Threat Encyclopedia


E-mail Subject

The subject of an e-mail carrying Win32/Bagle.GM is chosen from the list below.

Ales

Alice

Alyce

Andrew

Androw

Androwe

Ann

Anna

Anne

Annes

Anthonie

Anthony

Anthonye

Avice

Avis

Bennet

Bennett

Constance

Cybil

Daniel

Danyell

Dorithie

Dorothee

Dorothy

Edmond

Edmonde

Edmund

Edward

Edwarde

Elizabeth

Elizabethe

Ellen

Ellyn

Emanual

Emanuel

Emanuell

Ester

Frances

Francis

Fraunces

Gabriell

Geoffraie

George

Grace

Harry

Harrye

Henrie

Henry

Henrye

Hughe

Humphrey

Humphrie

Christean

Christian

Isabel

Isabell

James

Jane

Jeames

Jeffrey

Jeffrye

Joane

Johen

John

Josias

Judeth

Judith

Judithe

Katherine

Katheryne

Leonard

Leonarde

Margaret

Margarett

Margerie

Margerye

Margret

Margrett

Marie

Martha

Mary

Marye

Michael

Mychaell

Nathaniel

Nathaniell

Nathanyell

Nicholas

Nicholaus

Nycholas

Peter

Ralph

Rebecka

Richard

Richarde

Robert

Roberte

Roger

Rose

Rycharde

Samuell

Sara

Sidney

Sindony

Stephen

Susan

Susanna

Suzanna

Sybell

Sybyll

Syndony

Thomas

Valentyne

William

Winifred

Wynefrede

Wynefreed

Wynnefreede

The name of the attached archive is also chosen from the list above. The archive contains an executable file carrying the worm and is protected by a password, which is given in an attached picture.


E-mail Body:

The e-mail body can begin with one of the following salutations:

To the beloved

I love you


The message then continues with one of the following texts:

The password is

Password --

Use password to open archive.

Password is

Zip password:

archive password:

Password -

Password:
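
The subject, archive name, salutation and password text described above combine into a recognisable shape: a subject from a fixed name list, a password-protected ZIP named after the subject and holding an executable, and an image carrying the password. The following Python example is added here and is not code from the page or from ESET. It parses a message with the standard library, reads the ZIP encryption flag from the member headers without extracting anything, and scores the message on those indicators. The sample message, the name subset in BAGLE_NAMES, the placeholder GIF bytes and the member name Alice.exe are constructed for the example; extend BAGLE_NAMES with the full list above for real use.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subset of the subject / archive-name list on the page (extend with the full list).
BAGLE_NAMES = {
    "Ales", "Alice", "Alyce", "Andrew", "Ann", "Anna", "Anne", "Daniel", "Edward",
    "Elizabeth", "George", "Henry", "James", "Jane", "John", "Margaret", "Mary",
    "Peter", "Richard", "Robert", "Thomas", "William", "Winifred",
}
SALUTATIONS = ("To the beloved", "I love you")
# Covers the password texts on the page: "The password is", "Password --",
# "Password -", "Password:", "Zip password:", "Use password to open archive."
PASSWORD_RE = re.compile(r"password\s*(?:is\b|-+|:)|use password to open archive", re.I)


def zip_members(data: bytes) -> list:
    """(name, encrypted) per member, read from the central directory only.
    Bit 0 of the general-purpose flag marks a password-protected entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def analyse_message(raw: bytes) -> dict:
    """Score one RFC 822 message on the Bagle.GM mail-shape indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    r = {
        "subject_in_list": subject in BAGLE_NAMES,
        "salutation": text.lstrip().startswith(SALUTATIONS),
        "password_hint": bool(PASSWORD_RE.search(text)),
        "encrypted_zip": False, "exe_in_zip": False,
        "zip_named_like_subject": False, "image_attached": False,
    }
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type().startswith("image/"):
            r["image_attached"] = True
        elif fname.endswith(".zip"):
            members = zip_members(part.get_payload(decode=True))
            r["encrypted_zip"] |= any(enc for _, enc in members)
            r["exe_in_zip"] |= any(n.lower().endswith(".exe") for n, _ in members)
            r["zip_named_like_subject"] |= fname[:-4] == subject.lower()
    # Encrypted archive plus an image is the core of the lure; the subject list
    # or a password hint in the body confirms it.
    r["suspicious"] = bool(r["encrypted_zip"] and r["image_attached"]
                           and (r["subject_in_list"] or r["password_hint"]))
    return r


def make_encrypted_zip(member: str, payload: bytes) -> bytes:
    """Constructed test archive. zipfile cannot write encrypted entries, so the
    archive is written in the clear and bit 0 of the flag field is then set in
    the local header (offset 6) and the central-directory entry (offset 8).
    The headers then look like a password-protected archive, which is all the
    detector reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + off] |= 0x01
    return bytes(data)


def build_sample_bagle_email(name: str) -> bytes:
    """Constructed message with the layout the page describes."""
    msg = EmailMessage()
    msg["From"] = "jane@example.test"
    msg["To"] = "john@example.test"
    msg["Subject"] = name
    msg.set_content("I love you\n\nThe password is\n")
    msg.add_attachment(make_encrypted_zip(name + ".exe", b"MZ" + bytes(62)),
                       maintype="application", subtype="zip", filename=name + ".zip")
    msg.add_attachment(b"GIF89a" + bytes(20) + b";",  # placeholder image bytes
                       maintype="image", subtype="gif", filename="password.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse_message(build_sample_bagle_email("Alice")))
```

Because the detector only reads the ZIP central directory, it works on the password-protected archive without any attempt to extract it; at a mail gateway the combination of an encrypted archive and a separate image is enough to quarantine the message, and no password guessing is needed.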


Installation and Autostart Technique

Upon first execution, Win32/Bagle.GM copies itself to the directory C:\Documents and Settings\username\Application Data\hidn as "hidn.exe". In the same directory it creates "m_hook.sys", a driver that hides the worm on the system using rootkit techniques.

To be run at every system start, the worm sets the "drv_st_key" registry entry in the key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.


The value is rewritten every five minutes to "C:\Documents and Settings\username\Application Data\hidn\hidn.exe", so deleting the entry alone does not remove the persistence while the worm is still running.

It also creates the file C:\error.gif, a picture containing the text "Error", and displays it with the associated picture viewer.
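
The worm does not set its Run value once; it rewrites it every five minutes, so the signal is the cadence rather than any single registry write. The following Python example is added here and is not code from the page or from ESET. It runs two checks over registry-value-set records: a direct match on the indicator above (a Run value whose data points at ...\Application Data\hidn\hidn.exe) and a behavioural match for any Run value rewritten by one process at a steady short interval, which generalises beyond this worm's five-minute timer. The log lines, the user name, the HKCU prefix and the timestamps are constructed for the example; the field set is the one Sysmon Event ID 13 (RegistryEvent, value set) records as UtcTime, Image, TargetObject and Details.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit records, not real telemetry:
# time | writing process | registry value | data written
SAMPLE_LOG = r"""
2006-01-01T10:00:05|C:\Documents and Settings\user\Application Data\hidn\hidn.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key|C:\Documents and Settings\user\Application Data\hidn\hidn.exe
2006-01-01T10:02:11|C:\Program Files\Messenger\msmsgs.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS|"C:\Program Files\Messenger\msmsgs.exe" /background
2006-01-01T10:03:00|C:\Temp\setup.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Program Files\Tool\updater.exe
2006-01-01T10:03:02|C:\Temp\setup.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|"C:\Program Files\Tool\updater.exe" /quiet
2006-01-01T10:03:40|C:\WINDOWS\explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|1
2006-01-01T10:05:05|C:\Documents and Settings\user\Application Data\hidn\hidn.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key|C:\Documents and Settings\user\Application Data\hidn\hidn.exe
2006-01-01T10:10:06|C:\Documents and Settings\user\Application Data\hidn\hidn.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key|C:\Documents and Settings\user\Application Data\hidn\hidn.exe
2006-01-01T10:15:04|C:\Documents and Settings\user\Application Data\hidn\hidn.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key|C:\Documents and Settings\user\Application Data\hidn\hidn.exe
"""

# A value directly under ...\CurrentVersion\Run or RunOnce.
RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# The path the page gives for the worm's copy.
HIDN_RE = re.compile(r"\\Application Data\\hidn\\hidn\.exe", re.I)


def parse_records(text: str) -> list:
    """Return (timestamp, image, target, data) tuples from the pipe format above."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, image, target, data = line.split("|", 3)
            records.append((datetime.fromisoformat(ts), image, target, data))
    return records


def find_known_ioc(records) -> list:
    """Direct match on the page's indicator: a Run value pointing at hidn.exe."""
    hits = {(target, data) for _, _, target, data in records
            if RUN_VALUE_RE.search(target) and HIDN_RE.search(data)}
    return sorted(hits)


def find_periodic_run_writes(records, min_writes=3, max_period_s=900, tolerance_s=30) -> list:
    """Behavioural match: one process rewriting the same Run value on a steady
    short cadence. Bagle.GM's is five minutes, but the check keys on regularity
    rather than that figure: every gap between writes must lie within
    tolerance_s of the median gap, and the median must not exceed max_period_s.
    Installers set a Run value once or a few times in a burst, rarely on a timer."""
    by_key = defaultdict(list)
    for ts, image, target, _ in records:
        if RUN_VALUE_RE.search(target):
            by_key[(image, target)].append(ts)
    hits = []
    for (image, target), times in sorted(by_key.items()):
        if len(times) < min_writes:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if mid <= max_period_s and all(abs(g - mid) <= tolerance_s for g in gaps):
            hits.append({"image": image, "value": target, "writes": len(times), "period_s": mid})
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(find_known_ioc(recs))
    print(find_periodic_run_writes(recs))
```

The first check is cheap and exact but dies with the next variant's file name; the second survives a rename because it keys on the re-set timer, at the cost of needing several writes before it fires. In the constructed records the two setup.exe writes stay below min_writes and the Explorer write is not under Run, so only drv_st_key is reported by either check.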


The worm tries to terminate and disable the following services (anti-virus and firewall products, plus the Windows Security Center service wscsvc, Automatic Updates wuauserv and the Windows Firewall/Internet Connection Sharing service SharedAccess):

Aavmker4

ABVPN2K

ADBLOCK.DLL

ADFirewall

AFWMCL

Ahnlab task Scheduler

alerter

AlertManger

AntiVir Service

AntiyFirewall

ARP.DLL

aswMon2

aswRdr

aswTdi

aswUpdSv

Ati HotKey Poller

avast! Antivirus

avast! Mail Scanner

avast! Web Scanner

AVEService

AVExch32Service

AvFlt

Avg7Alrt

Avg7Core

Avg7RsW

Avg7RsXP

Avg7UpdSvc

AvgCore

AvgFsh

AVGFwSrv

AvgFwSvr

AvgServ

AvgTdi

AVIRAMailService

AVIRAService

avpcc

AVUPDService

AVWUpSrv

AvxIni

awhost32

backweb client-4476822

backweb client - 4476822

BackWeb Client - 7681197

Bdfndisf

bdftdif

bdss

BlackICE

BsFileSpy

BsFirewall

BsMailProxy

CAISafe

ccEvtMgr

ccPwdSvc

ccSetMgr

ccSetMgr.exe

CONTENT.DLL

DefWatch

DNSCACHE.DLL

drwebnet

dvpapi

dvpinit

ewido security suite control

ewido security suite driver

ewido security suite guard

F-Prot Antivirus Update Monitor

F-Secure Gatekeeper Handler Starter

firewall

fsbwsys

FSDFWD

FSFW

FSMA

FTPFILT.DLL

FwcAgent

fwdrv

Guard NT

HSnSFW

HSnSPro

HTMLFILT.DLL

HTTPFILT.DLL

IMAPFILT.DLL

InoRPC

InoRT

InoTask

Ip6Fw

Ip6FwHlp

KAVMonitorService

KAVSvc

KLBLMain

KPfwSvc

KWatch3

KWatchSvc

MAILFILT.DLL

McAfee Firewall

McAfeeFramework

McShield

McTaskManager

mcupdmgr.exe

MCVSRte

Microsoft NetWork FireWall Services

MonSvcNT

MpfService

navapsvc

NDIS_RD

Ndisuio

Network Associates Log Service

nipsvc

NISSERV

NISUM

NNTPFILT.DLL

NOD32ControlCenter

NOD32krn

NOD32Service

Norman NJeeves

Norman Type-R

Norman ZANDA

Norton AntiVirus Server

NPDriver

NPFMntor

NProtectService

NSCTOP

nvcoas

NVCScheduler

nwclntc

nwclntd

nwclnte

nwclntf

nwclntg

nwclnth

NWService

OfcPfwSvc

Outbreak Manager

Outpost Firewall

OutpostFirewall

PASSRV

PAVAGENTE

PavAtScheduler

PAVDRV

PAVFIRES

PAVFNSVR

Pavkre

PavProc

PavProt

PavPrSrv

PavReport

PAVSRV

PCC_PFW

PCCPFW

PersFW

Personal Firewall

POP3FILT.DLL

PREVSRV

PROTECT.DLL

PSIMSVC

qhwscsvc

Quick Heal Online Protection

ravmon8

RfwService

SAVFMSE

SAVScan

SBService

SECRET.DLL

SharedAccess

schscnt

SmcService

SNDSrvc

SPBBCSvc

SpiderNT

SweepNet

SWEEPSRV.SYS

Symantec AntiVirus Client

Symantec Core LC

T_H_S_M

The_Hacker_Antivirus

tm_cfw

Tmntsrv

TmPfw

tmproxy

tmtdi

V3MonNT

V3MonSvc

Vba32ECM

Vba32ifs

Vba32Ldr

Vba32PP3

VBCompManService

VexiraAntivirus

VFILT

VisNetic AntiVirus Plug-in

vrfwsvc

vsmon

VSSERV

WinAntivirus

WinRoute

wscsvc

wuauserv

xcomm


E-mail Addresses Harvesting

E-mail addresses for further spreading are harvested from local files with one of the following extensions:

.adb

.asp

.cfg

.cgi

.dbx

.dhtm

.eml

.htm

.jsp

.mbx

.mdx

.mht

.mmf

.msg

.nch

.ods

.oft

.php

.pl

.sht

.shtm

.stm

.tbb

.txt

.uin

.wab

.wsh

.xls

.xml


Addresses containing one of the following strings are skipped:

..

.@

@.

@avp.

@foo

@iana

@messagelab

abuse

admin

anyone@

bsd

bugs@

cafee

certific

contract@

f-secur

feste

free-av

gold-certs@

google

help@

icrosoft

info@

kasp

linux

listserv

local

news

nobody@

noone@

noreply

ntivi

panda

pgp

postmaster@

rating@

root@

samples

sopho

spam

support

unix

update

winrar

winzip
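
The two lists above define the worm's target selection: which local files are read, and which of the addresses found there are thrown away. The filter skips malformed addresses (consecutive dots, a dot next to the @), role accounts such as abuse, postmaster and support, and anything that looks like a security vendor, so the worm's own mail is unlikely to reach mailboxes that would analyse it. The following Python example is added here and is not code from the page or from ESET. It reproduces that selection over constructed file contents, which shows which of a site's addresses the worm would and would not target; useful when deciding where a honeypot mailbox needs to sit. The address regex, the case-insensitive comparison and the sample file contents are assumptions made for the example; the worm's real scanner is not documented on the page.

```python
import os
import re

# Extensions of the local files the worm reads, as listed on the page.
HARVEST_EXTENSIONS = {
    ".adb", ".asp", ".cfg", ".cgi", ".dbx", ".dhtm", ".eml", ".htm", ".jsp", ".mbx",
    ".mdx", ".mht", ".mmf", ".msg", ".nch", ".ods", ".oft", ".php", ".pl", ".sht",
    ".shtm", ".stm", ".tbb", ".txt", ".uin", ".wab", ".wsh", ".xls", ".xml",
}
# Substrings that cause an address to be skipped, in the page's order.
EXCLUDE_SUBSTRINGS = (
    "..", ".@", "@.", "@avp.", "@foo", "@iana", "@messagelab", "abuse", "admin",
    "anyone@", "bsd", "bugs@", "cafee", "certific", "contract@", "f-secur", "feste",
    "free-av", "gold-certs@", "google", "help@", "icrosoft", "info@", "kasp", "linux",
    "listserv", "local", "news", "nobody@", "noone@", "noreply", "ntivi", "panda",
    "pgp", "postmaster@", "rating@", "root@", "samples", "sopho", "spam", "support",
    "unix", "update", "winrar", "winzip",
)
# Assumption: a permissive address pattern; the worm's own scanner is not documented.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed file contents standing in for files found on disk.
SAMPLE_FILES = {
    "contacts.txt": "jane.doe@example.com, support@example.com\nabuse@example.com bad..name@example.com\n",
    "index.htm": '<a href="mailto:webmaster@example.org">mail</a> <!-- help@example.org -->',
    "sample.eml": "From: analyst@kasp.example\nTo: bob@lab.local.example\n",
    "notes.exe": "hidden@example.com",  # .exe is not on the list, so never read
}


def is_harvestable_file(name: str) -> bool:
    """True if the worm would read this file at all."""
    return os.path.splitext(name)[1].lower() in HARVEST_EXTENSIONS


def skip_reason(address: str):
    """First exclusion substring found in the address, or None.
    Assumption: the comparison is case-insensitive (the list is all lower case)."""
    a = address.lower()
    return next((s for s in EXCLUDE_SUBSTRINGS if s in a), None)


def harvest(files: dict) -> tuple:
    """Return (harvested, skipped); skipped pairs each address with its reason."""
    taken, skipped = set(), set()
    for name, text in files.items():
        if not is_harvestable_file(name):
            continue
        for addr in EMAIL_RE.findall(text):
            reason = skip_reason(addr)
            if reason is None:
                taken.add(addr)
            else:
                skipped.add((addr, reason))
    return sorted(taken), sorted(skipped)


if __name__ == "__main__":
    harvested, skipped = harvest(SAMPLE_FILES)
    print("would be mailed:", harvested)
    for addr, reason in skipped:
        print(f"skipped {addr!r} because of {reason!r}")
```

Note what the exclusion list does to common defensive addresses: abuse@, postmaster@, support@, info@ and anything containing "local" or "update" are never targeted, so a capture mailbox named like one of those would never see the worm; a plain personal-style address in a harvestable file type (a .txt or .htm on a workstation) would.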


Other Information:

Every two hours the worm tries to download a file from one of 99 addresses. The downloaded file is saved as "%system%\re_file.exe" and then executed.

NOD32 detected Win32/Bagle.GM worm using advanced heuristics without an update.
A signature for Win32/Bagle.GM was added in version 1.822.