Threat Encyclopedia

Win32/Bagle.AI

Win32/Bagle.AI is an internet worm that spreads as an e-mail attachment. It arrives in a ZIP file containing two files: price.html and price.exe.

When price.html is opened, it executes the price.exe file.

Price.exe is 14848 bytes long. When executed, it copies itself into the %system% directory as WINDirect.exe and creates a value named win_upd2.exe in the following Registry keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The value points to WINDirect.exe.

Then an 11776-byte downloader is dropped as %system%\_dll.exe. It is executed by injecting code into the explorer.exe process, and it tries to terminate the following processes:

ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
sys_xp.exe
sysxp.exe
winxp.exe

It holds a list of 204 URLs from which it repeatedly tries to download a file, save it as "~.exe" in %windir% and execute it. This is how the Win32/Bagle.AI worm executable itself is downloaded and launched. That file is about 19 kB in size. It copies itself to %system%\windll.exe and creates two further files, "windll.exeopen" and "windll.exeopenopen", in the same directory; both are identical copies of windll.exe.

The worm harvests e-mail addresses for further spreading from files with one of these extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

It contains a list of strings that it compares against the harvested addresses, and it does not send itself to addresses containing any of the following:

@avp.
@derewrdgrs
@eerswqe
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

Win32/Bagle.AI then starts sending e-mails to the addresses it found.

The subject of the message is blank. The body is either "price" or "new price".

The messages carry the ZIP archive mentioned earlier as an attachment. Its name is picked from the following list:

08_price
new_price
new__price
newprice
price
price2
price_08
price_new
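As an added example that is not part of this encyclopedia entry, the following Python triage check scores an inbound message against the mailer pattern described above: blank subject, a body of "price" or "new price", a ZIP attachment with one of the listed names, and the price.html/price.exe pair inside it. The sample ZIP is constructed in memory and the function names are my own.

```python
import io
import zipfile

# Indicators taken from the Win32/Bagle.AI description above.
ATTACHMENT_NAMES = {"08_price", "new_price", "new__price", "newprice",
                    "price", "price2", "price_08", "price_new"}
BODIES = {"price", "new price"}
DROPPER_MEMBERS = {"price.html", "price.exe"}
DROPPER_EXE_SIZE = 14848  # size of price.exe stated in the description


def zip_members(data: bytes):
    """Return {name: uncompressed_size} for an in-memory ZIP, or None if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {info.filename.lower(): info.file_size for info in zf.infolist()}
    except zipfile.BadZipFile:
        return None


def bagle_ai_score(subject: str, body: str, attachment: str, data: bytes) -> dict:
    """Score one inbound message against the Bagle.AI mailer pattern.

    Returns the individual signals so a caller can pick its own threshold;
    'match' is True only when the strong signals all line up.
    """
    stem, _, ext = attachment.rpartition(".")
    signals = {
        "blank_subject": subject.strip() == "",
        "known_body": body.strip().lower() in BODIES,
        "known_zip_name": ext.lower() == "zip" and stem.lower() in ATTACHMENT_NAMES,
        "dropper_pair": False,   # both price.html and price.exe present in the ZIP
        "dropper_size": False,   # price.exe has the documented size (weaker signal)
    }
    members = zip_members(data)
    if members:
        signals["dropper_pair"] = DROPPER_MEMBERS <= set(members)
        signals["dropper_size"] = members.get("price.exe") == DROPPER_EXE_SIZE
    signals["match"] = all(signals[k] for k in ("blank_subject", "known_body",
                                                "known_zip_name", "dropper_pair"))
    return signals


def build_sample_zip(members: dict) -> bytes:
    """Constructed test data: an in-memory ZIP holding the given {name: payload} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"price.html": b"<html></html>", "price.exe": b"MZ" + b"\0" * 14846})
    print(bagle_ai_score("", "new price", "price_08.zip", sample))
```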

The worm can also spread by copying itself into directories whose names contain the substring "shar", using the following filenames:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
KAV 5.0
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

Besides the Bagle mailer executable, the downloader can also fetch another executable, 2052 bytes long. When started for the first time, it visits http://www.die-cliquee.de/get.php; whatever is served there is downloaded, saved into %windir% under a random filename, and executed. However, this URL may only be used for notification purposes. The executable also listens on TCP port 12345, but closes incoming connections after a short delay.

NOD32 detected the Win32/Bagle.AI worm using advanced heuristics without requiring an update. Sample-based detection has been included since version 1.836.