Threat Encyclopedia


Win32/Bagle.AQ

Win32/Bagle.AQ is an internet worm spreading via e-mail messages, P2P networks or shared network drives.

Note: In the following text the placeholder %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The subject of the message sent by the worm can be one of the following:

Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks :)

The attachment of the message is an executable file. Below is the list of possible attachment names:

Joke
Price
price

The executable attachment has one of four possible extensions: ".exe", ".scr", ".com" or ".cpl". The body of the e-mail consists of the text ":)" or ":))".
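The subject, attachment-name, extension and body lists above are simple enough to turn into a mail-gateway rule. The following Python is an added example, not the vendor's code: the message structure (a subject, a body and a list of attachment file names) is an assumption, and the sample messages are constructed. The rule requires a matching attachment plus at least one other trait, so an ordinary "Re: Hi" reply is not flagged.

```python
"""Mail-gateway indicator check for the Win32/Bagle.AQ message format.

Added example, not the vendor's code. The subject, attachment-name,
extension and body lists come from the description above; the Message
structure is an assumption and the sample messages are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple

SUBJECTS = {"Re:", "Re: Hello", "Re: Hi", "Re: Thank you!", "Re: Thanks :)"}
ATTACHMENT_NAMES = {"Joke", "Price", "price"}  # case-sensitive, as listed
EXTENSIONS = {".exe", ".scr", ".com", ".cpl"}
BODIES = {":)", ":))"}


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def split_name(filename: str) -> Tuple[str, str]:
    """Split 'price.scr' into ('price', '.scr'); the extension is lower-cased."""
    if "." not in filename:
        return filename, ""
    stem, _, ext = filename.rpartition(".")
    return stem, "." + ext.lower()


def bagle_aq_indicators(msg: Message) -> List[str]:
    """Return the list of Bagle.AQ traits the message exhibits."""
    hits = []
    if msg.subject.strip() in SUBJECTS:
        hits.append("subject")
    if msg.body.strip() in BODIES:
        hits.append("body")
    for name in msg.attachments:
        stem, ext = split_name(name)
        if stem in ATTACHMENT_NAMES and ext in EXTENSIONS:
            hits.append(f"attachment:{name}")
    return hits


def looks_like_bagle_aq(msg: Message) -> bool:
    """Quarantine rule: a matching attachment plus at least one other trait."""
    hits = bagle_aq_indicators(msg)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and len(hits) >= 2


# Constructed sample messages (not real captures).
SAMPLES = [
    Message("Re: Thanks :)", ":))", ["price.scr"]),       # worm-like
    Message("Re: Hi", "See you tomorrow", ["price.SCR"]),  # worm-like, upper-case ext
    Message("Re: Hi", "Here it is", ["Price.pdf"]),        # benign attachment type
    Message("Re:", ":)", []),                              # no attachment at all
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(looks_like_bagle_aq(m), bagle_aq_indicators(m))
```

The attachment-name comparison is deliberately case-sensitive because the list distinguishes "Price" from "price"; the extension comparison is case-insensitive because Windows treats "price.SCR" as a screensaver all the same.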

When executed, Win32/Bagle.AQ copies itself into the %system% directory under the name "bawindo.exe". In order to be executed every time Windows starts, the worm creates an entry called "bawindo" in the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The value of the new Registry entry is set to "%system%\bawindo.exe".

The entries below are deleted from the Registry keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:

9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex
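Both Registry changes (the added "bawindo" autorun entry and the deleted security-product entries) can be checked from a regedit export of the two Run keys. The following Python is an added example, not the vendor's code: it parses .reg text, reports any autorun entry named "bawindo" or pointing at bawindo.exe, and diffs the keys against a pre-infection baseline restricted to the names the worm is known to delete. The .reg text and the baseline are constructed samples.

```python
"""Triage of the Run keys that Win32/Bagle.AQ modifies, from a regedit export.

Added example, not the vendor's code. The value name "bawindo", the file
name bawindo.exe and the list of deleted entries come from the description
above. SAMPLE_EXPORT and BASELINE are constructed samples.
"""
import re
from typing import Dict, List, Set, Tuple

HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_KEYS = (HKCU_RUN, HKLM_RUN)

WORM_VALUE_NAME = "bawindo"
WORM_FILE = "bawindo.exe"

# Run entries the worm deletes (security products it tries to silence).
DELETED_BY_WORM = {
    "9XHtProtect", "Antivirus", "EasyAV", "FirewallSvr", "HtProtect",
    "ICQ Net", "ICQNet", "Jammer2nd", "KasperskyAVEng", "MsInfo", "My AV",
    "NetDy", "Norton Antivirus AV", "PandaAVEngine", "service",
    "SkynetsRevenge", "Special Firewall Service", "SysMonXP", "Tiny AV",
    "Zone Labs Client Ex",
}

# "name"=data  (the name may contain escaped quotes or backslashes)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}} for a .reg export (string values unescaped)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; other types are kept raw
            keys[current][_unescape(m.group(1))] = data
    return keys


def find_worm_autorun(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Autorun entries named 'bawindo' or whose data ends in bawindo.exe."""
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if name.lower() == WORM_VALUE_NAME or data.lower().endswith(WORM_FILE):
                hits.append((key, name, data))
    return hits


def autorun_entries_removed(keys: Dict[str, Dict[str, str]],
                            baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Baseline (key, name) pairs now missing that match the worm's deletion list."""
    present = {(k, n) for k in RUN_KEYS for n in keys.get(k, {})}
    return sorted((k, n) for (k, n) in baseline
                  if (k, n) not in present and n in DELETED_BY_WORM)


# Constructed regedit export (not from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"bawindo"="C:\\WINDOWS\\system32\\bawindo.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"""

# Constructed pre-infection snapshot of the same two keys.
BASELINE = {
    (HKCU_RUN, "ctfmon.exe"),
    (HKLM_RUN, "SoundMan"),
    (HKLM_RUN, "KasperskyAVEng"),
    (HKLM_RUN, "Zone Labs Client Ex"),
}

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    print("worm autorun:", find_worm_autorun(parsed))
    print("removed:", autorun_entries_removed(parsed, BASELINE))
```

Exports written by regedit are UTF-16 text with a byte-order mark, so a file read for this parser should be opened with that encoding; the inline sample is plain text.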

The following is a list of processes the worm tries to terminate:

alogserv.exe
APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
Avconsol.exe
AVENGINE.EXE
AVPUPD.EXE
Avsynmgr.exe
AVWUPD32.EXE
AVXQUAR.EXE
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
CFIAUDIT.EXE
DefWatch.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
mcagent.exe
mcshield.exe
MCUPDATE.EXE
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
NISUM.EXE
nopdb.exe
NPROTECT.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
pavProxy.exe
pavsrv50.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
symlcsvc.exe
UPDATE.EXE
UpdaterUI.exe
Vshwin32.exe
VsStat.exe
VsTskMgr.exe

In order to extract e-mail addresses for further spreading, files with the following extensions are searched for:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

Win32/Bagle.AB avoids sending itself to an address containing one of the strings below:

@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

Win32/Bagle.AQ searches local drives for directories whose names contain the string "shar". The worm copies itself into such directories under the following names:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
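A file-system sweep for these copies needs only the directory test and the name list above. The following Python is an added example, not the vendor's code: it walks a tree, looks only inside directories with "shar" in their name, and reports exact matches on the list. It also goes one step beyond the page by flagging any other file there whose name carries a document-looking suffix in front of an executable one (as "Serials.txt.exe" and "Windows Sourcecode update.doc.exe" do), since later variants change the bait names but keep the trick. The directory tree it scans is constructed in a temporary folder with placeholder contents.

```python
"""Scan share-like directories for Win32/Bagle.AQ copies.

Added example, not the vendor's code. The file names and the "shar"
directory test come from the description above; the double-extension
heuristic is a generalisation beyond the page. The tree built by
build_sample_tree() is constructed sample data with placeholder contents.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple

DROP_NAMES = {
    "ACDSee 9.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe",
    "Kaspersky Antivirus 5.0", "KAV 5.0",
    "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Opera 8 New!.exe", "Porno pics arhive, xxx.exe", "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Serials.txt.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "WinAmp 6 New!.exe",
    "Windown Longhorn Beta Leak.exe", "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
}
EXEC_EXTS = {".exe", ".scr", ".com", ".cpl"}  # extensions the worm uses


def is_share_dir(path: Path) -> bool:
    """The worm targets directories with 'shar' in the name (case-insensitive here)."""
    return "shar" in path.name.lower()


def deceptive_double_extension(name: str) -> bool:
    """True for names like 'report.doc.exe': a document suffix in front of an executable one."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS


def scan_share_dirs(root: Path) -> List[Tuple[str, str]]:
    """Return sorted (relative path, reason) pairs for suspicious files in share dirs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not is_share_dir(Path(dirpath)):
            continue
        for fn in filenames:
            rel = Path(dirpath, fn).relative_to(root).as_posix()
            if fn in DROP_NAMES:
                findings.append((rel, "known Bagle.AQ drop name"))
            elif deceptive_double_extension(fn):
                findings.append((rel, "double extension"))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Constructed directory layout; every file holds a harmless placeholder string."""
    root = Path(tempfile.mkdtemp(prefix="bagle_demo_"))
    layout = {
        "Shared Files": ["ACDSee 9.exe", "Serials.txt.exe", "holiday.jpg"],
        "My Music": ["Opera 8 New!.exe"],            # not a share dir: ignored
        "incoming_share": ["report.doc.exe", "notes.txt"],
    }
    for d, files in layout.items():
        (root / d).mkdir()
        for f in files:
            (root / d / f).write_bytes(b"constructed placeholder, not malware")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for rel, reason in scan_share_dirs(sample_root):
            print(f"{reason}: {rel}")
    finally:
        shutil.rmtree(sample_root)
```

A copy of "Opera 8 New!.exe" outside a share-named directory is not reported, which mirrors where the worm actually writes; a broader sweep would drop the is_share_dir filter and accept more noise.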

In this way the worm is able to spread via various P2P networks and other shared resources. Win32/Bagle.AQ also has a backdoor function: it opens TCP port 81. The worm tries to download the file ws.jpg from one of 145 hardcoded servers; when the download succeeds, ws.jpg is executed.
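The backdoor listener and the dropped file name give a quick host-triage check. The following Python is an added example, not the vendor's code: it parses the text output of `netstat -ano` and `tasklist /fo csv` (both real Windows commands) and reports a TCP 81 listener together with the image name behind its PID, plus any established connection owned by bawindo.exe. Both output samples are constructed, with documentation-range addresses; a port 81 listener alone is not conclusive, which is why the PID-to-image mapping matters.

```python
"""Host triage for the Win32/Bagle.AQ backdoor from netstat and tasklist output.

Added example, not the vendor's code. Port 81 and the file name bawindo.exe
come from the description above; NETSTAT_OUTPUT and TASKLIST_CSV are
constructed samples of the two commands' real output formats.
"""
import csv
import io
from typing import Dict, List, Tuple

BACKDOOR_PORT = 81
WORM_IMAGE = "bawindo.exe"

Row = Tuple[str, str, int, str, str, int]  # proto, host, port, remote, state, pid


def parse_netstat(text: str) -> List[Row]:
    """Parse 'netstat -ano' lines; UDP rows have no State column."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        host, _, port = local.rpartition(":")
        rows.append((proto, host, int(port), remote, state, int(pid)))
    return rows


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from 'tasklist /fo csv'."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def triage(netstat_text: str, tasklist_text: str) -> List[str]:
    """Findings that match the worm's backdoor behaviour."""
    images = parse_tasklist_csv(tasklist_text)
    findings = []
    for proto, _host, port, remote, state, pid in parse_netstat(netstat_text):
        image = images.get(pid, "<unknown>")
        if proto == "TCP" and port == BACKDOOR_PORT and state == "LISTENING":
            findings.append(f"TCP {port} listening, PID {pid} ({image})")
        if image.lower() == WORM_IMAGE and state == "ESTABLISHED":
            findings.append(f"{image} (PID {pid}) connected to {remote}")
    return findings


# Constructed 'netstat -ano' output (addresses from documentation ranges).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1528
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     1528
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed 'tasklist /fo csv' output.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,996 K"
"bawindo.exe","1528","Console","0","3,212 K"
'''

if __name__ == "__main__":
    for finding in triage(NETSTAT_OUTPUT, TASKLIST_CSV):
        print(finding)
```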

NOD32 detected this worm using Advanced Heuristics without the need to update the virus database. Detection of Win32/Bagle.AQ using a sample is available since version 1.880.