Threat Encyclopedia


Win32/Bagle.CT

Aliases: W32.Beagle.CG@mm (Symantec), Win32.Bagle.DQ@mm (Bitdefender), Email-Worm.Win32.Bagle.dq (Kaspersky), W32/Bagle.EW.worm (Panda)
Type: Worm
Systems Affected: 32-bit Windows

Introduction:

Win32/Bagle.CT is a typical 31348-byte mass-mailing worm that is runtime compressed. It carries a trojan component and tries to distribute this trojan through its mass-mailing functionality.

Installation and Autostart Techniques:

Upon execution the worm copies itself into the %System% folder as "windll2.exe".

Note: %System% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32); its location differs between versions of Microsoft Windows.

The worm adds the following keys to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Ru1n
"erthegdr" = "%System%/windll2.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
"erthegdr" = "%System%/windll2.exe"

"Ru1n" (note the misspelling of "Run") serves only as an infection marker; it will NOT reload the worm at the next system start.

Win32/Bagle.CT also scans for the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Ru1n
HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n

and, if they are present, tries to delete the following entries:

"My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus", "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect", "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV", "PandaAVEngine",
"Norton Antivirus AV", "KasperskyAVEng", "SkynetsRevenge", "ICQ Net"

Mutex Creation to Prevent Netsky Worms from Working

The worm creates the following NetSky worm mutexes:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

to prevent several Netsky Worm versions from running.

Automatic Deactivation:

If the current system date is 23 September 2006, the worm tries to delete the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n\ewrt
HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n\erthegdr

After successfully removing these keys, the worm terminates itself on this date and on any later date.


(Figure: illustration of the date check in the Bagle worm.)

Downloading Component:

The worm tries to download a file from the following URLs:

http://localhost/{Removed}/sss.php
http://localhost/{Removed}/script2.php
http://localhost/{Removed}/script3.php
http://clickhare.com/{Removed}/web.php
http://amerikansk-bulldog.dk/{Removed}/web.php
http://eventpeopleforyou.com/{Removed}/web.php
http://fyeye.com/{Removed}/web.php
http://ligapichangueras.cl/{Removed}/web.php
http://ekshrine.com/{Removed}/web.php
http://directeenhuis.nl/{Removed}/web.php
http://creacionesartisticasandaluzas.com/{Removed}/web.php

and tries to store the downloaded file as "EML.EXE".

E-mail Sender:

The sender e-mail addresses are spoofed, so a message may appear to come from a familiar source.
The worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of the embedded trojan.

The worm will not send to e-mail addresses that contain any of the following strings:

@eerswqe @derewrdgrs @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft
support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip
google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@

E-mail Subjects:

E-mail subject lines are empty.

Message Body:

The e-mail message body contains one of the following texts:

new price
price
The password is
Password:

E-mail Attachments:

The worm attaches the trojan with one of the following file names:

Price.zip
price2.zip
price_new.zip
price_09.zip
09_price.zip
newprice.zip
new_price.zip
new__price.zip
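As an added example (not part of this write-up, and not the worm's own code), the following Python check applies the three e-mail characteristics listed above as a mail-gateway style rule: an empty subject, a body consisting of one of the listed texts, and a ZIP attachment with one of the listed names. The sample messages, sender and recipient addresses are constructed here for demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

BODY_TEXTS = {"new price", "price", "The password is", "Password:"}  # from the write-up
ATTACHMENT_NAMES = {
    "Price.zip", "price2.zip", "price_new.zip", "price_09.zip",
    "09_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}

def matches_bagle_ct(raw: bytes) -> list[str]:
    """Return the indicators a raw RFC 822 message matches (empty = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # The worm sends with an empty (or missing) Subject header.
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    # The plain-text body is exactly one of the listed texts.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text in BODY_TEXTS:
        hits.append("known-body")
    # The trojan is attached as a ZIP with one of the listed names.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in ATTACHMENT_NAMES:
            hits.append("known-attachment:" + name)
    return hits

def is_bagle_ct_mail(raw: bytes) -> bool:
    """Alert only when all three characteristics coincide (limits false positives)."""
    hits = matches_bagle_ct(raw)
    return ("empty-subject" in hits and "known-body" in hits
            and any(h.startswith("known-attachment:") for h in hits))

def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Construct a sample message for demonstration; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"  # constructed sender
    msg["To"] = "victim@example.invalid"     # constructed recipient
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    if attachment:  # a ZIP header stub stands in for the real archive
        msg.add_attachment(b"PK\x03\x04", maintype="application",
                           subtype="zip", filename=attachment)
    return msg.as_bytes()

WORM_SAMPLE = build_sample("", "price", "price_09.zip")
BENIGN_SAMPLE = build_sample("Q3 price list", "Attached as discussed.", "pricelist.zip")
```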

Backdoor Component:

The worm also provides backdoor functionality on TCP port 80.

Other Details:

The worm uses the IP address 194.190.195.66 (ns.telekom.ru), a Russian telecom server, as its DNS server.

History: Analysis and Write-up by: Michael St. Neitzel