Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Bagle.CY

Aliases: Win32.Bagle.DU@mm (Bitdefender), Email-Worm.Win32.Bagle.du (Kaspersky)
Type: Worm
Systems Affected: 32-bit Windows

Introduction:

Win32/Bagle.CY is a typical mass-mailing e-mail worm. The worm is runtime compressed and is 30310 bytes in size. This threat contains a Trojan component and tries to mass-mail the Trojan via its built-in mass-mailing functionality.

Installation and Autostart Techniques:

Upon execution the worm copies itself into the %System% folder as "windll2.exe".

Note: %System% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32); its location differs between versions of Microsoft Windows.

The worm adds the following registry keys to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Ru1n
"erthegdr" = "%System%/windll2.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
"erthegdr" = "%System%/windll2.exe"

Note: "Ru1n" is only an infection marker, it will NOT reload the worm upon next system start.

Win32/Bagle.CY also scans the following keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Ru1n
HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n

and tries to delete the following entries from them if they are present:

"My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus", "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect", "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV", "PandaAVEngine",
"Norton Antivirus AV", "KasperskyAVEng", "SkynetsRevenge", "ICQ Net"

Mutex Creation to Prevent Netsky Worms from Working:

In order to prevent Netsky worms from running, Bagle.CY creates the following NetSky mutexes:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
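The installation section and the mutex list above give a responder two host-side artifacts to look for: the "Ru1n" infection marker with the "erthegdr" value pointing at windll2.exe, and the Netsky mutex names the worm creates. The following script is an added example, not code from the original write-up or its author; it parses a constructed .reg export (the format produced by a registry export) and a constructed list of mutex names (as a handle-enumeration tool would list them) and reports the indicators found. The sample data is constructed for illustration.

```python
import re

# Indicators taken from the write-up: marker key suffix, value name, dropped file name
MARKER_KEY_SUFFIX = r"Software\Microsoft\Windows\CurrentVersion\Ru1n"
MARKER_VALUE = "erthegdr"
DROPPED_FILE = "windll2.exe"

# Netsky mutex names the worm creates (copied from the list above)
NETSKY_MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}

# Constructed .reg export: one infected key plus one benign Run entry
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ru1n]
"erthegdr"="C:\\WINDOWS\\SYSTEM32/windll2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"""

# Constructed mutex listing, as a handle-enumeration tool might report it
SAMPLE_MUTEXES = ["Local\\ExampleAppMutex", "AdmSkynetJklS003", "[SkyNet.cz]SystemsMutex"]


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.

    Only REG_SZ lines of the form "name"="data" are handled, which is all
    the marker check needs; the export doubles backslashes, so undo that.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def find_registry_markers(reg):
    """Return (key, value_name, data) tuples that match the Bagle.CY marker."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(MARKER_KEY_SUFFIX.lower()):
            continue
        for name, data in values.items():
            if name == MARKER_VALUE and DROPPED_FILE in data.lower():
                hits.append((key, name, data))
    return hits


def find_netsky_mutexes(mutex_names):
    """Return the sorted subset of mutex_names that are known Netsky mutexes."""
    return sorted(m for m in mutex_names if m in NETSKY_MUTEXES)


if __name__ == "__main__":
    for key, name, data in find_registry_markers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"infection marker: [{key}] {name} = {data}")
    for mutex in find_netsky_mutexes(SAMPLE_MUTEXES):
        print(f"Netsky/Bagle mutex present: {mutex}")
```

Because the marker key is misspelled ("Ru1n" rather than "Run"), the value never executes on startup, so the registry hit identifies a previously infected machine rather than an active persistence mechanism; the mutex names, by contrast, only exist while a process holding them is running.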

Automatic Deactivation:

If the current system date is 23 September 2006, the worm tries to delete the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n\ewrt

and

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n\erthegdr

[Figure: Illustration of the time checking in the Bagle worm.]

After successfully removing the registry entries, the worm will terminate itself on this date or later.

Downloading Component:

The worm tries to download the following files:

http://localhost/{Removed}/sss.php
http://localhost/{Removed}/script2.php
http://localhost/{Removed}/script3.php
http://clickhare.com/{Removed}/web.php
http://amerikansk-bulldog.dk/{Removed}/web.php
http://eventpeopleforyou.com/{Removed}/web.php
http://fyeye.com/{Removed}/web.php
http://ligapichangueras.cl/{Removed}/web.php
http://ekshrine.com/{Removed}/web.php
http://directeenhuis.nl/{Removed}/web.php
http://creacionesartisticasandaluzas.com/{Removed}/web.php

and tries to store the downloaded file as "EML.EXE".

E-mail Sending:

The sender email addresses are spoofed and may appear to be sent by a familiar source.
This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of the embedded trojan to other email addresses.

The worm will not send emails to email addresses containing one of the following strings:

@eerswqe @derewrdgrs @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft
support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip
google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@

E-mail Subjects:

E-mail subjects are empty.

Message Body:

The E-mail Message Body contains one of the following texts:

new price
price
The password is
Password:

E-mail Attachments:

The worm uses one of the following file names, with a ZIP extension, for the embedded Trojan:

price
price2
price_new
price_09
09_price
newprice
new_price
new__price
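The e-mail sections above (empty subject, one of four short body texts, and a ZIP attachment drawn from a fixed list of names) together form a usable mail-gateway signature. The following script is an added example, not code from the original write-up or its author: it builds a few constructed messages with the standard library's email package, checks each against those three indicators, and flags a message when the attachment indicator matches together with at least one of the others. The message contents, addresses and the scoring threshold are assumptions for illustration.

```python
from email.message import EmailMessage

# Indicators copied from the write-up
BODY_TEXTS = {"new price", "price", "The password is", "Password:"}
ATTACHMENT_STEMS = {
    "price", "price2", "price_new", "price_09",
    "09_price", "newprice", "new_price", "new__price",
}


def build_sample(subject, body, attachment_name):
    """Construct a test message (constructed sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed address
    msg["To"] = "recipient@example.com"  # constructed address
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Payload is a constructed placeholder; only the file name matters here
        msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg


def bagle_cy_indicators(msg):
    """Return the names of the Bagle.CY e-mail indicators matched by msg."""
    hits = []
    if (msg.get("Subject") or "").strip() == "":
        hits.append("empty-subject")

    body = None
    zip_names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            stem, _, ext = filename.rpartition(".")
            if ext.lower() == "zip" and stem.lower() in ATTACHMENT_STEMS:
                zip_names.append(filename)
        elif part.get_content_type() == "text/plain" and body is None:
            raw = part.get_payload(decode=True) or b""
            body = raw.decode(part.get_content_charset() or "utf-8", "replace").strip()

    # The write-up says the body "contains one of the following texts"; the
    # worm's bodies are short, so a prefix match keeps false positives low.
    if body is not None and any(body.lower().startswith(t.lower()) for t in BODY_TEXTS):
        hits.append("known-body-text")
    if zip_names:
        hits.append("known-zip-attachment")
    return hits


def is_suspected_bagle_cy(msg):
    """Flag when the attachment name matches plus at least one other indicator."""
    hits = bagle_cy_indicators(msg)
    return "known-zip-attachment" in hits and len(hits) >= 2


if __name__ == "__main__":
    samples = [
        ("worm-like", build_sample(None, "new price", "price_new.zip")),
        ("benign", build_sample("Q3 invoice", "Hi, the invoice is attached.", "invoice.zip")),
    ]
    for label, m in samples:
        print(label, bagle_cy_indicators(m), is_suspected_bagle_cy(m))
```

Requiring two indicators rather than one avoids quarantining every legitimate message that happens to have an empty subject or a file called price.zip; the attachment name is kept as the mandatory indicator because it is the one the worm cannot vary without changing its own code.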

Backdoor Component:

The worm also provides backdoor functionality on port 80 (TCP/IP).

Other Details:

The worm uses IP 194.190.195.66 (ns.telekom.ru), a Russian telecom server, as its DNS server.
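The download URLs listed earlier, the backdoor on TCP port 80 and the hard-coded DNS server above are the network-side indicators of this worm. The following script is an added example, not code from the original write-up or its author: it runs those indicators over constructed proxy-log and flow-log lines (the two line formats, the 10.0.0.0/24 workstation subnet and all IPs other than 194.190.195.66 are assumptions for illustration) and returns one alert per matching line.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts and script names from the download list in the write-up
DOWNLOAD_HOSTS = {
    "clickhare.com", "amerikansk-bulldog.dk", "eventpeopleforyou.com", "fyeye.com",
    "ligapichangueras.cl", "ekshrine.com", "directeenhuis.nl",
    "creacionesartisticasandaluzas.com",
}
DOWNLOAD_SCRIPTS = {"web.php", "sss.php", "script2.php", "script3.php"}
HARDCODED_DNS = "194.190.195.66"          # ns.telekom.ru, from the write-up
WORKSTATIONS = ipaddress.ip_network("10.0.0.0/24")  # assumption: client subnet

# Constructed proxy log: "<ts> <client-ip> <method> <url> <status> <bytes>"
SAMPLE_PROXY_LINES = [
    "2006-09-01T10:00:01 10.0.0.12 GET http://clickhare.com/path/web.php 200 30310",
    "2006-09-01T10:00:05 10.0.0.20 GET http://example.com/index.html 200 1200",
]

# Constructed flow log: "<ts> <src-ip> <dst-ip> <dst-port> <proto>"
SAMPLE_FLOW_LINES = [
    "2006-09-01T10:00:02 10.0.0.12 194.190.195.66 53 udp",
    "2006-09-01T10:00:03 10.0.0.12 10.0.0.13 80 tcp",
    "2006-09-01T10:00:04 203.0.113.5 10.0.0.12 80 tcp",
]


def check_proxy_line(line):
    """Return an alert string if the request targets a known download URL, else None."""
    _ts, client, _method, url, _status, _size = line.split()
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    if parts.hostname in DOWNLOAD_HOSTS and script in DOWNLOAD_SCRIPTS:
        return f"{client}: request to Bagle.CY download URL {parts.hostname}{parts.path}"
    return None


def check_flow_line(line):
    """Return an alert string for DNS to the hard-coded resolver or inbound tcp/80
    to a workstation (the backdoor port), else None."""
    _ts, src, dst, dport, proto = line.split()
    if dst == HARDCODED_DNS and dport == "53":
        return f"{src}: DNS traffic to hard-coded resolver {HARDCODED_DNS} (ns.telekom.ru)"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto == "tcp" and dport == "80" and dst_ip in WORKSTATIONS and src_ip not in WORKSTATIONS:
        return f"{dst}: inbound tcp/80 from {src} to a workstation (possible backdoor use)"
    return None


def scan_logs(proxy_lines, flow_lines):
    """Run both checks and return the list of alerts in log order."""
    alerts = []
    for line in proxy_lines:
        alert = check_proxy_line(line)
        if alert:
            alerts.append(alert)
    for line in flow_lines:
        alert = check_flow_line(line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_PROXY_LINES, SAMPLE_FLOW_LINES):
        print(alert)
```

The DNS check is the most durable of the three: workstations normally resolve through the organisation's own resolvers, so any UDP/53 traffic to an external address stands out regardless of which download host the worm is using that day, while the download host list ages as those sites are cleaned up.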

History: Analysis and Write-up by: Michael St. Neitzel