Threat Encyclopedia

Win32/Bagle.F

Win32/Bagle.F is an internet worm that spreads as an e-mail attachment, via P2P networks, and through shared folders.

The subject of the e-mail message is one of the following:

Aline
Anna
Audra
Bad girl
Barbi
Caitie
Fotograf
Gallery photos
Hey, dude, it's me ^_^ :P
Hey, ya! =))
Hi! :-)
Hokki =)
Jammie
Juli
Julie
Katrina
Katrina
Kelley
Lisa
Mandy
Mary
Mary-Anne
My Name is Frenk
My beautiful person
My photoalbum
My photos
Myphotos
Photoalbum
Rena
Sara
Tammy
Wau... beautiful (-:
Weah, hello! :-)
Weeeeee! ;)))
^_^ meay-meay!
^_^ meay-meay!
^_^ mew-mew (-:
beautiful
caroline
ello! =))
groom
kate
kleopatra
rebecca
stacy

The body of the message sent by the worm is picked at random from the following list:

Argh, i don't like the plaintext :)

Fell free to chat with me I accept all ages. Don''''t worry I don''''t bite........hope to hear from you soon!

If you are going to make me cry, at least be there to wipe away the tears *Right now the worst thing for you to tell me that I can find someone better than you, especially when you are all I want

You don't know what you've got till it's gone *You hurt me more than I deserve, how can you be so cruel? I love you more than you deserve, how can I be such a fool?

I sit with elders of a gentle race, whose world is seldom seen.Who sit and talk of days for which they wait, when all will be revealed. These are song lyrics.

I'm a social butterfly and a natural flirt. Very hard to get my complete attention. Very open and will answer almost anything. But please don't piss me off. I can be sweet and cuddly or a whatever mood I am in that day so everyday

Love the outdoors, literature, writing, and athletics

When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The Memories Of Our Life Together

I enjoy clean conversations but am open to conversing with women and men with little ones as well. I am very open-minded. All authorization requests will be denied if I don't receive messages and get to know you first.

I love camping, dirt track racing, going for walks, and I have 2 cats - HotRod and Deebo (named from the movie 'Friday' and he lives up to it!). Life is ever changing, never always easy...

i love to chat to just about anyone!!

If I'm online, it problably means I'm pretty bored....so feel free to message me and say hi or whatever else comes to mind at the moment.

Hey people whats goin on? If there is anything you want to know about me ask me... I am pretty easygoing I won't bite....not at first anywayz hahaa.....one thing I will say on here tho I am not into the Cyber thing so don't even ask.....Ciao...

Hi! My name is Shreya and I am a goof off!!! So, If you love the outdoors, travelling, books, music, movies, laffing, teasing and/or can poke fun at yourself... please come a hollerin'!!

I love to dance, read poetry, make people laugh, and hug as many people a day as i can.

Single Mom of 3, Full time college student, Graduate in December with an Associates of Applied Science in Computer Information Systems Love the internet.

My hobbies include crochet, sewing, painting lead figures and playing AD&D. Favorite activities include fishing and camping. I love cats, unicorns(go figure), and fantasy in general.

I like to be in a company of smart, delicate, and with a good sense of humor people. I am Bulgarian, currently getting my Master's in International Business in USA. Favorite actor: Michael Dudikoff

i'm tall and skiny I'm studying in Pharm. D program in FL. i like music, movie, dancing, sports, SCUBA diving, traveling and make a lot friends.

Nice friends, nice men, nice sex and feeling great. I don't mind the odd bout of cybersex as I love to use my imagination when I masterbate.

Hey, guys! by the way, I have no problems with my sexual life, so it's absolutly useless try to have icq sex or things like that. Thanks

I'm an open minded person and enjoy chatting w/ other people. I'm free and willing to chat about anything. So feel free to Imed me if you wanna chat.

I love meeting new people and making new friends. I am a Mary Kay Beauty Consultant. I am married to a wonderful man. We have no children, exept for a minature schnauzer that thinks he is a child. Looking forward to meeting you.

I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places .

I'm married and I stay at home. And I don't do cyber sex so leave me the fuck alone

Looking forward for a response :P

The attachment name is built from one of the following names:

Aline
Anna
Audra
Bad girl
Barbi
Caitie
Gallery
It_I
Jammie
Juli
Julie
Katrina
Katrina
Kelley
Lisa
Mandy
Mary
Mary-Anne
Photoalbum
Photomontage
Picture
Rena
Sara
Tammy
caroline
kate
kleopatra
myfotos
rebecca
stacy

and one of the extensions .exe, .scr, or .zip. If the attachment is a .zip file, it may be password-protected; the password is then included in the body of the message.

Upon execution, the worm drops the following three files into the %sysdir% folder:

i1ru54n4.exe
go54o.exe
ii5nj4.exe

It then adds the following entry to the system registry, so that the dropped file is started at every user logon:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rate.exe" = "%sysdir%\i1ru54n4.exe"

To harvest e-mail addresses for spreading, the worm searches all local drives for files with the following extensions:

.adb
.asp
.cfg
.dbx
.eml
.htm
.mdx
.mmf
.nch
.ods
.php
.pl
.sht
.tbb
.txt
.wab
.xml

and extracts the addresses from them. It does not send itself to addresses that contain any of the following strings:

@avp.
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@

Win32/Bagle.F also searches all local drives for folders whose names contain the string "shar" and copies itself into them under the following names:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

The worm contains backdoor functionality: it opens TCP port 2745, through which further malicious programs can be installed remotely. It then connects to one of the following addresses:

http://postertog.de/scr.php
http://www.gfotxt.net/scr.php
http://www.maiklibis.de/scr.php

and sends the port number and a random ID to it.

The worm also tries to terminate the following processes:

ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE

The worm deactivates itself on March 25, 2004.

Detection of Win32/Bagle.F has been included since version 1.640.
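As an added example (not part of this encyclopedia entry or its publisher's tooling), the following Python checks an e-mail message and a host snapshot against the Win32/Bagle.F indicators listed above, the way a mail-gateway rule or an incident-response triage script would. The function names, the snapshot inputs and the sample message are constructed; the subject set is a representative subset of the list above.

```python
import re

# Indicators transcribed from the Win32/Bagle.F description above. The subject
# set is a representative subset; extend it from the full list when deploying.
SUBJECTS = {"Hey, ya! =))", "Hi! :-)", "My photos", "Gallery photos", "Photoalbum",
            "Wau... beautiful (-:", "^_^ mew-mew (-:", "Katrina", "kleopatra"}
ATTACH_NAMES = {"aline", "anna", "audra", "bad girl", "barbi", "caitie", "gallery", "it_i",
                "jammie", "juli", "julie", "katrina", "kelley", "lisa", "mandy", "mary",
                "mary-anne", "photoalbum", "photomontage", "picture", "rena", "sara", "tammy",
                "caroline", "kate", "kleopatra", "myfotos", "rebecca", "stacy"}
ATTACH_EXTS = {"exe", "scr", "zip"}
DROPPED_FILES = {"i1ru54n4.exe", "go54o.exe", "ii5nj4.exe"}
RUN_VALUE, RUN_TARGET = "rate.exe", "i1ru54n4.exe"
BACKDOOR_PORT = 2745


def mail_indicators(subject, attachment, body):
    """Return the Bagle.F mail indicators a message matches (empty list = no match)."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    stem, dot, ext = attachment.rpartition(".")
    if dot and stem.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
        hits.append("attachment")
        # A password-protected .zip whose password is given in the body is the
        # variant described above; flag it separately so a gateway rule can act on it.
        if ext.lower() == "zip" and re.search(r"\bpassword\b", body, re.IGNORECASE):
            hits.append("password-in-body")
    return hits


def host_indicators(run_values, sysdir_files, listening_tcp_ports):
    """Check a host snapshot: HKCU Run values, file names in %sysdir%, listening TCP ports."""
    hits = []
    for name, target in run_values.items():
        if name.lower() == RUN_VALUE or target.lower().endswith(RUN_TARGET):
            hits.append(f"run-key:{name}")
    hits += [f"file:{f}" for f in sysdir_files if f.lower() in DROPPED_FILES]
    if BACKDOOR_PORT in listening_tcp_ports:
        hits.append(f"port:{BACKDOOR_PORT}")
    return hits


if __name__ == "__main__":
    # Constructed sample message and host snapshot (not real captures).
    print(mail_indicators("Hey, ya! =))", "Katrina.zip", "My photos, archive password: 1234"))
    print(host_indicators({"rate.exe": r"C:\WINDOWS\system32\i1ru54n4.exe"},
                          ["go54o.exe", "notepad.exe"], {135, 445, 2745}))
```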

Win32/Bagle.G

Win32/Bagle.G is a minor variant of Win32/Bagle.F. The list of processes it tries to terminate has changed (the only difference is the entry OUTPOS1T.EXE in place of OUTPOST.EXE):

ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOS1T.EXE
UPDATE.EXE

The rest of its functionality is identical to that of Win32/Bagle.F.

Detection of Win32/Bagle.G has been included since version 1.640.