
Win32.Bagle.GM@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Bagle.GM@mm.

Explanation:

The worm creates two copies of itself:
%APPDATA%\hidn\hldrrr.exe
%APPDATA%\hidn\hidn2.exe
In older versions, Bagle used the same names but relied on a rootkit to hide the "hidn" folder, the two files and the associated processes and registry entries. That is not the case in this version.

It creates the following registry entry to ensure it is run at startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key = "%APPDATA%\hidn\hidn2.exe"

The worm will try to download lists of email addresses from the following web sites:
http://accesible.cl/1/[REMOVED].php
http://amdlady.com/1/[REMOVED].php
http://avataresgratis.com/1/[REMOVED].php
http://beyoglu.com.tr/1/[REMOVED].php
http://brandshock.com/1/[REMOVED].php
http://c-d-c.com.au/1/[REMOVED].php
http://camaramafra.sc.gov.br/1/[REMOVED].php
http://camposequipamentos.com.br/1/[REMOVED].php
http://cbradio.sos.pl/1/[REMOVED].php
http://coparefrescos.stantonstreetgroup.com/1/[REMOVED].php
http://creainspire.com/1/[REMOVED].php
http://desenjoi.com.br/1/[REMOVED].php
http://hotelesalba.com/1/[REMOVED].php
http://inca.dnetsolution.net/1/[REMOVED].php
http://veranmaisala.com/1/[REMOVED].php
http://wklight.nazwa.pl/1/[REMOVED].php
http://www.auraura.com/1/[REMOVED].php
http://www.buydigital.co.kr/1/[REMOVED].php
http://www.diem.cl/1/[REMOVED].php
http://www.discotecapuzzle.com/1/[REMOVED].php
http://www.inprofile.gr/1/[REMOVED].php
http://www.klanpl.com/1/[REMOVED].php
http://www.titanmotors.com/images/1/[REMOVED].php
http://yongsan24.co.kr/1/[REMOVED].php
It collects the addresses in a file named "elist.xpt" in the %WINDOWS% directory.

All email addresses found on the system are added to this list. The worm searches for them in all files with the following extensions:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

It will not gather email addresses matching the following patterns:
@..
@..
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

The worm uses the SMTP servers defined in Outlook. If there are no such servers configured on the system, it uses some predefined SMTP servers.

An email sent by this version of Bagle will look like this:

Subject
A combination of one of the following and the current date:
"pric "
"price_ "
"price_"
"price-"
"price "
For example: "price_29-Dec-2006"

From
Searches for Outlook profiles in HKCU\Software\Microsoft\Internet Account Manager\Accounts

Body
One of the following:
"Message in attach."
"Message is zipped."
"Msg attached."

Attachment
A combination of one of the following and the current date, with ".zip" at the end:
"price"
"new_price"
"latest_price"
For example: "new_price29-Dec-2006.zip"
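The mail-side indicators above (a fixed subject prefix followed by the date, one of three fixed body texts, and an attachment named prefix plus date plus ".zip") are specific enough for a gateway rule. The following is an added example written for this page, not code from BitDefender; it assumes the date is formatted as in the page's own examples (day-Mon-year, e.g. 29-Dec-2006), and the sample messages at the bottom are constructed, not real captures. Messages where two indicators agree are quarantined, a single hit goes to review, and a "date" that is not a real calendar day (the worm inserts the current date, so it always is) does not count as a subject hit.

```python
import re
from datetime import datetime

# Subject and attachment building blocks as listed on this page (constructed
# detection logic; not BitDefender's code).  Date format assumed from the
# page's examples: day-Mon-year, e.g. 29-Dec-2006.
SUBJECT_PREFIXES = ("pric ", "price_ ", "price_", "price-", "price ")
ATTACHMENT_PREFIXES = ("price", "new_price", "latest_price")
BODY_TEXTS = {"Message in attach.", "Message is zipped.", "Msg attached."}
DATE_RE = re.compile(r"\d{1,2}-[A-Z][a-z]{2}-\d{4}")


def _is_real_date(text: str) -> bool:
    """The worm inserts the current date, so the suffix must be a calendar date."""
    try:
        datetime.strptime(text, "%d-%b-%Y")
    except ValueError:
        return False
    return True


def subject_matches(subject: str) -> bool:
    """True if subject is <prefix><date> with one of the Bagle.GM prefixes."""
    # Longest prefix first so "price_ " is tried before "price_".
    for prefix in sorted(SUBJECT_PREFIXES, key=len, reverse=True):
        if subject.startswith(prefix):
            rest = subject[len(prefix):]
            return DATE_RE.fullmatch(rest) is not None and _is_real_date(rest)
    return False


def attachment_matches(filename: str) -> bool:
    """True if filename is <prefix><date>.zip with one of the attachment prefixes."""
    pattern = "(?:%s)(%s)\\.zip" % ("|".join(ATTACHMENT_PREFIXES), DATE_RE.pattern)
    m = re.fullmatch(pattern, filename)
    return m is not None and _is_real_date(m.group(1))


def classify_message(subject: str, body: str, attachments: list) -> tuple:
    """Return (verdict, reasons): 'quarantine' when at least two indicators
    agree, 'review' on a single indicator, 'pass' otherwise."""
    reasons = []
    if subject_matches(subject):
        reasons.append("subject follows the Bagle.GM <prefix><date> pattern")
    if body.strip() in BODY_TEXTS:
        reasons.append("body is one of the fixed Bagle.GM texts")
    hits = [a for a in attachments if attachment_matches(a)]
    if hits:
        reasons.append("attachment name matches: " + ", ".join(hits))
    if len(reasons) >= 2:
        return "quarantine", reasons
    if reasons:
        return "review", reasons
    return "pass", reasons


# Constructed sample messages (not real captures): a worm message, a benign
# message about prices, and a near miss with an impossible date.
SAMPLE_MESSAGES = [
    {"subject": "price_29-Dec-2006", "body": "Message is zipped.",
     "attachments": ["new_price29-Dec-2006.zip"]},
    {"subject": "Re: price list for Q1",
     "body": "Please find the updated price list attached.",
     "attachments": ["pricelist_q1.xlsx"]},
    {"subject": "pric 31-Feb-2006", "body": "Msg attached.", "attachments": []},
]


def scan(messages: list) -> list:
    """Verdict for each message, in order."""
    return [classify_message(m["subject"], m["body"], m["attachments"])[0]
            for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        print(f"{verdict:10s} {msg['subject']!r}")
```

The exact-match body check is deliberate: the worm sends one of three fixed strings, so normalising or fuzzy-matching the body would only add false positives on legitimate mail that mentions prices or attachments.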

It will also download a file from one of these addresses, and will rename it to "re_file.exe":
http://5050clothing.com/[REMOVED].gif
http://axelero.hu/[REMOVED].gif
http://calamarco.com/[REMOVED].gif
http://ceramax.co.kr/[REMOVED].gif
http://charlesspaans.com/[REMOVED].gif
http://chatsk.wz.cz/[REMOVED].gif
http://checkalertusa.com/[REMOVED].gif
http://cibernegocios.com.ar/[REMOVED].gif
http://cof666.shockonline.net/[REMOVED].gif
http://comaxtechnologies.net/[REMOVED].gif
http://concellodesandias.com/[REMOVED].gif
http://dev.jintek.com/[REMOVED].gif
http://dogoodesign.ch/[REMOVED].gif
http://donchef.com/[REMOVED].gif
http://erich-kaestner-schule-donaueschingen.de/[REMOVED].gif
http://foxvcoin.com/[REMOVED].gif
http://grupdogus.de/[REMOVED].gif
http://hotchillishop.de/[REMOVED].gif
http://ilikesimple.com/[REMOVED].gif
http://innovation.ojom.net/[REMOVED].gif
http://kisalfold.com/[REMOVED].gif
http://knickimbit.de/[REMOVED].gif
http://kremz.ru/[REMOVED].gif
http://massgroup.de/[REMOVED].gif
http://poliklinika-vajnorska.sk/[REMOVED].gif
http://prime.gushi.org/[REMOVED].gif
http://svatba.viskot.cz/[REMOVED].gif
http://systemforex.de/[REMOVED].gif
http://uwua132.org/[REMOVED].gif
http://v-v-kopretiny.ic.cz/[REMOVED].gif
http://vanvakfi.com/[REMOVED].gif
http://vega-sps.com/[REMOVED].gif
http://vidus.ru/[REMOVED].gif
http://viralstrategies.com/[REMOVED].gif
http://Vivamodelhobby.com/[REMOVED].gif
http://vkinfotech.com/[REMOVED].gif
http://vproinc.com/[REMOVED].gif
http://vytukas.com/[REMOVED].gif
http://waisenhaus-kenya.ch/[REMOVED].gif
http://watsrisuphan.org/[REMOVED].gif
http://wbecanada.com/[REMOVED].gif
http://web-comp.hu/[REMOVED].gif
http://webfull.com/[REMOVED].gif
http://welvo.com/[REMOVED].gif
http://wvpilots.org/[REMOVED].gif
http://www.ag.ohio-state.edu/[REMOVED].gif
http://www.chapisteriadaniel.com/[REMOVED].gif
http://www.chittychat.com/[REMOVED].gif
http://www.cort.ru/[REMOVED].gif
http://www.crfj.com/[REMOVED].gif
http://www.kersten.de/[REMOVED].gif
http://www.kljbwadersloh.de/[REMOVED].gif
http://www.voov.de/[REMOVED].gif
http://www.walsch.de/[REMOVED].gif
http://www.wchat.cz/[REMOVED].gif
http://www.wg-aufbau-bautzen.de/[REMOVED].gif
http://www.wzhuate.com/[REMOVED].gif
http://xotravel.ru/[REMOVED].gif
http://yeniguntugla.com/[REMOVED].gif
http://zebrachina.net/[REMOVED].gif
http://zsnabreznaknm.sk/[REMOVED].gif
"re_file.exe" will then be executed.

Other payloads:
It disables the Windows Update service (wuauserv).
It deletes the registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot.
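The host artifacts this page lists (the two dropped files under %APPDATA%\hidn, the drv_st_key Run value, the elist.xpt address list, the deleted SafeBoot key and the disabled wuauserv service) can be checked together in one triage script. The following is an added example written for this page, not BitDefender's code. It assumes that %WINDOWS% on the page corresponds to the %WINDIR% environment variable, reads the service start type with "sc qc", and uses winreg for the two registry checks; the two snapshots at the bottom are constructed test data, not captures from real hosts. Scoring is deliberately tiered: the Run value or a dropped file is a direct indicator, while a missing SafeBoot key or a disabled update service can have other causes and only counts as suspicious on its own.

```python
import os
import subprocess
import sys

# Host indicators taken from this page.  Assumptions (mine, not BitDefender's):
# %WINDOWS% on the page is the %WINDIR% environment variable, and the service
# start type is read with "sc qc".
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "drv_st_key"
DROPPED_FILES = (r"%APPDATA%\hidn\hldrrr.exe", r"%APPDATA%\hidn\hidn2.exe")
HARVEST_FILE = r"%WINDIR%\elist.xpt"
SAFEBOOT_KEY = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
WU_SERVICE = "wuauserv"


def assess_snapshot(snap: dict) -> tuple:
    """Score a host snapshot against the Bagle.GM indicators.

    snap keys: files_present (set of the template paths above that exist),
    run_values (dict: HKCU Run value name -> data), safeboot_exists (bool),
    wu_start_type (str from 'sc qc', e.g. 'AUTO_START' or 'DISABLED').
    Returns (verdict, findings) where findings is a list of (severity, text).
    """
    findings = []
    run_data = snap["run_values"].get(RUN_VALUE_NAME)
    if run_data is not None:
        findings.append(("high", f"HKCU Run value {RUN_VALUE_NAME} = {run_data}"))
    for path in DROPPED_FILES:
        if path in snap["files_present"]:
            findings.append(("high", f"dropped file present: {path}"))
    if HARVEST_FILE in snap["files_present"]:
        findings.append(("medium", f"harvested address list present: {HARVEST_FILE}"))
    if not snap["safeboot_exists"]:
        findings.append(("medium", "HKLM SafeBoot key missing; Safe Mode boot will fail"))
    if snap["wu_start_type"] == "DISABLED":
        findings.append(("low", f"{WU_SERVICE} start type is DISABLED"))

    if any(sev == "high" for sev, _ in findings):
        return "infected", findings
    if findings:
        return "suspicious", findings
    return "clean", findings


def collect_snapshot() -> dict:
    """Build the snapshot from the local host.  Windows only (winreg, sc.exe)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; use a prepared snapshot")
    import winreg

    snap = {"files_present": set(), "run_values": {},
            "safeboot_exists": False, "wu_start_type": "UNKNOWN"}
    for path in DROPPED_FILES + (HARVEST_FILE,):
        if os.path.exists(os.path.expandvars(path)):
            snap["files_present"].add(path)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            snap["run_values"][name] = str(data)
            index += 1
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT_KEY))
        snap["safeboot_exists"] = True
    except OSError:
        pass                         # key absent: what the worm leaves behind
    output = subprocess.run(["sc", "qc", WU_SERVICE],
                            capture_output=True, text=True).stdout
    for line in output.splitlines():
        if "START_TYPE" in line:     # e.g. "START_TYPE : 2   AUTO_START"
            parts = line.split(":", 1)[1].split()
            if len(parts) > 1:
                snap["wu_start_type"] = parts[1]
    return snap


# Constructed snapshots for offline testing (not captures from real hosts).
CLEAN_SNAPSHOT = {
    "files_present": set(),
    "run_values": {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    "safeboot_exists": True,
    "wu_start_type": "AUTO_START",
}
INFECTED_SNAPSHOT = {
    "files_present": set(DROPPED_FILES) | {HARVEST_FILE},
    "run_values": {"drv_st_key": r"C:\Users\alice\AppData\Roaming\hidn\hidn2.exe"},
    "safeboot_exists": False,
    "wu_start_type": "DISABLED",
}

if __name__ == "__main__":
    snapshot = collect_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    verdict, findings = assess_snapshot(snapshot)
    print(verdict)
    for severity, text in findings:
        print(f"  [{severity}] {text}")
```

Because the scoring is separated from the collection, the same assess_snapshot() can be run over snapshots exported from many hosts (for example, gathered by an EDR query) without needing winreg on the analysis machine.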

Last update 21 November 2011
