Home / malware Win32.Bagle.{C-E}@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Bagle.{C-E}@mm is also known as Win32.Beagle.
Explanation :
The mass-mailer is 15944 bytes in length, comes as attachement in zip form
with "store" method.
It arrives in an email in the following format:
From: [forged email address]
Subject: [one of the following]
Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee
Body: [empty]
Attachment: [random bytes].exe within a zip file.
Upon execution, it drops four files into "C:WindowsSystem"
directory, with the following purposes:
- readme.exe is the virus unzipped. A key will be inserted in the
registry so that the file will be executed at every operating system
restart.
- doc.exe, a file which has the purpose of executing onde.exe.
Injected in the explorer.exe address space.
- onde.exe is the main component of the virus. Handles all the
mass-mailing.
- readme.exeopen is the zipped version of the virus, the file in the
archive created already with a random name and ready to be mass-mailed
as attachement.
When first ran, it will start notepad.exe. Then, it checks the date
and if the date is after 14 March 2004 the worm will exit.
The worm will create the registry keys described in the "Symptoms"
sections, and starts a backdoor that will listen for commands on the
port 2745.
The worm will create a mutex named "imain_mutex" and create a series
of threads, performing various functions:
- every 100 milliseconds kill all proces with the name:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE
- every 2000 milliseconds check if connected to internet.
- every 3 hours and ten minutes, the worm will connect to the
following addresses under the name "i_am_ideal":
http://permail.uni-muenster.de
http://www.songtext.net/de
http://www.sportscheck.de
The worm will search the host computer for the filenames with the
following extensions, extracting email addresses from them:
.wab
.txt
.htm
.html
.dbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.adb
.sht
The worm will not send itself to addresses containing the following
strings:
@hotmail.com
@msn.com
@microsoft
@avp.
noreply
local
root@
postmaster@
Update: it seems there is a new strain of Bagle in the wild. The virus is detected by Bitdefender as Win32.Bagle.D@mm and is similar to the Bagle.C@mm variant. There are only minor differences:
- the mutex is now called "iain_m2".
- the user used to connect to the sites mentioned is now "al".
- the key "DateTime2" is now called "DateTime3". The location is unchanged.
Update #2: we received yet another strain of Bagle. BitDefender now detects it as Win32.Bagle.E@mm. Seems like there are more differences as opposed to Bagle.C@mm:
- the messages that the virus sends have now attachements, one of the following:
Subj
Request
Empty
Response
Everything inside the attach
Look it through
- Name of the files dropped have changed:
doc.exe is now called ii455nj4.exe
readme.exe is now called i1ru74n4.exe
readme.exeopen is now called i1ru74n4.exeopen
ondo.exe is now called godo.exe.
Note that the size of the file "i1ru74n4.exe" now varies, the virus adds random bytes as overlay to the file.
- mutex name is the same as that of the C@mm variant: "imain_mutex"
- the user used to connect to the same pages is now named "oclivity".
- registry keys have changed:
HKCUSoftwareDateTime4, with the only subkey "frun = 1".
HKCUSoftwareMicrosoftWindowsCurrentVersionRun, with the subkey "rate.exe = C:WindowsSystemi1ru74n4.exe"
- the date at which the virus will de-activate has now changed from 14 March 2004 to 25 March 2004.
- the attachement inside the ZIP archive changed packer, from UPX to PEX.Last update 21 November 2011
