Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Bagle.E carries out the following actions:
It attempts to connect to several web pages that host a PHP script:
http://permail.uni-muenster.de/scr.php
http://www.songtext.net/de/scr.php
http://www.sportscheck.de/scr.php
By doing this, Bagle.E notifies its author that the affected computer can be accessed through the port it opens (2745, stored in the registry as described below).
It ends the processes belonging to several antivirus update applications:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
This worm only runs if the system date is March 14, 2004 or earlier. After this date, Bagle.E stops functioning (it still arrives by e-mail, but exits without infecting or spreading).
It opens Notepad the first time it is run.
Infection strategy
Bagle.E creates the following files in the Windows system directory:
Bagle.E creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
rate.exe = %sysdir%\i1ru74n4.exe
where %sysdir% is the Windows system directory.
By creating this entry, Bagle.E ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\SOFTWARE\DateTime4
uid = %random%
port = 2745
frn = 1
where %random% is a random value. The port entry holds the backdoor port, and the frn entry indicates that Bagle.E has already been run for the first time.
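The persistence and backdoor artifacts above can be checked without touching a live machine. The following script is an added example for this entry (not Panda Security's code and not the worm's): it parses a Windows .reg export and netstat-style output, both constructed inline, and reports the Run value, the DateTime4 marker key and a listener on port 2745. Key paths, value names, i1ru74n4.exe and the port come from the entry; the surrounding sample lines, and the assumption that the port value may be stored as a dword, are this example's own.

```python
"""Host-side check for the Bagle.E persistence artifacts described above.

Added example for this entry, not Panda Security's code and not the worm's.
Instead of reading a live registry it parses a Windows .reg export and
netstat-style output, both constructed inline here, so it runs offline on
any OS. Key paths, value names, the file name i1ru74n4.exe and port 2745 are
taken from the entry; the surrounding sample lines are invented.
"""
import re

# Constructed sample of a `reg export HKCU\Software` file on an infected host.
# The uid value is a made-up random number (the entry says it is random).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"rate.exe"="C:\\WINDOWS\\system32\\i1ru74n4.exe"

[HKEY_CURRENT_USER\SOFTWARE\DateTime4]
"uid"="2047781356"
"port"=dword:00000ab9
"frn"=dword:00000001
"""

# Constructed sample of `netstat -ano` output on the same host.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.20:49712     192.168.1.1:443        ESTABLISHED     4120
"""

BACKDOOR_PORT = 2745
DROPPED_FILE = "i1ru74n4.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\DateTime4"


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: raw_data}} from .reg text.

    Registry paths are case-insensitive, so keys are lowercased for lookup.
    Only "name"=data lines are kept; @ default values are not needed here.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def reg_int(data):
    """Decode a .reg value as an int: dword:XXXXXXXX or a quoted decimal string."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
    if m:
        return int(m.group(1), 16)
    if re.fullmatch(r'"\d+"', data):
        return int(data.strip('"'))
    return None


def reg_indicators(reg_text):
    """Return human-readable hits for the Run entry and the DateTime4 marker key."""
    keys = parse_reg_export(reg_text)
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        # The autostart value is named rate.exe and points at %sysdir%\i1ru74n4.exe.
        if name.lower() == "rate.exe" or DROPPED_FILE in data.lower():
            hits.append(f"Run value {name} = {data}")
    marker = keys.get(MARKER_KEY.lower())
    if marker is not None:
        hits.append("DateTime4 key present with values: " + ", ".join(sorted(marker)))
        if reg_int(marker.get("port", "")) == BACKDOOR_PORT:
            hits.append(f"DateTime4\\port = {BACKDOOR_PORT}")
    return hits


def listening_pids(netstat_text, port=BACKDOOR_PORT):
    """PIDs of TCP sockets in LISTENING state on `port` in netstat -ano output."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(parts[4]))
    return pids


def scan(reg_text, netstat_text):
    """Combine registry and network indicators into one list of findings."""
    findings = reg_indicators(reg_text)
    for pid in listening_pids(netstat_text):
        findings.append(f"TCP {BACKDOOR_PORT} LISTENING, PID {pid}")
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT):
        print("[!]", finding)
```

On a real host, replace the two constants with the output of `reg export HKCU\Software out.reg` and `netstat -ano`; the PID reported for port 2745 is the process to inspect and terminate before removing the Run value.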
Means of transmission
Bagle.E spreads via e-mail. It follows the routine below:
It reaches the computer in an e-mail message that has the following characteristics:
Sender:
Bagle.E forges the sender address, so the apparent sender is not the infected computer that actually sent the message and cannot be used to locate it.
Subject: one of the following:
Accounts department
Ahtung!
Camila
confirmation
Daily activity report
Ello!
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price
Price list
Pricelist
price-list
Price-list
Proclivity to servitude
Registration
The account
The employee
The summary
USA government abolishes the capital punishment
Weekly activity report
Well...
You are dismissed
You really love me? he he
Message: one of the following:
Cya
Empty
Everything inside the attach
Look it through
Request
Attachments:
The file name is variable and consists of several random characters, but always has a ZIP extension. It has an icon similar to the one belonging to Windows Notepad.
When the attached file is run, the computer is affected.
Bagle.E searches for e-mail addresses in files that have the following extensions: ADB, ASP, CFG, DBX, EML, HTM, HTML, MDX, MMF, NCH, ODS, PHP, PL, SHT, TXT and WAB.
It sends itself out to all the addresses it has gathered using its own SMTP engine, except those that belong to the mail domains @hotmail.com, @msn.com, @microsoft and @avp, or that contain one of the following text strings: local, noreply, postmaster@, root@.
Bagle.E makes MX queries in order to obtain the IP addresses of the mail servers for the domains to which it attempts to send itself.
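The subject, body and attachment traits listed above are enough for a mail-gateway rule. The following is an added example for this entry (not Panda Security's code and not the worm's): it parses MIME messages with the Python standard library and flags a message when a listed subject arrives together with a random-named ZIP attachment. The sample messages are constructed here and the attachment is a placeholder string, not an archive. Treating the "Empty" body variant as an empty body, and "several random characters" as a short alphanumeric stem, are this example's assumptions.

```python
"""Mail-gateway check for the Bagle.E message traits listed above.

Added example for this entry, not Panda Security's code and not the worm's.
It parses MIME messages with the standard library and matches them against
the subject list, body list and ZIP-attachment trait given in the entry. The
sample messages are constructed here; the attachment bytes are a placeholder
string, not an archive and not malware. Treating the "Empty" message variant
as an empty body, and "several random characters" as a short alphanumeric
stem, are this example's assumptions.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subjects from the entry, compared case-insensitively.
SUBJECTS = {s.lower() for s in (
    "Accounts department", "Ahtung!", "Camila", "confirmation",
    "Daily activity report", "Ello!", "Flayers among us", "Freedom for everyone",
    "From Hair-cutter", "From me", "Greet the day", "Hardware devices",
    "Hello my friend", "Hi!", "Jenny", "Jessica", "Looking for the report",
    "Maria", "Melissa", "Monthly incomings summary", "New Price-list", "Price",
    "Price list", "Pricelist", "price-list", "Price-list",
    "Proclivity to servitude", "Registration", "The account", "The employee",
    "The summary", "USA government abolishes the capital punishment",
    "Weekly activity report", "Well...", "You are dismissed",
    "You really love me? he he",
)}

# Message bodies from the entry; "" stands for the "Empty" variant (assumption).
BODIES = {"cya", "", "everything inside the attach", "look it through", "request"}

# "Several random characters" with a ZIP extension; the stem length is our guess.
RANDOM_ZIP = re.compile(r"^[a-z0-9]{1,12}\.zip$", re.IGNORECASE)


def classify(raw_bytes):
    """Return (suspect, reasons) for one raw RFC 5322 message.

    The ZIP carrier plus a listed subject is required before flagging, so a
    genuine "Price list" mail without the attachment only gets a note.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []

    subject = str(msg["Subject"] or "").strip()
    subject_hit = subject.lower() in SUBJECTS
    if subject_hit:
        reasons.append(f"subject is on the Bagle.E list: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body.lower() in BODIES:
        reasons.append(f"body is on the Bagle.E list: {body!r}")

    zips = [a.get_filename() for a in msg.iter_attachments()
            if a.get_filename() and RANDOM_ZIP.match(a.get_filename())]
    if zips:
        reasons.append("random-named ZIP attachment: " + ", ".join(zips))

    return bool(zips) and subject_hit, reasons


def build_sample(subject, body, attach_name=None):
    """Construct a test message; the sender is forged, as Bagle.E forges it."""
    msg = EmailMessage()
    msg["From"] = "someone.trusted@example.org"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        msg.add_attachment(b"PLACEHOLDER - not an archive", maintype="application",
                           subtype="zip", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in (("Price-list", "Look it through", "x7qpd.zip"),
                 ("Price list", "Hi Anna, the updated list is below.", None),
                 ("Meeting notes", "", "minutes.zip")):
        suspect, reasons = classify(build_sample(*args))
        print("SUSPECT" if suspect else "ok     ", args[0], "|", "; ".join(reasons))
```

The rule deliberately does not trust the From header, since the entry states the sender is forged; a gateway would feed `classify` the raw message bytes and quarantine on `suspect`, logging `reasons` for the analyst.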
Further Details
Bagle.E is written in the programming language Visual C. This worm is 16,896 bytes in size.
Bagle.E attempts to locate the window called Shell_TrayWnd and the mutex imain_mutex.
When it is run, it checks its command line parameters, which allow it to update or delete itself.