
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Bagle.J

Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects

Bagle.J carries out the following actions:

  • It creates a backdoor that listens on TCP port 2745.
  • It attempts to connect to several web pages that host a PHP script:
    http://postertog.de/scr.php
    http://www.gfotxt.net/scr.php
    http://www.maiklibis.de/scr.php
    By doing this, Bagle.J notifies its author that the affected computer can be accessed through the opened port.
  • It ends the processes belonging to several antivirus update applications:
    ATUPDATER.EXE
    AUPDATE.EXE
    AUTODOWN.EXE
    AUTOTRACE.EXE
    AUTOUPDATE.EXE
    AVLTMAIN.EXE
    AVPUPD.EXE
    AVWUPD32.EXE
    AVXQUAR.EXE
    CFIAUDIT.EXE
    DRWEBUPW.EXE
    ICSSUPPNT.EXE
    ICSUPP95.EXE
    LUALL.EXE
    MCUPDATE.EXE
    NUPGRADE.EXE
    OUTPOST.EXE
    UPDATE.EXE
  • This worm only runs if the system date is March 25, 2005 or earlier. After this date, Bagle.J stops functioning.

Infection strategy

Bagle.J creates the following files in the Windows system directory:

  • IRUN4.EXE. This file is a copy of the worm.
  • IRUN4.EXEOPEN. This file contains the worm compressed in ZIP format; it is the copy that is sent via e-mail.

Bagle.J creates the following entry in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ssate.exe = %sysdir%\irun4.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Bagle.J ensures that it is run whenever Windows is started.

Means of transmission

Bagle.J spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

Bagle.J follows the routine below:

  • It reaches the computer in an e-mail message that has the following characteristics:

    Sender:
    Bagle.J spoofs the sender address, so the message appears to come from an address other than its real origin. This may cause confusion.
    It consists of one of the following text strings:
    administration@%domain%
    management@%domain%
    noreply@%domain%
    staff@%domain%
    support@%domain%
    where %domain% is the mail domain of the recipient.

    Subject: one of the following:
    E-mail account disabling warning.
    E-mail account security warning.
    Email account utilization warning.
    Important notify about your e-mail account.
    Notify about using the e-mail account.
    Notify about your e-mail account utilization.
    Warning about your e-mail account.

    Message: it is variable, and is composed of one text string from each of the following lists:
    List 1: greetings
    Dear user of %domain%,
    Dear user of %domain% gateway e-mail server,
    Dear user of e-mail server %domain%,
    Hello user of %domain% e-mail server,
    Dear user of %domain% mailing system,
    Dear user, the management of %domain% mailing system wants to let you know that,

    List 2: main message
    Your e-mail account has been temporary disabled because of unauthorized access.
    Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
    Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
    We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
    Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
    Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

    List 3: information on the attachments
    Advanced details can be found in attached file.
    For details see the attach.
    For details see the attached file.
    For further details seethe attach.
    For more information see the attached file.
    Further details can be obtained from attached file.
    Pay attention on attached file.
    Please, read the attach for further details.

    List 4: information on the password
    One of the following text strings is added when the extension of the attachment is ZIP.
    For security reasons attached file is password protected. The password is %number%.
    For security purposes the attached file is password protected. Password is %number%.
    Attached file protected with the password for security reasons. Password is %number%.
    In order to read the attach you have to use the following password: %number%.
    where %number% is a random 5-digit number.

    List 5: closing
    The Management,
    Sincerely,
    Best wishes,
    Have a good day,
    Cheers,
    Kind regards,

    Finally, the following text is included:
    The %domain% team http://www.%domain%
    where %domain% is the mail domain of the recipient.

    Attachments: the file name is one of ATTACH, DOCUMENT, INFO, INFORMATION, MESSAGE, MOREINFO, README, TEXTDOCUMENT or TEXTFILE, with the extension EXE, PIF or ZIP.
  • The computer is affected when the attached file is run.
  • Bagle.J searches for e-mail addresses in files with the following extensions: WAB, TXT, MSG, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB, TBB, SHT, UIN and CGI.
  • Bagle.J sends itself to all the addresses it has gathered, using its own SMTP engine.
  • However, it does not send itself to addresses with the following characteristics:
    - The mail domain is one of the following text strings: @hotmail.com, @msn.com, @microsoft and @avp.
    - The mail account contains any of the following text strings: local, noreply, postmaster@ and root@.
  • Bagle.J makes MX queries in order to obtain the IP addresses of the domains where it attempts to send itself via e-mail.
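The lure described above lends itself to a mail-gateway check. The following is an added example, not Panda Security's code or a product feature: it flags a raw message when the sender is a role account spoofed at the recipient's own domain, the subject is one of the listed strings, the attachment name and extension fit the listed pattern, or the body carries the 5-digit ZIP password sentence. The sample message is constructed and is not a real capture.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure strings as listed above: spoofed sender local parts, subjects, attachment names.
SENDER_LOCALPARTS = {"administration", "management", "noreply", "staff", "support"}
SUBJECTS = {"E-mail account disabling warning.", "E-mail account security warning.",
            "Email account utilization warning.", "Important notify about your e-mail account.",
            "Notify about using the e-mail account.", "Notify about your e-mail account utilization.",
            "Warning about your e-mail account."}
ATTACH_NAMES = set("ATTACH DOCUMENT INFO INFORMATION MESSAGE MOREINFO README TEXTDOCUMENT TEXTFILE".split())
ATTACH_EXTS = {"EXE", "PIF", "ZIP"}
# The "password is %number%" sentence that accompanies ZIP attachments (%number% is 5 digits).
PASSWORD_RE = re.compile(r"password\D{0,40}?(\d{5})\b", re.IGNORECASE)

def bagle_j_indicators(raw):
    """Return the Bagle.J lure indicators found in a raw RFC 822 message string."""
    msg = message_from_string(raw)
    to_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    local, _, from_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    hits = []
    # Spoofed sender: a role account at the recipient's own mail domain.
    if to_domain and local in SENDER_LOCALPARTS and from_domain == to_domain:
        hits.append("sender")
    if msg.get("Subject", "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        fname = part.get_filename() or ""
        stem, _, ext = fname.rpartition(".")
        if stem.upper() in ATTACH_NAMES and ext.upper() in ATTACH_EXTS:
            hits.append("attachment:" + fname)
        elif not fname and part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if PASSWORD_RE.search(body):
                hits.append("zip_password")
    return hits

# Constructed sample message (not a real capture) mirroring the lure layout described above.
SAMPLE = """From: support@example.net
To: alice@example.net
Subject: E-mail account security warning.
Content-Type: multipart/mixed; boundary="b1"

--b1

For security reasons attached file is password protected. The password is 48213.
--b1
Content-Disposition: attachment; filename="Information.zip"

--b1--"""
```

Running `bagle_j_indicators(SAMPLE)` returns all four indicator kinds for the sample; a message from an unrelated domain with an ordinary subject returns an empty list.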

2.- Transmission through P2P programs.

Bagle.J follows the routine below:

  • It creates copies of itself in shared directories whose name contains the text string SHAR, under the following file names:
    Microsoft Office 2003 Crack, Working!.exe
    Microsoft OfficeXP working Crack, Keygen.exe
    Microsoft Windows XP, WinXP Crack,working Keygen.exe
    Porno Screensaver.scr
    Porno,sex, oral, anal cool, awesome!!.exe
    Porno pics arhive, xxx.exe
    Serials.txt.exe
    Windown Longhorn Beta Leak.exe
    Windows Sourcecode update.doc.exe
    XXX hardcore images.exe
    Opera 8 New!.exe
    WinAmp5 Pro Keygen Crack Update.exe
    WinAmp 6 New!.exe
    Matrix 3 Revolution English Subtitles.exe
    Adobe Photoshop 9 full.exe
    Ahead Nero7.exe
    ACDSee 9.exe
  • Other users of these programs can access these shared directories remotely and download the files, believing them to be the programs named. They actually download a copy of Bagle.J.
  • When the downloaded file is run, these computers will become affected by Bagle.J.

Further Details

Bagle.J is written in the programming language Visual C. This worm is 12,288 bytes in size.

When it is run, it checks its command line parameters, which allow it to update or delete itself.

Bagle.J contains the following text in its code, though it is never displayed:

Hey, NetSky, fuck off you bitch, don't ruine our bussiness, wanna start a war?
