
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Bagle.N

 
Threat level: Severe threat
Damage: Severe
Distribution: Moderately widespread

Effects 

Bagle.N carries out the following actions:

  • It infects PE files, increasing their size by 21 KBytes.
  • It creates a backdoor that opens the TCP port 2556.
  • It ends the processes belonging to antivirus programs, firewalls and system monitoring tools, among others:

    AGENTSVR.EXE, ANTI-TROJAN.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE, APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATGUARD.EXE, ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVCONSOL.EXE, AVGSERV9.EXE, AVLTMAIN.EXE, AVPUPD.EXE, AVSYNMGR.EXE, AVWUPD32.EXE, AVXQUAR.EXE, BD_PROFESSIONAL.EXE, BIDEF.EXE, BIDSERVER.EXE, BIPCP.EXE, BIPCPEVALSETUP.EXE, BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BOOTWARN.EXE, BORG2.EXE, BS120.EXE, CDP.EXE, CFGWIZ.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFIAUDIT.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET.EXE, CFINET32.EXE, CFINET32.EXE, CLEAN.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER.EXE, CLEANER3.EXE, CLEANER3.EXE, CLEANPC.EXE, CLEANPC.EXE, CMGRDIAN.EXE, CMGRDIAN.EXE, CMON016.EXE, CMON016.EXE, CPD.EXE, CPF9X206.EXE, CPFNT206.EXE, CV.EXE, CWNB181.EXE, CWNTDWMO.EXE, DEFWATCH.EXE, DEPUTY.EXE, DPF.EXE, DPFSETUP.EXE, DRWATSON.EXE, DRWEBUPW.EXE, ENT.EXE, ESCANH95.EXE, ESCANHNT.EXE, ESCANV95.EXE, EXANTIVIRUS-CNET.EXE, FAST.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE, FP-WIN_TRIAL.EXE, FRW.EXE, FSAV.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE, FSAV95.EXE, GBMENU.EXE, GBPOLL.EXE, GUARD.EXE, GUARDDOG.EXE, HACKTRACERSETUP.EXE, HTLOG.EXE, HWPE.EXE, IAMAPP.EXE, IAMAPP.EXE, IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFW2000.EXE, IPARMOR.EXE, IRIS.EXE, JAMMER.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE, KERIO-PF-213-EN-WIN.EXE, KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE, KILLPROCESSSETUP161.EXE, LDPRO.EXE, LOCALNET.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LSETUP.EXE, LUALL.EXE, LUCOMSERVER.EXE, LUINIT.EXE, MCAGENT.EXE, MCUPDATE.EXE, MCUPDATE.EXE, MFW2EN.EXE, MFWENG3.02D30.EXE, MGUI.EXE, MINILOG.EXE, MOOLIVE.EXE, MRFLUX.EXE, MSCONFIG.EXE, MSINFO32.EXE, MSSMMC32.EXE, MU0311AD.EXE, NAV80TRY.EXE, NAVAPW32.EXE, NAVDX.EXE, NAVSTUB.EXE, NAVW32.EXE, NC2000.EXE, NCINST4.EXE, NDD32.EXE, NEOMONITOR.EXE, NETARMOR.EXE, NETINFO.EXE, 
NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE, NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NSCHED32.EXE, NTVDM.EXE, NUPGRADE.EXE, NVARCH16.EXE, NWINST4.EXE, NWTOOL16.EXE, OSTRONET.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE, PADMIN.EXE, PANIXK.EXE, PAVPROXY.EXE, PCC2002S902.EXE, PCC2K_76_1436.EXE, PCCIOMON.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCFWALLICON.EXE, PCIP10117_0.EXE, PDSETUP.EXE, PERISCOPE.EXE, PERSFW.EXE, PF2.EXE, PFWADMIN.EXE, PINGSCAN.EXE, PLATIN.EXE, POPROXY.EXE, POPSCAN.EXE, PORTDETECTIVE.EXE, PPINUPDT.EXE, PPTBC.EXE, PPVSTOP.EXE, PROCEXPLORERV1.0.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE, PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAV8WIN32ENG.EXE, REGEDIT.EXE, REGEDT32.EXE, RESCUE.EXE, RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE, RTVSCN95.EXE, RULAUNCH.EXE, SAFEWEB.EXE, SBSERV.EXE, SD.EXE, SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE, SH.EXE, SHELLSPYINSTALL.EXE, SHN.EXE, SMC.EXE, SOFI.EXE, SPF.EXE, SPHINX.EXE, SPYXX.EXE, SS3EDIT.EXE, ST2.EXE, SUPFTRL.EXE, SUPPORTER5.EXE, SYMPROXYSVC.EXE, SYSEDIT.EXE, TASKMON.EXE, TAUMON.EXE, TAUSCAN.EXE, TC.EXE, TCA.EXE, TCM.EXE, TDS2-98.EXE, TDS2-NT.EXE, TDS-3.EXE, TFAK5.EXE, TGBOB.EXE, TITANIN.EXE, TITANINXP.EXE, TRACERT.EXE, TRJSCAN.EXE, TRJSETUP.EXE, TROJANTRAP3.EXE, UNDOBOOT.EXE, UPDATE.EXE, VBCMSERV.EXE, VBCONS.EXE, VBUST.EXE, VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VFSETUP.EXE, VIRUSMDPERSONALFIREWALL.EXE, VNLAN300.EXE, VNPC3000.EXE, VPC42.EXE, VPFW30S.EXE, VPTRAY.EXE, VSCENU6.02D30.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, VSWIN9XE.EXE, VSWINNTSE.EXE, VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE, WATCHDOG.EXE, WEBSCANX.EXE, WGFE95.EXE, WHOSWATCHINGME.EXE, WHOSWATCHINGME.EXE, WINRECON.EXE, WNT.EXE, WRADMIN.EXE, WRCTRL.EXE, WSBGATE.EXE, WYVERNWORKSFIREWALL.EXE, XPF202EN.EXE, ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZAUINST.EXE, 
ZONALM2601.EXE and ZONEALARM.EXE.

Infection strategy 

Bagle.N creates the following files in the Windows system directory:

  • WINUPD.EXE. This file is a copy of the worm.
  • WINUPD.EXEOPEN and WINUPD.EXEOPENOPEN. These files are copies of the worm compressed in ZIP or RAR format; they are the copies sent via e-mail.
  • WINUPD.EXEOPENOPENOPEN. This is a graphics file.

On the attacker's command, Bagle.N updates itself and copies the new version to the Windows directory under the file name IUPLDAXXXXX.EXE, where XXXXX stands for several random characters.

Bagle.N creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    winupd.exe = %sysdir%\winupd.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Bagle.N ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\winupd
    Bagle.N creates this entry as a marker, so that it can check whether the computer is already infected.
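The host indicators listed in the Effects and Infection strategy sections (the Run value, the HKCU\winupd marker, TCP port 2556 and the IUPLDAXXXXX.EXE update copy) can be checked offline against exported tool output. The following is an added example, not Panda's code: it parses constructed text in the shape of `reg query <key> /s` and `netstat -ano` output plus a constructed directory listing; the regular expression for the update file name is an assumption, since the page only says "several random characters".

```python
import re

# Host indicators taken from the Bagle.N description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\winupd"
BACKDOOR_PORT = 2556
UPDATE_NAME = re.compile(r"^IUPLDA\w+\.EXE$", re.IGNORECASE)  # assumed: any run of characters
# Constructed sample output shaped like `reg query <key> /s` (not from a real host).
REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    winupd.exe    REG_SZ    C:\WINDOWS\system32\winupd.exe
HKEY_CURRENT_USER\winupd
"""
# Constructed sample output shaped like `netstat -ano`.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:2556           0.0.0.0:0              LISTENING       1480
"""
# Constructed listing of the Windows directory.
WINDOWS_FILES = [r"C:\WINDOWS\notepad.exe", r"C:\WINDOWS\IUPLDAQ7X2K.EXE"]

def parse_reg(text):
    """Return {key: {value_name: data}} from `reg query /s`-style output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current and line.strip():
            parts = re.split(r"\s{2,}", line.strip())  # value name, type, data
            if len(parts) == 3:
                keys[current][parts[0]] = parts[2]
    return keys

def listening_tcp_ports(text):
    return {int(m.group(1)) for m in re.finditer(r"TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", text)}

def find_bagle_indicators(reg_text, netstat_text, windows_files):
    reg, hits = parse_reg(reg_text), []
    if reg.get(RUN_KEY, {}).get("winupd.exe", "").lower().endswith("\\winupd.exe"):
        hits.append("Run value winupd.exe -> %sysdir%\\winupd.exe (persistence)")
    if MARKER_KEY in reg:
        hits.append("HKCU\\winupd infection marker present")
    if BACKDOOR_PORT in listening_tcp_ports(netstat_text):
        hits.append("TCP port 2556 listening (backdoor)")
    hits += [f"updated copy {f}" for f in windows_files if UPDATE_NAME.match(f.rsplit("\\", 1)[-1])]
    return hits
```

Running `find_bagle_indicators(REG_OUTPUT, NETSTAT_OUTPUT, WINDOWS_FILES)` on the constructed input reports all four indicators; a clean host yields an empty list.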

Bagle.N deletes the following entries in the Windows Registry, if they exist:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    9XHtProtect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    9XHtProtect
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Antivirus
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HtProtect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HtProtect
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ICQ Net
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ICQ Net
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ICQNet
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ICQNet
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    My AV
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    My AV
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Special Firewall Service
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Special Firewall Service
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Tiny AV
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Tiny AV
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Zone Labs Client Ex
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Zone Labs Client Ex
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    service
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    service

Means of transmission 

Bagle.N spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

Bagle.N follows the routine below:

  • It reaches the computer in an e-mail message that has the following characteristics:

    Sender:
    Bagle.N spoofs the e-mail address from which it is sent, so the apparent sender is not the infected machine's owner; this may cause confusion.
    In addition, any of the following senders may appear:
    administration@%domain%
    management@%domain%
    noreply@%domain%
    staff@%domain%
    support@%domain%

    where %domain% is the mail domain of the recipient.

    Subject: one of the following:
    Account notify
    E-mail account disabling warning.
    E-mail account security warning.
    Email account utilization warning.
    Email report
    E-mail technical support message.
    E-mail technical support warning.
    E-mail warning
    Encrypted document
    Fax Message Received
    Forum notify
    Hidden message
    Important notify
    Important notify about your e-mail account.
    Incoming message
    Notify about using the e-mail account.
    Notify about your e-mail account utilization.
    Notify from e-mail technical support.
    Protected message
    Re: Document
    Re: Hello
    Re: Hi
    Re: Incoming Fax
    Re: Incoming Message
    Re: Msg reply
    RE: Protected message
    RE: Text message
    Re: Thank you!
    Re: Thanks :)
    Re: Yahoo!
    Request response
    Site changes
    Warning about your e-mail account.


    Message: composed of phrases taken from the following lists:
    List 1: greetings
    Dear user of %domain%,
    Dear user of %domain% gateway e-mail server,
    Dear user of e-mail server "%domain%",
    Hello user of %domain% e-mail server,
    Dear user of "%domain%" mailing system,
    Dear user, the management of %domain% mailing system wants to let you know that
    where %domain% is the mail domain of the recipient.

    List 2: main message
    Your e-mail account has been temporary disabled because of unauthorized access.

    Our main mailing server will be temporary unavaible for next two days,
    to continue receiving mail in these days you have to configure our free
    auto-forwarding service.

    Your e-mail account will be disabled because of improper using in next
    three days, if you are still wishing to use it, please, resign your
    account information.

    We warn you about some attacks on your e-mail account. Your computer may
    contain viruses, in order to keep your computer and e-mail account safe,
    please, follow the instructions.

    Our antivirus software has detected a large ammount of viruses outgoing
    from your email account, you may use our free anti-virus tool to clean up
    your computer software.

    Some of our clients complained about the spam (negative e-mail content)
    outgoing from your e-mail account. Probably, you have been infected by
    a proxy-relay trojan server. In order to keep your computer safe,
    follow the instructions.


    List 3: information on the attachments
    Advanced details can be found in attached file.
    Find the white rabbit.
    Follow the wabbit.
    For details see the attach.
    For details see the attached file.
    For further details see the attach.
    For more information see the attached file.
    Further details can be obtained from attached file.
    Here is the file.
    Message is in attach
    More info in attach
    Pay attention on attached file.
    Please, have a look at the attached file.
    Please, read the attach for further details.
    Read the attach.
    See attach.
    See the attached file for details.
    Your file is attached.

    List 4: information on the password
    This list only appears if the extension of the attachments is ZIP or RAR.
    Password: %password%
    Pass - %password%
    Password - %password%
    For security reasons attached file is password protected. The password is %attached inserted image%
    For security purposes the attached file is password protected. Password -- %attached inserted image%
    Attached file is protected with the password for security reasons. Password is %attached inserted image%
    In order to read the attach you have to use the following password: %attached inserted image%
    Archive password: %attached inserted image%
    Password - %attached inserted image%
    Password: %attached inserted image%
    where %password% is the password needed to decompress the attachments. Sometimes the password is supplied as an image instead, represented above by %attached inserted image%.

    List 5: closing
    The Management,
    Sincerely,
    Best wishes,
    Have a good day,
    Cheers,
    Kind regards,

    Finally, the following text is included:
    The %domain% team                         http://www.%domain%
    where %domain% is the mail domain of the recipient.

    Attachments: the file name is one of ATTACH, DETAILS, DOCUMENT, ENCRYPTED, FIRST_PART, GIFT, INFO, INFORMATION, MESSAGE, MOREINFO, PUB_DOCUMENT, README, TEXT, TEXT_DOCUMENT or TEXTDOCUMENT, with the extension EXE, PIF, ZIP or RAR.
    Sometimes the password used to decompress the attachments is attached to the message as a graphic file with extension BMP, JPG or GIF.
  • The computer is affected when the attached file is run.
  • Bagle.N searches for e-mail addresses in files with the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
  • Bagle.N sends itself to all the addresses it has gathered, using its own SMTP engine.
  • However, it does not send itself to addresses containing any of the following text strings:
    @avp., @foo, @hotmail.com, @iana, @messagelab, @microsoft, @msn, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, feste, free-av, f-secur, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, winrar and winzip.
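The e-mail characteristics above (a generic role account at the recipient's own domain as sender, a subject from a fixed list, an attachment name and extension from fixed lists, and an archive accompanied by an image carrying the password) can be combined into a simple gateway check. The following is an added example, not Panda's code: the `Message` class and the sample addresses are constructed, and only a representative subset of the subject list is included.

```python
from dataclasses import dataclass

# Indicators taken from the Bagle.N e-mail description above.
ROLE_SENDERS = {"administration", "management", "noreply", "staff", "support"}
SUBJECTS = {  # representative subset of the subject list, compared case-insensitively
    "account notify", "e-mail account disabling warning.", "email report",
    "encrypted document", "hidden message", "protected message", "re: document",
    "re: incoming fax", "re: msg reply", "warning about your e-mail account.",
}
ATTACHMENT_NAMES = {"attach", "details", "document", "encrypted", "first_part", "gift",
                    "info", "information", "message", "moreinfo", "pub_document",
                    "readme", "text", "text_document", "textdocument"}
ATTACHMENT_EXTS = {"exe", "pif", "zip", "rar"}
ARCHIVE_EXTS = {"zip", "rar"}
PASSWORD_IMAGE_EXTS = {"bmp", "jpg", "gif"}
@dataclass
class Message:  # constructed stand-in for the parsed headers and attachment names
    sender: str
    recipient: str
    subject: str
    attachments: list
def _split_addr(addr):
    local, _, dom = addr.strip().lower().rpartition("@")
    return local, dom

def bagle_indicators(msg):
    """Return the list of Bagle.N traits found in one message (empty if none)."""
    reasons = []
    local, sender_dom = _split_addr(msg.sender)
    _, recipient_dom = _split_addr(msg.recipient)
    # Spoofed sender: a generic role account at the recipient's own mail domain (%domain%).
    if local in ROLE_SENDERS and sender_dom == recipient_dom:
        reasons.append("role-account sender at recipient's own domain")
    if msg.subject.strip().lower() in SUBJECTS:
        reasons.append("subject from the Bagle.N subject list")
    exts = set()
    for name in msg.attachments:
        base, _, ext = name.lower().rpartition(".")
        exts.add(ext)
        if base in ATTACHMENT_NAMES and ext in ATTACHMENT_EXTS:
            reasons.append(f"attachment {name} matches name/extension list")
    # Password-protected archive plus an image: the password-in-picture variant.
    if exts & ARCHIVE_EXTS and exts & PASSWORD_IMAGE_EXTS:
        reasons.append("archive together with image attachment (password in image)")
    return reasons

# Constructed sample messages (not real captures).
SAMPLE = Message("support@example.com", "alice@example.com",
                 "E-mail account disabling warning.", ["Document.zip", "password.gif"])
BENIGN = Message("bob@partner.org", "alice@example.com", "Lunch?", ["agenda.pdf"])
```

`bagle_indicators(SAMPLE)` returns four reasons while `bagle_indicators(BENIGN)` returns none; the sender check alone would not fire for a role account at a different domain, which is why the traits are reported together rather than as a single yes/no.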

2.- Transmission through P2P programs.

Bagle.N follows the routine below:

  • It creates copies of itself in shared directories whose name contains the text string SHAR, under the following names:
    Microsoft Office 2003 Crack, Working!.exe
    Microsoft OfficeXP working Crack, Keygen.exe
    Microsoft Windows XP, WinXP Crack,working Keygen.exe
    Porno Screensaver.scr
    Porno,sex, oral, anal cool, awesome!!.exe
    Porno pics arhive, xxx.exe
    Serials.txt.exe
    Windown Longhorn Beta Leak.exe
    Windows Sourcecode update.doc.exe
    XXX hardcore images.exe
    Opera 8 New!.exe
    WinAmp5 Pro Keygen Crack Update.exe
    WinAmp 6 New!.exe
    Matrix 3 Revolution English Subtitles.exe
    Adobe Photoshop 9 full.exe
    Ahead Nero7.exe
    ACDSee 9.exe

  • Other users of these programs can remotely access these shared directories and download these files, believing them to be the programs named. What they actually download is a copy of Bagle.N.
  • When the downloaded file is run, that computer also becomes affected by Bagle.N.

Further Details  

Bagle.N is written in Visual C++. This polymorphic virus is 20,650 bytes in size when compressed and 38,570 bytes once decompressed.
