
Virus Encyclopedia


Bagle.Q

 
Threat level: High threat
Damage: Severe
Distribution: Not widespread

Effects

Bagle.Q carries out the following actions:

  • It infects PE files, increasing their size by 26 KBytes.
  • It attempts to connect to several IP addresses, in order to download and run a file on the affected computer.
  • It ends processes belonging to antivirus programs, firewalls and system monitoring tools, among others.

    Infection strategy

    Bagle.Q creates the files DIRECTS.EXE and DIRECTS.EXEOPEN in the Windows system directory. Both files are copies of the worm.

    Bagle.Q creates the following entry in the Windows Registry:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      directs.exe = %sysdir%\directs.exe

      where %sysdir% is the Windows system directory.
      By creating this entry, Bagle.Q ensures that it is run whenever Windows is started.
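A hunt for the two host artifacts described above (the Run value and the dropped copies), added here as an example and not part of the encyclopedia entry. The registry export and the directory listing are constructed, and the parser assumes a `reg export` style text dump.

```python
import re

# Constructed `reg export` style dump of the Run key (not from a real host);
# .reg files double every backslash inside string data.
REG_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"directs.exe"="C:\\WINDOWS\\system32\\directs.exe"
'''

# Constructed directory listing of the Windows system directory.
SYSDIR_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\DIRECTS.EXE",
    r"C:\WINDOWS\system32\directs.exeopen",
]

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILES = {"directs.exe", "directs.exeopen"}   # copies the worm writes
VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')          # "name"="string data"

def parse_reg_export(text):
    """Return {key: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_run_persistence(text):
    """Run values that launch directs.exe, the autostart entry the worm creates."""
    hits = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        exe = data.split("\\")[-1].split(" ")[0].lower()   # basename, args stripped
        if name.lower() == "directs.exe" or exe == "directs.exe":
            hits.append((name, data))
    return hits

def find_dropped_files(listing):
    """Paths whose file name matches one of the worm's copies, case-insensitively."""
    return sorted(p for p in listing if p.rsplit("\\", 1)[-1].lower() in DROPPED_FILES)
```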

    Means of transmission

    Bagle.Q spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

    1.- Transmission via e-mail.

    Bagle.Q follows the routine below:

    • It reaches the computer in an e-mail message that has the following characteristics:

      Sender:
      Bagle.Q spoofs the sender address, so the message appears to come from someone other than the real sender, which can cause confusion.

      Subject: one of the following:
      Account notify
      E-mail account disabling warning.
      E-mail account security warning.
      Email account utilization warning.
      Email report
      E-mail technical support message.
      E-mail technical support warning.
      E-mail warning
      Encrypted document
      Fax Message Received
      Forum notify
      Hidden message
      Important notify
      Important notify about your e-mail account.
      Incoming message
      Notify about using the e-mail account.
      Notify about your e-mail account utilization.
      Notify from e-mail technical support.
      Protected message
      Re: Document
      Re: Hello
      Re: Hi
      Re: Incoming Fax
      Re: Incoming Message
      Re: Msg reply
      RE: Protected message
      RE: Text message
      Re: Thank you!
      Re: Thanks :)
      Re: Yahoo!
      Request response
      Site changes
      Warning about your e-mail account.

      Message:
      The message sent by Bagle.Q contains HTML code that exploits a vulnerability in Internet Explorer which allows arbitrary programs to be run on the affected computer. Microsoft's website has further information about this vulnerability.

      Attachments: it does not contain any attachments
    • When the message is viewed, Bagle.Q downloads a file to the computer.
    • Bagle.Q searches for e-mail addresses in files that have the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
    • It sends itself out to all the addresses it has gathered using its own SMTP engine.
    • Bagle.Q makes MX queries in order to obtain the IP addresses of the domains where it attempts to send itself via e-mail.
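A mail triage check for the lure described above, added here as an example and not part of the encyclopedia entry. The subject list is the one given above; the sample message is constructed, and the check flags only the combination of traits the entry describes (a known subject plus an HTML body with no attachment), since either alone is common in legitimate mail.

```python
import email
from email import policy

# Subject lines the entry attributes to Bagle.Q, compared case-insensitively.
BAGLE_Q_SUBJECTS = {s.lower() for s in [
    "Account notify", "E-mail account disabling warning.",
    "E-mail account security warning.", "Email account utilization warning.",
    "Email report", "E-mail technical support message.",
    "E-mail technical support warning.", "E-mail warning", "Encrypted document",
    "Fax Message Received", "Forum notify", "Hidden message", "Important notify",
    "Important notify about your e-mail account.", "Incoming message",
    "Notify about using the e-mail account.",
    "Notify about your e-mail account utilization.",
    "Notify from e-mail technical support.", "Protected message", "Re: Document",
    "Re: Hello", "Re: Hi", "Re: Incoming Fax", "Re: Incoming Message",
    "Re: Msg reply", "RE: Protected message", "RE: Text message", "Re: Thank you!",
    "Re: Thanks :)", "Re: Yahoo!", "Request response", "Site changes",
    "Warning about your e-mail account.",
]}

def triage_message(raw: str) -> dict:
    """Score one RFC 822 message: known lure subject + HTML body without attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    html_body, attachments = False, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            attachments += 1
        elif part.get_content_type() == "text/html":
            html_body = True
    reasons = []
    if subject.lower() in BAGLE_Q_SUBJECTS:
        reasons.append("subject matches a Bagle.Q lure")
    if html_body and attachments == 0:
        reasons.append("HTML body with no attachment")
    # Only the combination is flagged; each trait alone is common in normal mail.
    return {"subject": subject, "reasons": reasons, "flag": len(reasons) == 2}

# Constructed sample message resembling the lure (not a capture of the real worm).
LURE = """\
From: support@example.com
Subject: Re: Incoming Fax
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your fax is ready.</p></body></html>
"""
```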

    2.- Transmission through P2P file sharing programs.

    Bagle.Q follows the routine below:

    • It creates copies of itself in directories with a name that contains the text string shar. It uses the following file names:
      ACDSee 9.exe
      Adobe Photoshop 9 Full.exe
      Ahead Nero7.exe
      Matrix 3 Revolution English Subtitles.exe
      Microsoft Office 2003 Crack, Working!.exe
      Microsoft OfficeXP working Crack, Keygen.exe
      Microsoft Windows XP, WinXP Crack,working Keygen.exe
      Opera 8 New!.exe
      Porno pics arhive, xxx.exe
      Porno Screensaver.scr
      Porno,sex, oral, analcool, awesome!!.exe
      Serials.txt.exe
      WinAmp 6 New!.exe
      WinAmp5 Pro Keygen Crack Update.exe
      Windown Longhorn Beta Leak.exe
      Windows Sourcecode update.doc.exe
      XXX hardcore images.exe
    • Other users of these programs can remotely access these shared directories and download these files, believing them to be the programs named. What they actually download is a copy of Bagle.Q.
    • When the downloaded file is run, their computers become affected by Bagle.Q.

    Further Details

    Bagle.Q is written in the programming language Visual C++. This virus is 25,600 bytes in size and is compressed with UPX.