
Virus Encyclopedia

Bagle.AA

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Bagle.AA carries out the following actions:

  • It attempts to connect, through TCP port 2535, to several websites that host a PHP script. By doing so, Bagle.AA notifies its author that the computer has been infected. The URLs are:

    http://250x.com/5.php
    http://2udar.ligakvn.de/5.php
    http://3treepoint.com/5.php
    http://abakan.strana.de/5.php
    http://andimeisslein.de/5.php
    http://ditec.um.es/5.php
    http://fotos.schneider.bards.de/5.php
    http://hardvision.ru/5.php
    http://jakimov.golos.de/5.php
    http://markusgimenez.de/5.php
    http://s318.evanzo-server.de/5.php
    http://Spaceclub.de/5.php
    http://tobimayer.de/5.php
    http://vg.xtonne.de/5.php
    http://villakinderbunt.de/5.php
    http://virtualzone.de/5.php
    http://www.ac-schnitzer.de/5.php
    http://www.auma.de/5.php
    http://www.autoscout24.de/5.php
    http://www.avh.de/5.php
    http://www.beckers-systems.de/5.php
    http://www.berlinale.de/5.php
    http://www.blauer-engel.de/5.php
    http://www.bmbf.de/5.php
    http://www.bruecke-osteuropa.de/5.php
    http://www.bundesregierung.de/5.php
    http://www.chugai.de/5.php
    http://www.cicv.fr/5.php
    http://www.dalnoboyshik.de/5.php
    http://www.de-bug.de/5.php
    http://www.degruyter.de/5.php
    http://www.deutsch-als-fremdsprache.de/5.php
    http://www.deutsches-museum.de/5.php
    http://www.deutschland.de/5.php
    http://www.dfg.de/5.php
    http://www.documenta.de/5.php
    http://www.dwd.de/5.php
    http://www.embl-heidelberg.de/5.php
    http://www.emis.de/5.php
    http://www.eumetsat.de/5.php
    http://www.exactaudiocopy.de/5.php
    http://www.fernuni-hagen.de/5.php
    http://www.fiz-karlsruhe.de/5.php
    http://www.fracht-24.de/5.php
    http://www.fu-berlin.de/5.php
    http://www.gdch.de/5.php
    http://www.go-amman.de/5.php
    http://www.goethe.de/5.php
    http://www.gospel-nations.de/5.php
    http://www.gsi.de/5.php
    http://www.hamann-motorsport.de/5.php
    http://www.hamburg.de/5.php
    http://www.heise.de/5.php
    http://www.hotel-pension-spree.de/5.php
    http://www.ifdesign.de/5.php
    http://www.insel-ruegen-hotel.de/5.php
    http://www.intermatgmbh.de/5.php
    http://www.jura.uni-sb.de/5.php
    http://www.kliniken.de/5.php
    http://www.leipziger-messe.de/5.php
    http://www.loveparade.de/5.php
    http://www.low-spirit.de/5.php
    http://www.mdz-moskau.de/5.php
    http://www.mitsubishi-evs.de/5.php
    http://www.mitsumi.de/5.php
    http://www.mk-motorsport.de/5.php
    http://www.mobile.de/5.php
    http://www.nabu.de/5.php
    http://www.neformal.de/5.php
    http://www.neznakomez.de/5.php
    http://www.paromi.de/5.php
    http://www.partner-inform.de/5.php
    http://www.php-resource.de/5.php
    http://www.pri-wo-hamburg.de/5.php
    http://www.red-dot.de/5.php
    http://www.restarted-alliance.de/5.php
    http://www.ruletka.de/5.php
    http://www.russische-botschaft.de/5.php
    http://www.siegenia-aubi.com/5.php
    http://www.spiegel.de/5.php
    http://www.sprach-zertifikat.de/5.php
    http://www.teac.de/5.php
    http://www.tecchannel.de/5.php
    http://www.tekeli.de/5.php
    http://www.tib.uni-hannover.de/5.php
    http://www.turism.de/5.php
    http://www.uni-oldenburg.de/5.php
    http://www.uni-stuttgart.de/5.php
    http://www.welt.de/5.php
    http://www.windac.de/5.php
    http://www.winfuture.de/5.php
    http://www.www.mirko-becker.gmxhome.de/5.php

  • It ends the following processes, if they are active:

    AGENTSVR.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE, APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATGUARD.EXE, ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVCONSOL.EXE, AVGSERV9.EXE, AVLTMAIN.EXE, AVprotect9x.exe, AVPUPD.EXE, AVSYNMGR.EXE, AVWUPD32.EXE, AVXQUAR.EXE, BD_PROFESSIONAL.EXE, BIDEF.EXE, BIDSERVER.EXE, BIPCP.EXE, BIPCPEVALSETUP.EXE, BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BOOTWARN.EXE, BORG2.EXE, BS120.EXE, CDP.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER3.EXE, CLEANPC.EXE, CMGRDIAN.EXE, CMON016.EXE, CPD.EXE, CPF9X206.EXE, CPFNT206.EXE, CV.EXE, CWNB181.EXE, CWNTDWMO.EXE, DEFWATCH.EXE, DEPUTY.EXE, DPF.EXE, DPFSETUP.EXE, DRWATSON.EXE, DRWEBUPW.EXE, ENT.EXE, ESCANH95.EXE, ESCANHNT.EXE, ESCANV95.EXE, EXANTIVIRUS-CNET.EXE, FAST.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE, FP-WIN_TRIAL.EXE, FRW.EXE, FSAV.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE, FSAV95.EXE, GBMENU.EXE, GBPOLL.EXE, GUARD.EXE, GUARDDOG.EXE, HACKTRACERSETUP.EXE, HTLOG.EXE, HWPE.EXE, IAMAPP.EXE, IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFW2000.EXE, IPARMOR.EXE, IRIS.EXE, JAMMER.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE, KERIO-PF-213-EN-WIN.EXE, KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE, KILLPROCESSSETUP161.EXE, LDPRO.EXE, LOCALNET.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LSETUP.EXE, LUALL.EXE, LUCOMSERVER.EXE, LUINIT.EXE, MCAGENT.EXE, MCUPDATE.EXE, MFW2EN.EXE, MFWENG3.02D30.EXE, MGUI.EXE, MINILOG.EXE, MOOLIVE.EXE, MRFLUX.EXE, MSCONFIG.EXE, MSINFO32.EXE, MSSMMC32.EXE, MU0311AD.EXE, NAV80TRY.EXE, NAVAPW32.EXE, NAVDX.EXE, NAVSTUB.EXE, NAVW32.EXE, NC2000.EXE, NCINST4.EXE, NDD32.EXE, NEOMONITOR.EXE, NETARMOR.EXE, NETINFO.EXE, NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE, NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NSCHED32.EXE, 
NTVDM.EXE, NUPGRADE.EXE, NVARCH16.EXE, NWINST4.EXE, NWTOOL16.EXE, OSTRONET.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE, PADMIN.EXE, PANIXK.EXE, PAVPROXY.EXE, PCC2002S902.EXE, PCC2K_76_1436.EXE, PCCIOMON.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCIP10117_0.EXE, PDSETUP.EXE, PERISCOPE.EXE, PERSFW.EXE, PF2.EXE, PFWADMIN.EXE, PINGSCAN.EXE, PLATIN.EXE, POPROXY.EXE, POPSCAN.EXE, PORTDETECTIVE.EXE, PPINUPDT.EXE, PPTBC.EXE, PPVSTOP.EXE, PROCEXPLORERV1.0.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE, PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAV8WIN32ENG.EXE, REGEDIT.EXE, REGEDT32.EXE, RESCUE.EXE, RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE, RTVSCN95.EXE, RULAUNCH.EXE, SAFEWEB.EXE, SBSERV.EXE, SD.EXE, SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE, SH.EXE, SHELLSPYINSTALL.EXE, SHN.EXE, SMC.EXE, SOFI.EXE, SPF.EXE, SPHINX.EXE, SPYXX.EXE, SS3EDIT.EXE, ST2.EXE, SUPFTRL.EXE, SUPPORTER5.EXE, SYMPROXYSVC.EXE, SYSEDIT.EXE, TASKMON.EXE, TAUMON.EXE, TAUSCAN.EXE, TC.EXE, TCA.EXE, TCM.EXE, TDS2-98.EXE, TDS2-NT.EXE, TDS-3.EXE, TFAK5.EXE, TGBOB.EXE, TITANIN.EXE, TITANINXP.EXE, TRACERT.EXE, TRJSCAN.EXE, TRJSETUP.EXE, TROJANTRAP3.EXE, UNDOBOOT.EXE, UPDATE.EXE, VBCMSERV.EXE, VBCONS.EXE, VBUST.EXE, VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VFSETUP.EXE, VIRUSMDPERSONALFIREWALL.EXE, VNLAN300.EXE, VNPC3000.EXE, VPC42.EXE, VPFW30S.EXE, VPTRAY.EXE, VSCENU6.02D30.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, VSWIN9XE.EXE, VSWINNTSE.EXE, VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE, WATCHDOG.EXE, WEBSCANX.EXE, WGFE95.EXE, WHOSWATCHINGME.EXE, WINRECON.EXE, WNT.EXE, WRADMIN.EXE, WRCTRL.EXE, WSBGATE.EXE, WYVERNWORKSFIREWALL.EXE, XPF202EN.EXE, ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZAUINST.EXE, ZONALM2601.EXE and ZONEALARM.EXE.

    These processes belong to antivirus programs and firewalls, among other security applications, as well as to several worms.
  • It displays the following fake error message on screen:
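
The check-in traffic described in the first bullet above is simple to spot at a proxy or egress firewall: every listed URL has the path /5.php and is requested on TCP port 2535. The following script is an added example, not code from the original page or from Panda Security. Its log line format, the IP addresses and the sample lines are constructed for the example, and it carries only a few of the hosts from the list above; the generic rule (the /5.php path on port 2535) catches check-ins to hosts that are not on the list.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A few of the check-in hosts from the list above (the full list is on this page).
KNOWN_CHECKIN_HOSTS = {"250x.com", "hardvision.ru", "www.heise.de", "www.spiegel.de", "www.welt.de"}
CHECKIN_PORT = 2535
CHECKIN_PATH = "/5.php"

# Constructed log format for this example (not any vendor's real format):
#   <timestamp> <src_ip> <dst_ip>:<dst_port> <method> <url>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Reason a parsed line looks like a Bagle.AA check-in, or None."""
    url = urlsplit(rec["url"])
    host, path = (url.hostname or "").lower(), url.path
    if host in KNOWN_CHECKIN_HOSTS and path == CHECKIN_PATH:
        return "known Bagle.AA check-in URL"
    # Generic rule: the same script path requested over the unusual port, whatever the host.
    if int(rec["port"]) == CHECKIN_PORT and path == CHECKIN_PATH:
        return "/5.php fetched over port 2535"
    return None


def find_infected_hosts(lines):
    """Map each internal source IP to the set of reasons its traffic was flagged."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits[rec["src"]].add(reason)
    return dict(hits)


# Constructed sample; the external addresses are from a documentation range, not real infrastructure.
SAMPLE_LOG = [
    "2004-04-28T10:02:11 10.0.0.12 198.51.100.7:2535 GET http://250x.com/5.php",
    "2004-04-28T10:02:12 10.0.0.12 198.51.100.8:2535 GET http://hardvision.ru/5.php",
    "2004-04-28T10:02:13 10.0.0.12 198.51.100.9:2535 GET http://unlisted.example/5.php",
    "2004-04-28T10:03:40 10.0.0.20 198.51.100.10:80 GET http://www.heise.de/",
    "2004-04-28T10:04:01 10.0.0.31 198.51.100.11:80 GET http://www.heise.de/5.php",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, reasons in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(src, ", ".join(sorted(reasons)))
```

Most of the listed hosts are legitimate German websites that were presumably compromised to host the script, so a plain block on those domains would break normal browsing; the port-plus-path rule is the one that should drive blocking, and the host list is better used to confirm a hit.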

Infection strategy 

Bagle.AA creates the following files in the Windows system directory:

  • DRVSYS.EXE and DRVSYS.EXEOPEN, which are copies of the worm.
  • DRVSYS.EXEOPENOPEN. This HTML file runs a copy of the worm in the affected computer.

Bagle.AA creates the following entry in the Windows Registry:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    drvsys.exe = %sysdir%\drvsys.exe
    where %sysdir% is the Windows system directory.
    By creating this entry, Bagle.AA ensures that it is run whenever Windows is started.
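
An offline check for the persistence entry and the dropped files described above, added here as an example (it is not code from the original page or from Panda Security). It parses the text printed by `reg query` for the Run key and a plain listing of the system directory, both constructed here for the example; the key path, value name and file names are the ones given above, and the program_of helper is a best-effort parse of a Run value's command line that is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "drvsys.exe"
# The three files dropped into the system directory, compared case-insensitively.
WORM_FILES = {"drvsys.exe", "drvsys.exeopen", "drvsys.exeopenopen"}

# One value line of `reg query` output: <name>, <type> and <data> separated by runs of spaces.
VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Parse the text printed by `reg query <key>` into {value_name: data}."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m["name"]] = m["data"].strip()
    return values


def program_of(command_line):
    """Best-effort basename of the program a Run value launches (quoted or unquoted path)."""
    s = command_line.strip()
    if s.startswith('"'):
        s = s[1:s.find('"', 1)]
    else:
        s = s.split(" ")[0]  # unquoted: arguments, if any, follow the first space
    return PureWindowsPath(s).name.lower()


def flagged_run_values(values):
    """Run values whose name or launched program matches the worm's persistence entry."""
    return sorted(name for name, data in values.items()
                  if name.lower() == WORM_VALUE_NAME or program_of(data) in WORM_FILES)


def flagged_files(listing):
    """Entries of a system-directory listing that match the worm's dropped files."""
    return sorted(f for f in listing if f.lower() in WORM_FILES)


def triage(reg_query_output, sysdir_listing):
    return {"run_values": flagged_run_values(parse_reg_query(reg_query_output)),
            "files": flagged_files(sysdir_listing)}


# Constructed sample output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE_REG_QUERY = "\n".join([
    "",
    RUN_KEY,
    r"    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe",
    r"    drvsys.exe    REG_SZ    C:\WINDOWS\system32\drvsys.exe",
    "",
])
# Constructed directory listing of the system directory (names as the file system shows them).
SAMPLE_SYSDIR_LISTING = ["ctfmon.exe", "DRVSYS.EXE", "DRVSYS.EXEOPEN", "DRVSYS.EXEOPENOPEN", "kernel32.dll"]

if __name__ == "__main__":
    print(triage(SAMPLE_REG_QUERY, SAMPLE_SYSDIR_LISTING))
```

The value is checked both by name and by the program it launches, so a variant that keeps the file name but renames the registry value, or the reverse, is still caught. Because the worm kills REGEDIT.EXE, REGEDT32.EXE and MSCONFIG.EXE on an infected host (see the process list above), collect the `reg query` output and the listing from a command prompt, or from a clean boot, rather than from those tools.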

Means of transmission 

Bagle.AA spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

Bagle.AA follows the routine below:

  • It reaches the computer in an e-mail message with variable characteristics. The message follows one of the two formats below:

    Format 1:

    Sender:
    Bagle.AA spoofs the address from which it is sent, so the message appears to come from someone other than the user of the infected computer.

    Subject: one of the following:
    Encrypted document
    Fax Message Received
    Forum notify
    Hidden message
    Incoming message
    Protected message
    Re: Document
    Re: Hello
    Re: Hi
    Re: Incoming Fax
    Re: Incoming Message
    Re: Msg reply
    RE: Protected message
    RE: Text message
    Re: Thank you!
    Re: Thanks :)
    Re: Yahoo!
    Request response
    Site changes


    Message: it can be blank, or one of the following:
    Attached file tells everything.
    Attached file will tell you everything.
    For details see the attach.
    For more information see the attached file.
    Further details are in attach.
    Here is the file.
    Message is in attach
    More info is in attach
    Please, have a look at the attached file.
    Read the attach.
    See attach.
    See the attached file for details.
    Your file is attached.


    In addition, if the attached file has a ZIP extension, it is protected with a password, and the message includes one of the following texts:
    Archive password: %key%
    Attached file is protected with the password for security reasons. Password is %key%
    For security purposes the attached file is password protected. Password -- %key%
    For security reasons attached file is password protected. The password is %key%
    In order to read the attach you have to use the following password: %key%
    Note: Use password %key% to open archive.
    Password - %key%
    Password: %key%
    where %key% stands for an image file with a BMP extension embedded in the message. This image contains the password needed to decompress the attached file. Because the password is delivered as an image rather than as text, a mail filter cannot read it and open the archive to scan its contents.
    For example, this image could be the following one:


    Attachments: it has a variable name and extension:
    Possible names: DETAILS, DOCUMENT, INFO, INFORMATION, MESSAGE, MOREINFO, README.
    Possible extensions: COM, CPL, EXE, HTA, SCR, VBS, ZIP.

    If the attached file has a ZIP extension, then besides a copy of the worm with a random name it also contains another file with a random name and one of the following extensions: BAT, DLL, DOC, TXT, VXD. This second file is filled with random characters.


    Format 2:
    Sender:
    Bagle.AA spoofs the address from which it is sent. To do so, it takes an e-mail address collected from the affected computer and replaces its local part (the text before the @ character) with one of the following names: ann, annie, christina, christy, jessie, lizie, secretGurl.
    Example: if the address is user@email.com, the spoofed address could be ann@email.com, annie@email.com, etc.

    Subject: one of the following:
    Hello!
    Hey!
    I just need a friend
    I like you
    I'm a sad girl...
    I'm bored with this life
    Let's socialize, my friend!
    Let's talk, my friend!
    Notify from a known person ;-)


    Message: it consists of five parts:
    (1) Greetings: one of the following:
    %recipient%,
    Dear %recipient%,
    Hello %recipient%,
    Hello,
    Hey %recipient%,
    Hey,
    Hi
    Hi %recipient%,
    Hi,
    It's me ;-)
    It's me ->

    where %recipient% is the local part of the recipient's e-mail address, that is, the text that precedes the @ character.

    (2) Image: includes a picture in a file with a JPEG format and one of the following names: IMAGE12, ME2, ME3, MYPHOTO4, MYPHOTO7, PHOTO. Some of these images are:



    (3) Message: one of the following:
    Cometime I write a poem, play the gitar. I love a traveling, I like a romantice and I want to meet, comeday, my big love!

    Don't you remember me?

    I am a beautiful, sexual girl with very big ambitions and dreams. I can make happy anyone man...

    I am a honest, kind,loving,with good sense of humor...etc.,looking for true love... or maybe for pen friend.I like cats.

    I am a student. I'm studying international relationships. I would like to find an interesting and active man for serious relations. Sitting at home it is not for me. I like to go out to the theater, cinema, and nightclubs.

    i am honest, responsible, romantic person. iwould like to find my only love,to find my destiny.

    I am kind, fair, careful, gentle also want to create family. I love animal (cats, dogs), the literature, theatre, cinema, music, walks in park .

    I am looking for a serious relationship. I am NOT interested in flirt and short-term love adventure.

    I am simple girl who are looking for serious relation with responsible and confident man. I am ready to give all my love and carering for a right person who is going to love and respect me

    I have recently got demobilize from army and also I am going to act in a higher educational institution

    I just want to talk with someone...

    I like an active life... and interesting people...

    I like reading the books and socializing, let me talk with you...

    I like to feel protected, to understand, that near to me the man, which both in sex, and in life knows what to do. It is possible to fall in love with such the man for ever.

    I Like You!

    I love productive leisure, to travel, communicate with friends.

    I love, as the good company, and I dream about romantic appointment at candles with loved. I still believe in love.

    I need a friend...

    I study at school, I like to spend time cheerfully even if not all so well, I hompe and trust, that all bad when nibud will pass and necessarily nastanet there would be a desire.

    I very much love new acquaintances, I love music, meetings with friends. I go on night clubs, except for parties I sometimes visit theatres and I love cinema. In general I only shall be glad to new acquaintance and class dialogue...

    I very much love productive leisure, to prepare for new exotic dishes, at leisure to leave with friends on the nature, to float, I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going.

    I'm a young lady of 20 years old i'd like to find my second part!!!

    I'm so bored, let me talk with you...

    It's time to find a friend!

    Kewl :-)

    Like me, odore me! ;-)

    Ready to accept a new friend? :-)

    Searching for the right person,for real man, who will really cares and love me.

    You are cool :-)

    You are my prince :-)


    (4) Reference to the attached file: one of the following:
    Attached file tells everything.
    Attached file will tell you everything.
    For details see the attach.
    For more information see the attached file.
    Further details are in attach.


    (5) Close: one of the following:
    Best wishes,%sender%
    Cheers,%sender%
    Have a good day, %sender%
    Kind regards, %sender%
    Sincerely, %sender%
    Yours, %sender%
    where %sender% is the local part of the spoofed sender address, that is, one of the names listed above (ann, annie, etc.).

    Attachments: it has a variable name and extension:
    Possible names: DETAILS, DOCUMENT, INFO, INFORMATION, MESSAGE, MOREINFO, README.
    Possible extensions: COM, CPL, EXE, HTA, SCR, VBS, ZIP.
    The icon of this file contains three cherries.

  • The computer will be affected once the attached file is run.
  • Bagle.AA searches for e-mail addresses in files with the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
    The worm searches these files on all local drives, except floppy disk drives, CD-ROM drives and other removable media.
  • Bagle.AA sends itself out to all the addresses it has gathered, using its own SMTP engine.
  • However, Bagle.AA will not send itself to addresses containing any of the following text strings. Most of them belong to antivirus vendors, software companies or administrative mailboxes (abuse, postmaster, support), so those mailboxes do not receive samples from this worm:
    @avp., @foo, @hotmail, @iana, @messagelab, @microsoft, @msn, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, feste, free-av, f-secur, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, news, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, update, winrar and winzip.
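
Gateway-side triage for the two message formats described above, as an added example that is not code from the original page or from Panda Security. It uses Python's standard email and zipfile modules to flag the indicators the description gives: executable attachment extensions and lure file names, a ZIP entry whose encryption flag is set (the archive cannot be scanned without the password), a BMP image in a message that mentions a password, and a sender local part from the Format 2 spoofing list. The sample messages are constructed for the example; build_stored_zip only sets the ZIP encryption flag bit on a stored entry so that the detector has something to find, it does not actually encrypt anything.

```python
import email
import io
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions, lure names and spoofed sender local parts as listed above.
DANGEROUS_EXT = {"com", "cpl", "exe", "hta", "scr", "vbs"}
LURE_NAMES = {"details", "document", "info", "information", "message", "moreinfo", "readme"}
SPOOFED_LOCAL_PARTS = {"ann", "annie", "christina", "christy", "jessie", "lizie", "secretgurl"}
PASSWORD_RE = re.compile(r"\bpassword\b", re.IGNORECASE)


def split_name(filename):
    """('details', 'zip') for 'DETAILS.ZIP'; ('noext', '') when there is no extension."""
    stem, _, ext = filename.lower().rpartition(".")
    return (stem, ext) if stem else (ext, "")


def inspect_zip(filename, blob):
    """Flag encrypted entries and executables inside a ZIP using only its central directory."""
    try:
        entries = zipfile.ZipFile(io.BytesIO(blob)).infolist()
    except zipfile.BadZipFile:
        return [f"corrupt or non-ZIP attachment: {filename}"]
    out = []
    for info in entries:
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
            out.append(f"encrypted entry {info.filename} in {filename}")
        if split_name(info.filename)[1] in DANGEROUS_EXT:
            out.append(f"executable {info.filename} inside {filename}")
    return out


def triage_message(raw):
    """Return the reasons a raw RFC 822 message matches the Bagle.AA mailing pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, body_text, has_bmp = [], "", False
    addr = parseaddr(msg.get("From", ""))[1]
    if addr.split("@")[0].lower() in SPOOFED_LOCAL_PARTS:
        findings.append(f"sender local part matches spoofing list: {addr}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            if part.get_content_type() == "text/plain":
                body_text += part.get_content()
            continue
        stem, ext = split_name(filename)
        if ext == "bmp" or part.get_content_type() == "image/bmp":
            has_bmp = True
        if ext in DANGEROUS_EXT:
            findings.append(f"executable attachment: {filename}")
        if ext == "zip":
            findings += inspect_zip(filename, part.get_payload(decode=True))
        if stem in LURE_NAMES and (ext in DANGEROUS_EXT or ext == "zip"):
            findings.append(f"lure attachment name: {filename}")
    if has_bmp and PASSWORD_RE.search(body_text):
        findings.append("archive password delivered as a BMP image, unreadable to text filters")
    return findings


def build_stored_zip(name, data, encrypted):
    """Minimal STORED ZIP built by hand; 'encrypted' only sets the flag bit (no real encryption)."""
    flags, crc, fname = (0x0001 if encrypted else 0), zlib.crc32(data) & 0xFFFFFFFF, name.encode()
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0x21,
                        crc, len(data), len(data), len(fname), 0) + fname + data
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 0x21,
                          crc, len(data), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_sample_message(encrypted_zip=True):
    """Constructed Format 1 message (not a captured sample)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "ann@example.com", "user@example.com", "Re: Incoming Fax"
    msg.set_content("For details see the attach.\nArchive password: ")
    msg.add_attachment(b"BM" + b"\x00" * 60, maintype="image", subtype="bmp", filename="key.bmp")
    msg.add_attachment(build_stored_zip("message.exe", b"MZ not a real program", encrypted_zip),
                       maintype="application", subtype="zip", filename="DETAILS.ZIP")
    return msg.as_bytes()


def build_benign_message():
    """Constructed clean message with an ordinary, unencrypted ZIP."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "user@example.com", "Minutes"
    msg.set_content("Minutes attached.")
    msg.add_attachment(build_stored_zip("minutes.txt", b"nothing to see", False),
                       maintype="application", subtype="zip", filename="minutes.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in triage_message(build_sample_message()):
        print(reason)
```

The encryption check reads only the central directory, so it works on archives the gateway cannot open; an encrypted archive arriving together with an image-only password is the combination to quarantine even though the executable inside cannot be scanned. Sender checks based on the local-part list are weak on their own (ann@ and info@ are ordinary addresses), which is why the example only reports them alongside the attachment findings.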

 

2.- Transmission through file sharing programs.

Bagle.AA carries out the following routine:

  • It creates copies of itself in directories with a name that contains the text string shar. It uses the following file names:
    ACDSee 9.exe
    Adobe Photoshop 9 full.exe
    Ahead Nero 7.exe
    Kaspersky Antivirus 5.0
    KAV 5.0
    Matrix 3 Revolution English Subtitles.exe
    Microsoft Office 2003 Crack, Working!.exe
    Microsoft Office XP working Crack, Keygen.exe
    Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Opera 8 New!.exe
    Porno pics arhive, xxx.exe
    Porno Screensaver.scr
    Porno, sex, oral, anal cool, awesome!!.exe
    Serials.txt.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    WinAmp 6 New!.exe
    Windown Longhorn Beta Leak.exe
    Windows Sourcecode update.doc.exe
    XXX hardcore images.exe
  • By doing this, it attempts to copy itself to the shared directories of P2P file sharing programs.
  • Other users of these programs can access the shared directories and download the files to their computers, believing them to be useful programs, movies, pictures, etc. What they actually download is a copy of the worm.
  • When the downloaded file is run, their computers are infected by Bagle.AA.

Further Details  

Bagle.AA is written in Visual C. The worm file is 39,099 bytes in size and is compressed with UPX.
