Effects
Bagle.AH affects Windows XP/2000/NT computers only, and carries out the following actions:
It opens a TCP port and listens on it, waiting for a remote connection. This gives an attacker remote access to the affected computer, in order to carry out actions that compromise the user's confidentiality or impede the tasks being performed.
It terminates processes belonging to other malware, as well as to antivirus programs and firewalls, among others:
AGENTSVR.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE, APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATGUARD.EXE, ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVCONSOL.EXE, AVGSERV9.EXE, AVLTMAIN.EXE, AVprotect9x.exe, AVPUPD.EXE, AVSYNMGR.EXE, AVWUPD32.EXE, AVXQUAR.EXE, BD_PROFESSIONAL.EXE, BIDEF.EXE, BIDSERVER.EXE, BIPCP.EXE, BIPCPEVALSETUP.EXE, BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BOOTWARN.EXE, BORG2.EXE, BS120.EXE, CDP.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER3.EXE, CLEANPC.EXE, CMGRDIAN.EXE, CMON016.EXE, CPD.EXE, CPF9X206.EXE, CPFNT206.EXE, CV.EXE, CWNB181.EXE, CWNTDWMO.EXE, DEFWATCH.EXE, DEPUTY.EXE, DPF.EXE, DPFSETUP.EXE, DRWATSON.EXE, DRWEBUPW.EXE, ENT.EXE, ESCANH95.EXE, ESCANHNT.EXE, ESCANV95.EXE, EXANTIVIRUS-CNET.EXE, FAST.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE, FP-WIN_TRIAL.EXE, FRW.EXE, FSAV.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE, FSAV95.EXE, GBMENU.EXE, GBPOLL.EXE, GUARD.EXE, GUARDDOG.EXE, HACKTRACERSETUP.EXE, HTLOG.EXE, HWPE.EXE, IAMAPP.EXE, IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFW2000.EXE, IPARMOR.EXE, IRIS.EXE, JAMMER.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE, KERIO-PF-213-EN-WIN.EXE, KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE, KILLPROCESSSETUP161.EXE, LDPRO.EXE, LOCALNET.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LSETUP.EXE, LUALL.EXE, LUCOMSERVER.EXE, LUINIT.EXE, MCAGENT.EXE, MCUPDATE.EXE, MFW2EN.EXE, MFWENG3.02D30.EXE, MGUI.EXE, MINILOG.EXE, MOOLIVE.EXE, MRFLUX.EXE, MSCONFIG.EXE, MSINFO32.EXE, MSSMMC32.EXE, MU0311AD.EXE, NAV80TRY.EXE, NAVAPW32.EXE, NAVDX.EXE, NAVSTUB.EXE, NAVW32.EXE, NC2000.EXE, NCINST4.EXE, NDD32.EXE, NEOMONITOR.EXE, NETARMOR.EXE, NETINFO.EXE, NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE, NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NSCHED32.EXE, 
NTVDM.EXE, NUPGRADE.EXE, NVARCH16.EXE, NWINST4.EXE, NWTOOL16.EXE, OSTRONET.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE, PADMIN.EXE, PANIXK.EXE, PAVPROXY.EXE, PCC2002S902.EXE, PCC2K_76_1436.EXE, PCCIOMON.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCFWALLICON.EXE, PCIP10117_0.EXE, PDSETUP.EXE, PERISCOPE.EXE, PERSFW.EXE, PF2.EXE, PFWADMIN.EXE, PINGSCAN.EXE, PLATIN.EXE, POPROXY.EXE, POPSCAN.EXE, PORTDETECTIVE.EXE, PPINUPDT.EXE, PPTBC.EXE, PPVSTOP.EXE, PROCEXPLORERV1.0.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE, PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAV8WIN32ENG.EXE, REGEDIT.EXE, REGEDT32.EXE, RESCUE.EXE, RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE, RTVSCN95.EXE, RULAUNCH.EXE, SAFEWEB.EXE, SBSERV.EXE, SD.EXE, SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE, SH.EXE, SHELLSPYINSTALL.EXE, SHN.EXE, SMC.EXE, SOFI.EXE, SPF.EXE, SPHINX.EXE, SPYXX.EXE, SS3EDIT.EXE, ST2.EXE, SUPFTRL.EXE, SUPPORTER5.EXE, SYMPROXYSVC.EXE, SYSEDIT.EXE, TASKMON.EXE, TAUMON.EXE, TAUSCAN.EXE, TC.EXE, TCA.EXE, TCM.EXE, TDS2-98.EXE, TDS2-NT.EXE, TDS-3.EXE, TFAK5.EXE, TGBOB.EXE, TITANIN.EXE, TITANINXP.EXE, TRACERT.EXE, TRJSCAN.EXE, TRJSETUP.EXE, TROJANTRAP3.EXE, UNDOBOOT.EXE, UPDATE.EXE, VBCMSERV.EXE, VBCONS.EXE, VBUST.EXE, VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VFSETUP.EXE, VIRUSMDPERSONALFIREWALL.EXE, VNLAN300.EXE, VNPC3000.EXE, VPC42.EXE, VPFW30S.EXE, VPTRAY.EXE, VSCENU6.02D30.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, VSWIN9XE.EXE, VSWINNTSE.EXE, VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE, WATCHDOG.EXE, WEBSCANX.EXE, WGFE95.EXE, WHOSWATCHINGME.EXE, WINRECON.EXE, WNT.EXE, WRADMIN.EXE, WRCTRL.EXE, WSBGATE.EXE, WYVERNWORKSFIREWALL.EXE, XPF202EN.EXE, ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZAUINST.EXE, ZONALM2601.EXE and
ZONEALARM.EXE.
By terminating the processes of security tools, Bagle.AH leaves the affected computer vulnerable to attack by other malware.
It connects to the following web pages, each pointing to a PHP script named o.php:
http://abtacha.wirebrain.de/o.php
http://begros.de/o.php
http://deepiceman.de/o.php
http://dfk-crew.clanintern.de/o.php
http://die-cliquee.de/o.php
http://edwinf.surfplanet.de/o.php
http://knecht.cs.uni-magdeburg.de/o.php
http://login.rz.fh-augsburg.de/o.php
http://niematec.de/o.php
http://obechmann.de/o.php
http://pe-data.de/o.php
http://people-ftp.freenet.de/o.php
http://ronnyackermann.de/o.php
http://sgi1.rz.rwth-aachen.de/o.php
http://symbit.de/o.php
http://tripod.de/o.php
http://web154.essen082.server4free.de/o.php
http://web216.berlin240.server4free.de/o.php
http://www.aachen.de/o.php
http://www.abacho.de/o.php
http://www.anwaltverein.de//o.php
http://www.aquarius.geomar.de/o.php
http://www.astronomie.de/o.php
http://www.atlantis-show.de/o.php
http://www.atlas-hannover.de/o.php
http://www.awi-bremerhaven.de/o.php
http://www.baden-wuerttemberg.de/o.php
http://www.bayerninfo.de/o.php
http://www.beck.de/o.php
http://www.berlinonline.de/o.php
http://www.bessy.de/o.php
http://www.bitburger.de/o.php
http://www.blk-bonn.de//o.php
http://www.bmgs.bund.de/o.php
http://www.brigitte.de/o.php
http://www.bundesliga.de/o.php
http://www.calistyler.de/o.php
http://www.citypopulation.de/o.php
http://www.dar-fantasy.de/o.php
http://www.dasding.de/o.php
http://www.degruyter.de/o.php
http://www.destatis.de/o.php
http://www.dortmund.de/o.php
http://www.duden.de/o.php
http://www.dwelle.de/o.php
http://www.empire-show.de/o.php
http://www.eumetsat.de/o.php
http://www.europarl.de/o.php
http://www.expo2000.de/o.php
http://www.fernuni-hagen.de/o.php
http://www.finanznachrichten.de/o.php
http://www.firstgate.de/o.php
http://www.frankfurt-airport.de/o.php
http://www.frankfurter-buchmesse.de/o.php
http://www.freiburg.de/o.php
http://www.gantke-net.de/o.php
http://www.gelbeseiten.de/o.php
http://www.gtz.de/o.php
http://www.gutenberg2000.de/o.php
http://www.hannobunz.de/o.php
http://www.heidelberg.de/o.php
http://www.helmholtz.de/o.php
http://www.hosteurope.de/o.php
http://www.h-p-i.de/o.php
http://www.immobilienscout24.de/o.php
http://www.jugendherberge.de/o.php
http://www.kabel1.de/o.php
http://www.kalenderblatt.de/o.php
http://www.karlsruhe.de/o.php
http://www.king-alp.de/o.php
http://www.klug-suchen.de/o.php
http://www.kompetenznetze.de/o.php
http://www.kompetenzz.de/o.php
http://www.krebsinformation.de/o.php
http://www.lords-of-havoc.de/o.php
http://www.lufthansa.de/o.php
http://www.lupo18t.de/o.php
http://www.mathguide.de/o.php
http://www.math-net.de/o.php
http://www.mdirk.de/o.php
http://www.medicine-worldwide.de/o.php
http://www.meinestadt.de/o.php
http://www.messe-duesseldorf.de/o.php
http://www.messe-muenchen.de/o.php
http://www.mohr.de/o.php
http://www.monster.de/o.php
http://www.munich-airport.de/o.php
http://www.mupad.de/o.php
http://www.murczak.de/o.php
http://www.niedersachsen.de/o.php
http://www.nuernbergmesse.de/o.php
http://www.onlinereviewguide.com/o.php
http://www.pcwelt.de/o.php
http://www.photokina.de/o.php
http://www.rapz-records.de/o.php
http://www.regtp.de/o.php
http://www.renewables2004.de/o.php
http://www.ruhr-uni-bochum.de/o.php
http://www.saarbruecken.de/o.php
http://www.saarland.de/o.php
http://www.schaubuehne.de/o.php
http://www.schulen-ans-netz.de/o.php
http://www.slowfood.de/o.php
http://www.staedtetag.de/o.php
http://www.stellenmarkt.de/o.php
http://www.stepstone.de/o.php
http://www.stifterverband.de/o.php
http://www.stricker-doerpen.de/o.php
http://www.studentenwerke.de/o.php
http://www.stufenlos-regelbar.de/o.php
http://www.stuttgart.de/o.php
http://www.stuttgarter-zeitung.de/o.php
http://www.superstar-nord.de/o.php
http://www.sysserver1.de/o.php
http://www.szakos.de/o.php
http://www.testdaf.de/o.php
http://www.tu-darmstadt.de/o.php
http://www.tu-dresden.de/o.php
http://www.tu-muenchen.de/o.php
http://www.umweltbundesamt.de/o.php
http://www.uni-bremen.de/o.php
http://www.unibw-muenchen.de/o.php
http://www.uni-duesseldorf.de/o.php
http://www.uni-duisburg-essen.de/o.php
http://www.uni-frankfurt.de/o.php
http://www.uni-jena.de/o.php
http://www.uni-mannheim.de/o.php
http://www.uni-marburg.de/o.php
http://www.uni-osnabrueck.de/o.php
http://www.uni-tuebingen.de/o.php
http://www.urlaubstage.de/o.php
http://www.vwschubert.de/o.php
http://www.webhits.de/o.php
http://www.wiley-vch.de/o.php
http://www.wissenschaft-online.de/o.php
http://zeus05.de/o.php
http://zille.cs.uni-magdeburg.de/o.php
It prevents several variants of the Netsky worm from being run.
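The URL list above is most useful as a network indicator: every entry ends in the same script name, o.php, and two of them carry a doubled slash that a naive string match would miss. The following is an added example, not code from the original description or from the vendor, showing how to sweep a proxy access log for those requests. It assumes the Squid "native" log layout and uses a representative subset of the hosts above; the log lines themselves are constructed, not real traffic. A request for /o.php on a host that is not in the list is reported separately, since the operator could change the download sites without changing the script name.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Representative subset of the hosts listed above; load the full list in real use.
BAGLE_AH_HOSTS = frozenset({
    "abtacha.wirebrain.de",
    "knecht.cs.uni-magdeburg.de",
    "www.anwaltverein.de",
    "www.pcwelt.de",
    "www.tu-dresden.de",
    "zille.cs.uni-magdeburg.de",
})
BAGLE_AH_PATH = "/o.php"

# Squid native access-log layout (assumed): ts elapsed client code/status size method url ...
_SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def normalize_path(path: str) -> str:
    """Collapse repeated slashes so '//o.php' compares equal to '/o.php'."""
    return re.sub(r"/{2,}", "/", path) or "/"


def classify(url: str) -> Optional[str]:
    """'known_host' for a listed host, 'path_only' for /o.php elsewhere, else None."""
    parts = urlsplit(url)
    if normalize_path(parts.path) != BAGLE_AH_PATH:
        return None
    host = (parts.hostname or "").lower()
    return "known_host" if host in BAGLE_AH_HOSTS else "path_only"


def scan_log(lines):
    """Yield (client, url, verdict) for every request that matches."""
    for line in lines:
        m = _SQUID_RE.match(line)
        if not m:
            continue
        verdict = classify(m["url"])
        if verdict:
            yield m["client"], m["url"], verdict


def infected_clients(lines):
    """Clients with at least one hit on a listed host, with their hit counts."""
    counts = Counter()
    for client, _url, verdict in scan_log(lines):
        if verdict == "known_host":
            counts[client] += 1
    return dict(counts)


# Constructed sample log (not real traffic): two listed hosts, one unknown host, two benign lines.
SAMPLE_LOG = """\
1092136800.101    250 10.0.0.15 TCP_MISS/404 412 GET http://www.pcwelt.de/o.php - DIRECT/1.2.3.4 text/html
1092136800.204    300 10.0.0.15 TCP_MISS/404 410 GET http://www.anwaltverein.de//o.php - DIRECT/1.2.3.5 text/html
1092136801.330    120 10.0.0.22 TCP_HIT/200 5120 GET http://www.pcwelt.de/index.html - NONE/- text/html
1092136802.010    200 10.0.0.31 TCP_MISS/200 640 GET http://mirror.example.net/o.php - DIRECT/1.2.3.6 text/html
1092136803.999     90 10.0.0.22 TCP_MISS/200 88 CONNECT www.example.com:443 - DIRECT/1.2.3.7 -
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print(infected_clients(SAMPLE_LOG))
```

A 404 from the listed host is still a hit: the request itself shows the worm is running on the client, whether or not the script was still online.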
Infection strategy
Bagle.AH creates the following files in the Windows system directory:
Bagle.AH creates the following entry in the Windows Registry:
Bagle.AH deletes the following entries from the Windows Registry, if they exist:
- From the keys below:
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
it deletes all values with any of the following names:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
By doing so, Bagle.AH prevents several variants of the worm Netsky from being run automatically whenever Windows is started.
Means of transmission
Bagle.AH spreads via e-mail and through peer-to-peer (P2P) file sharing programs.
1.- Transmission via e-mail.
Bagle.AH follows the routine below:
It arrives on the computer in an e-mail message with the following variable characteristics:
Sender: Bagle.AH spoofs the address from which it is sent, so the message appears to come from someone other than the real sender. This may cause confusion.
Subject: Re:
Message: in HTML format. When viewed as plain text, it shows the HTML markers:
<html><body>
</body></html>
<br><br>
followed by any of the following lines:
>Predators
>Lovely animals
>fotoinfo
>The snake
>Animals
>fotogalary and Music
>foto3 and MP3
>Screen and Music
Attachment: it has a variable name and extension:
Possible names: Cat, Cool_MP3, Dog, Fish, Doll, Garry, MP3, Music_MP3, New_MP3_Player.
Possible extensions: COM, CPL, EXE, SCR and ZIP.
If the attached file has a ZIP extension, the archive is password-protected and also includes an image file with a BMP extension; this image shows the password needed to decompress the archive. In addition, the file contains one of the following keywords:
PASSWORD, PASS, KEY.
- The computer is affected once the attached file is run.
- Bagle.AH searches for e-mail addresses in files with the following extensions on the system's drives, excluding floppy drives, CD-ROMs and other removable media: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
- Bagle.AH sends itself to all the addresses it has gathered, using its own SMTP engine.
- However, Bagle.AH does not send itself to addresses containing any of the following text strings:
@avp., @foo, @hotmail, @iana, @messagelab, @microsoft, @msn, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, feste, free-av, f-secur, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, news, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, update, winrar, winzip.
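The e-mail characteristics above (subject, body line, lure attachment name and extension, and the ZIP-plus-BMP packaging) can be turned into a mail-gateway rule. The following is an added example, not code from the original description or from the vendor: it parses a raw message with Python's standard email library, checks each indicator, looks inside a ZIP attachment without extracting it, and gives a verdict. The sample messages are constructed here and the archive holds harmless placeholder bytes, not the worm; the verdict threshold (a lure attachment plus either the subject or a body line) is a design choice of this example, not something the description states.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

# Indicators taken from the description above (names compared case-insensitively).
LURE_NAMES = {"cat", "cool_mp3", "dog", "fish", "doll", "garry", "mp3",
              "music_mp3", "new_mp3_player"}
LURE_EXTS = {"com", "cpl", "exe", "scr", "zip"}
EXEC_EXTS = {"com", "cpl", "exe", "scr"}
BODY_LINES = {"Predators", "Lovely animals", "fotoinfo", "The snake", "Animals",
              "fotogalary and Music", "foto3 and MP3", "Screen and Music"}


class _TextExtractor(HTMLParser):
    """Collect the text nodes of an HTML body, dropping the tags."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def html_to_text(html):
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return "".join(p.chunks)


def split_name(filename):
    """'New_MP3_Player.SCR' -> ('new_mp3_player', 'scr'); no dot -> ext ''."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename.lower(), ""
    return base.lower(), ext.lower()


def zip_indicators(data):
    """Inspect a ZIP attachment from its central directory only (nothing is
    extracted). Bagle.AH ships the executable next to a BMP showing the
    archive password, so an archive holding both is the pattern to look for."""
    result = {"has_exe": False, "has_bmp": False, "encrypted": False, "bad_zip": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                _, ext = split_name(info.filename)
                if ext in EXEC_EXTS:
                    result["has_exe"] = True
                    # bit 0 of the general-purpose flag marks a password-protected entry
                    result["encrypted"] |= bool(info.flag_bits & 0x1)
                elif ext == "bmp":
                    result["has_bmp"] = True
    except zipfile.BadZipFile:
        result["bad_zip"] = True
    return result


def score_message(raw):
    """Return which Bagle.AH indicators a raw RFC 822 message matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    f = {"subject": False, "body": False, "attachment": False, "zip_pair": False}
    f["subject"] = (msg["subject"] or "").strip() == "Re:"
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        text = body.get_content()
        if body.get_content_type() == "text/html":
            text = html_to_text(text)
        # the description shows the lines with a leading '>', so accept it either way
        f["body"] = any(ln.strip().lstrip(">").strip() in BODY_LINES for ln in text.splitlines())
    for part in msg.iter_attachments():
        base, ext = split_name(part.get_filename() or "")
        if base in LURE_NAMES and ext in LURE_EXTS:
            f["attachment"] = True
            if ext == "zip":
                z = zip_indicators(part.get_payload(decode=True))
                f["zip_pair"] = z["has_exe"] and z["has_bmp"]
    # threshold chosen for this example: lure attachment plus subject or body line
    f["verdict"] = "bagle_ah_like" if f["attachment"] and (f["subject"] or f["body"]) else "clean"
    return f


def build_sample():
    """Constructed message reproducing the described indicators (not a real capture;
    the ZIP holds harmless placeholder bytes, not the worm)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Cat.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("password.bmp", b"BM" + b"\x00" * 12)
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.org"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re:"
    msg.set_content("<html><body><br><br>>Predators</body></html>", subtype="html")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Cat.zip")
    return msg.as_bytes()


def build_benign_sample():
    """A plain-text reply with no attachment; should score clean despite 'Re:'."""
    msg = EmailMessage()
    msg["Subject"] = "Re:"
    msg.set_content("Thanks, see you tomorrow.")
    return msg.as_bytes()
```

On a real sample the "encrypted" field would be true for the executable entry; the constructed archive is unencrypted because Python's zipfile cannot write password-protected entries, so the example matches on the executable-plus-BMP pairing instead.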
2.- Transmission through file sharing programs.
Bagle.AH carries out the following routine:
- It creates copies of itself in the shared directories of file sharing programs such as BearShare, KaZaA, LimeWire and Morpheus:
c:\ My Shared Folder\
c:\ Program Files\ BearShare\
c:\ Program Files\ BearShare\ Shared\
c:\ Program Files\ Common Files\ Microsoft Shared\
c:\ Program Files\ Grokster\ My Shared Folder\
c:\ Program Files\ ICQ\ Shared Files\
c:\ Program Files\ Kazaa Lite\ My Shared Folder\
c:\ Program Files\ Kazaa\ My Shared Folder\
c:\ Program Files\ KMD\ My Shared Folder\
c:\ Program Files\ LimeWire\ Shared\
c:\ Program Files\ Morpheus\ My Shared Folder\
c:\ Program Files\ Rapigator\ Share\
c:\ Program Files\ Shareaza\
c:\ Program Files\ WinMX\ My Shared Folder\
c:\ WINDOWS\ ime\ shared\
- It uses the following file names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
- Other users of these programs can access the shared directories and download the files, believing them to be useful programs, movies, pictures, etc. What they actually download is a copy of the worm.
- When the downloaded file is run, that computer is affected by Bagle.AH.
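Two of the host-side artefacts described on this page, the Run-key value names Bagle.AH deletes (see "Infection strategy") and the lure file names it drops into P2P shared folders (above), can be checked from an incident-response script without the worm's own tooling. The following is an added example, not code from the original description or from the vendor. It assumes the Run keys have been exported with reg export and decoded from UTF-16 to text, and it stands in a temporary directory for a shared folder; the registry export and the files are constructed here. Note that several of the value names (such as "service" and "Antivirus") are generic, so a hit on the name alone is a lead to confirm against the data column, not a verdict.

```python
import os
import re
import tempfile
from pathlib import Path

# Keys the description names; compared case-insensitively, exact key only (not RunOnce).
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
_RUN_KEYS_UPPER = {k.upper() for k in RUN_KEYS}

# Value names Bagle.AH deletes (they belong to Netsky variants, per the description).
TARGET_VALUE_NAMES = {
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus", "Special Firewall Service",
    "service", "Tiny AV", "ICQNet", "HtProtect", "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo",
    "SysMonXP", "EasyAV", "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng",
    "SkynetsRevenge", "ICQ Net",
}

# File names dropped into shared folders, lower-cased for case-insensitive matching.
P2P_LURE_NAMES = {n.lower() for n in (
    "ACDSee 9.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe", "Kaspersky Antivirus 5.0",
    "KAV 5.0", "Matrix 3 Revolution English Subtitles.exe", "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe", "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Opera 8 New!.exe", "Porno pics arhive, xxx.exe", "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Serials.txt.exe", "WinAmp 5 Pro Keygen Crack Update.exe",
    "WinAmp 6 New!.exe", "Windown Longhorn Beta Leak.exe", "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
)}

_SECTION_RE = re.compile(r"^\[(.+)\]$")
# "Name"=data ; the name may contain escaped quotes, so match them as \x pairs
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def audit_reg_export(text):
    """Return (key, value_name, data) for Run values whose name is on the target list.
    `text` is the output of `reg export`, already decoded (the tool writes UTF-16 with BOM:
    Path(p).read_text(encoding="utf-16"))."""
    hits, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None or current_key.upper() not in _RUN_KEYS_UPPER:
            continue
        v = _VALUE_RE.match(line)
        if v and v.group(1).replace('\\"', '"') in TARGET_VALUE_NAMES:
            hits.append((current_key, v.group(1), v.group(2)))
    return hits


def sweep_shared_dirs(roots):
    """Walk the given shared directories and return files whose name is on the lure list."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in P2P_LURE_NAMES:
                    found.append(os.path.join(dirpath, name))
    return sorted(found)


# Constructed .reg export (placeholder paths, not a real system): two target names in
# Run keys, benign entries beside them, and a target name under RunOnce that must NOT match.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMwareTray.exe\""
"ICQ Net"="C:\\WINDOWS\\placeholder_a.exe -serv"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Antivirus"="C:\\WINDOWS\\placeholder_b.exe -av"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"service"="C:\\placeholder_c.exe"
'''


def demo_sweep():
    """Build a throw-away tree standing in for a Kazaa share and return matching base names."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "Program Files" / "Kazaa" / "My Shared Folder"
        (share / "sub").mkdir(parents=True)
        (share / "Serials.txt.exe").write_bytes(b"MZ placeholder")      # lure name
        (share / "readme.txt").write_bytes(b"benign")                   # should be ignored
        (share / "sub" / "WinAmp 6 New!.exe").write_bytes(b"MZ placeholder")  # lure name, nested
        return [os.path.basename(p) for p in sweep_shared_dirs([tmp])]


if __name__ == "__main__":
    for key, name, data in audit_reg_export(SAMPLE_REG):
        print(f"{key}  {name!r} = {data}")
    print(demo_sweep())
```

In practice, point sweep_shared_dirs at the directory list given above (and at any other share roots the P2P clients on the host are configured with), and treat a hit as a reason to pull the file for analysis rather than to delete it on the spot.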
Further Details
Bagle.AH is written in Visual C++ 6.0. It is 21 KB in size when compressed with a modified version of PeX v0.99b, and 35 KB when decompressed.
Bagle.AH creates one of the following mutexes, in order to prevent two copies of itself from running at the same time:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Because these mutex names are also used by several variants of Netsky, creating them prevents those variants from running as well.