
Virus Encyclopedia


Bagle.AB

Threat level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

Bagle.AB carries out the following actions:

  • It attempts to connect through port 2535 to several websites that host a PHP script. By doing so, Bagle.AB notifies its author that the computer has been affected:

    http://2udar.ligakvn.de/5.php
    http://3treepoint.com/5.php
    http://abakan.strana.de/5.php
    http://andimeisslein.de/5.php
    http://ditec.um.es/5.php
    http://fotos.schneider.bards.de/5.php
    http://hardvision.ru/5.php
    http://jakimov.golos.de/5.php
    http://markusgimenez.de/5.php
    http://mhv24.de/5.php
    http://s318.evanzo-server.de/5.php
    http://Spaceclub.de/5.php
    http://tobimayer.de/5.php
    http://vg.xtonne.de/5.php
    http://villakinderbunt.de/5.php
    http://virtualzone.de/5.php
    http://www.ac-schnitzer.de/5.php
    http://www.auma.de/5.php
    http://www.autoscout24.de/5.php
    http://www.avh.de/5.php
    http://www.beckers-systems.de/5.php
    http://www.berlinale.de/5.php
    http://www.blauer-engel.de/5.php
    http://www.bmbf.de/5.php
    http://www.bruecke-osteuropa.de/5.php
    http://www.bundesregierung.de/5.php
    http://www.cicv.fr/5.php
    http://www.chugai.de/5.php
    http://www.dalnoboyshik.de/5.php
    http://www.de-bug.de/5.php
    http://www.degruyter.de/5.php
    http://www.deutsch-als-fremdsprache.de/5.php
    http://www.deutsches-museum.de/5.php
    http://www.deutschland.de/5.php
    http://www.dfg.de/5.php
    http://www.documenta.de/5.php
    http://www.dwd.de/5.php
    http://www.embl-heidelberg.de/5.php
    http://www.emis.de/5.php
    http://www.eumetsat.de/5.php
    http://www.exactaudiocopy.de/5.php
    http://www.fernuni-hagen.de/5.php
    http://www.fiz-karlsruhe.de/5.php
    http://www.fracht-24.de/5.php
    http://www.fu-berlin.de/5.php
    http://www.gdch.de/5.php
    http://www.go-amman.de/5.php
    http://www.goethe.de/5.php
    http://www.gospel-nations.de/5.php
    http://www.gsi.de/5.php
    http://www.hamann-motorsport.de/5.php
    http://www.hamburg.de/5.php
    http://www.heise.de/5.php
    http://www.hotel-pension-spree.de/5.php
    http://www.ifdesign.de/5.php
    http://www.insel-ruegen-hotel.de/5.php
    http://www.intermatgmbh.de/5.php
    http://www.jura.uni-sb.de/5.php
    http://www.kliniken.de/5.php
    http://www.leipziger-messe.de/5.php
    http://www.loveparade.de/5.php
    http://www.low-spirit.de/5.php
    http://www.mdz-moskau.de/5.php
    http://www.mitsubishi-evs.de/5.php
    http://www.mitsumi.de/5.php
    http://www.mk-motorsport.de/5.php
    http://www.mobile.de/5.php
    http://www.nabu.de/5.php
    http://www.neformal.de/5.php
    http://www.neznakomez.de/5.php
    http://www.paromi.de/5.php
    http://www.partner-inform.de/5.php
    http://www.php-resource.de/5.php
    http://www.pri-wo-hamburg.de/5.php
    http://www.red-dot.de/5.php
    http://www.restarted-alliance.de/5.php
    http://www.ruletka.de/5.php
    http://www.russische-botschaft.de/5.php
    http://www.siegenia-aubi.com/5.php
    http://www.spiegel.de/5.php
    http://www.sprach-zertifikat.de/5.php
    http://www.teac.de/5.php
    http://www.tecchannel.de/5.php
    http://www.tekeli.de/5.php
    http://www.tib.uni-hannover.de/5.php
    http://www.turism.de/5.php
    http://www.uni-oldenburg.de/5.php
    http://www.uni-stuttgart.de/5.php
    http://www.welt.de/5.php
    http://www.windac.de/5.php
    http://www.winfuture.de/5.php
    http://www.www.mirko-becker.gmxhome.de/5.php
  • It ends the following processes, if they are active:

    3.02D30.EXE, AGENTSVR.EXE, ANTI-TROJA, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE, APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATGUARD.EXE, ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVCONSOL.EXE, AVGSERV9.EXE, AVLTMAIN.EXE, AVprotect9x.EXE, AVPUPD.EXE, AVSYNMGR.EXE, AVWUPD32.EXE, AVXQUAR.EXE, BD_PROFESSIONAL.EXE, BIDEF.EXE, BIDSERVER.EXE, BIPCP.EXE, BIPCPEVALSETUP.EXE, BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BOOTWARN.EXE, BORG2.EXE, BS120.EXE, CDP.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER3.EXE, CLEANPC.EXE, CMGRDIAN.EXE, CMON016.EXE, CPD.EXE, CPF9X206.EXE, CPFNT206.EXE, CV.EXE, CWNB181.EXE, CWNTDWMO.EXE, DEFWATCH.EXE, DEPUTY.EXE, DPF.EXE, DPFSETUP.EXE, drvsys.EXE, DRWATSON.EXE, DRWEBUPW.EXE, E TRACERT.EXE, ENT.EXE, ESCANH95.EXE, ESCANHNT.EXE, ESCANV95.EXE, EXANTIVIRUS-CNET.EXE, FAST.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE, FP-WIN_TRIAL.EXE, FRW.EXE, FSAV.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE, FSAV95.EXE, GBMENU.EXE, GBPOLL.EXE, GUARD.EXE, GUARDDOG.EXE, HACKTRACERSETUP.EXE, HTLOG.EXE, HWPE.EXE, IAMAPP.EXE, IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFW2000.EXE, IPARMOR.EXE, IRIS.EXE, JAMMER.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE, KERIO-PF-213-EN-WIN.EXE, KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE, KILLPROCESSSETUP161.EXE, LDPRO.EXE, LOCALNET.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LSETUP.EXE, LUALL.EXE, LUCOMSERVER.EXE, LUINIT.EXE, MCAGENT.EXE, MCUPDATE.EXE, MFW2EN.EXE, MFWENG, MGUI.EXE, MINILOG.EXE, MOOLIVE.EXE, MRFLUX.EXE, MSCONFIG.EXE, MSINFO32.E, MU0311AD.EXE, N.EXE, NAV80TRY.EXE, NAVAPW32.EXE, NAVDX.EXE, NAVSTUB.EXE, NAVW32.EXE, NC2000.EXE, NCINST4.EXE, NDD32.EXE, NEOMONITOR.EXE, NETARMOR.EXE, NETINFO.EXE, NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE, NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NPF40_TW_98_NT_ME_2K.EXE, 
NPFMESSENGER.EXE, NPROTECT.EXE, NSCHED32.EXE, NTVDM.EXE, NUPGRADE.EXE, NVARCH16.EXE, NWINST4.EXE, NWTOOL16.EXE, OSTRONET.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE, PADMIN.EXE, PANIXK.EXE, PAVPROXY.EXE, PCC2002S902.EXE, PCC2K_76_1436.EXE, PCCIOMON.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCIP10117_0.EXE, PDSETUP.EXE, PERISCOPE.EXE, PERSFW.EXE, PF2.EXE, PFWADMIN.EXE, PINGSCAN.EXE, PLATIN.EXE, POPROXY.EXE, POPSCAN.EXE, PORTDETECTIVE.EXE, PPINUPDT.EXE, PPTBC.EXE, PPVSTOP.EXE, PROCEXPLORERV1.0.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE, PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAV8WIN32ENG.EXE, REGEDIT.EXE, REGEDT32.EXE, RESCUE.EXE, RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE, RTVSCN95.EXE, RULAUNCH.EXE, SAFEWEB.EXE, SBSERV.EXE, SD.EXE, SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE, SH.EXE, SHELLSPYINSTALL.EXE, SHN.EXE, SMC.EXE, SOFI.EXE, SPF.EXE, SPHINX.EXE, SPYXX.EXE, SS3EDIT.EXE, ST2.EXE, SUPFTRL.EXE, SUPPORTER5.EXE, SYMPROXYSVC.EXE, SYSEDIT.EXE, TASKMON.EXE, TAUMON.EXE, TAUSCAN.EXE, TC.EXE, TCA.EXE, TCM.EXE, TDS2-98.EXE, TDS2-NT.EXE, TDS-3.EXE, TFAK5.EXE, TGBOB.EXE, TITANIN.EXE, TITANINXP.EX, TRJSCAN.EXE, TRJSETUP.EXE, TROJANTRAP3.EXE, UNDOBOOT.EXE, UPDATE.EXE, VBCMSERV.EXE, VBCONS.EXE, VBUST.EXE, VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VFSETUP.EXE, VIRUSMDPERSONALFIREWALL.EXE, VNLAN300.EXE, VNPC3000.EXE, VPC42.EXE, VPFW30S.EXE, VPTRAY.EXE, VSCENU6.02D30.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, VSWIN9XE.EXE, VSWINNTSE.EXE, VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE, WATCHDOG.EXE, WEBSCANX.EXE, WGFE95.EXE, WHOSWATCHINGME.EXE, WINRECON.EXE, WNT.EXE, WRADMIN.E, WSBGATE.EXE, WYVERNWORKSFIREWALL.EXE, XE MSSMMC32.EXE, XE WRCTRL.EXE, XPF202EN.EXE, ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZAUINST.EXE, ZONALM2601.EXE and ZONEALARM.EXE.

    These processes belong to antivirus programs and firewalls, among other security applications, as well as to several worms.
  • It displays the following fake error message on screen:
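The check-in behaviour described in the first bullet (an HTTP request to a `/5.php` script over TCP port 2535) is easy to spot in proxy or firewall logs. The following is an added example, not Panda's code: it assumes a constructed, space-separated log format (timestamp, source IP, destination host, destination port, URL path) and flags requests on port 2535 to `/5.php` regardless of host, so the same rule also catches check-ins to hosts not on the list above.

```python
"""Flag outbound Bagle.AB check-in attempts in proxy/firewall log lines.

Added example (not Panda's code). It assumes a constructed, space-separated
log format: timestamp, source IP, destination host, destination port, path.
"""
import re
from typing import Dict, List

# Constructed sample lines: the host names come from the notification list
# in the description, the remaining fields are invented for this example.
SAMPLE_LOG = """\
2004-06-01T10:00:01 10.0.0.12 www.heise.de 2535 /5.php
2004-06-01T10:00:02 10.0.0.12 www.heise.de 80 /newsticker/
2004-06-01T10:00:03 10.0.0.12 www.spiegel.de 2535 /5.php
2004-06-01T10:00:04 10.0.0.7 intranet.example 8080 /status.php
2004-06-01T10:00:05 10.0.0.7 www.mobile.de 2535 /5.php
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<path>\S+)$"
)

BEACON_PORT = 2535       # port named in the description
BEACON_PATH = "/5.php"   # script path shared by every listed URL


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its named fields (assumed format above)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def is_beacon(rec: Dict[str, str]) -> bool:
    """True when a request matches the worm's notification pattern:
    TCP port 2535 and a /5.php path. Matching on port and path rather than
    on the host list catches check-ins to hosts the list does not name."""
    return int(rec["port"]) == BEACON_PORT and rec["path"].lower() == BEACON_PATH


def find_beacons(log_text: str) -> List[Dict[str, str]]:
    """All parsed records in the log that look like a Bagle.AB check-in."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_beacon(rec):
            hits.append(rec)
    return hits


def infected_sources(log_text: str) -> List[str]:
    """Distinct internal hosts that beaconed, sorted: the machines to
    isolate and clean."""
    return sorted({h["src"] for h in find_beacons(log_text)})


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['host']}:{h['port']}{h['path']}")
    print("hosts to isolate:", infected_sources(SAMPLE_LOG))
```

Run against a real export, the port-plus-path rule is the durable indicator; the host list is only the snapshot of compromised web servers known when the description was written.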

Infection strategy 

Bagle.AB creates the following files in the Windows system directory:

  • DRVDDLL.EXE and DRVDDLL.EXEOPEN. These files are copies of the worm.
  • DRVDDLL.EXEOPENOPEN. This file in a VBS format creates and runs a copy of the worm on the affected computer.

Bagle.AB creates the following entry in the Windows Registry:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    drvddll.exe = %sysdir%\drvddll.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Bagle.AB ensures that it is run whenever Windows is started.
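The Run-key entry above is the persistence indicator an incident responder checks first. The following is an added example, not Panda's code: it parses the text of a `.reg` export of the Run key (such as `reg export` produces on Windows) so the check can run offline on any platform, and reports any value whose name or target file is `drvddll.exe`. The export text is constructed for the example.

```python
"""Check an exported Run key for the Bagle.AB persistence value.

Added example, not Panda's code. It parses the text of a .reg export so the
check runs offline on any platform; the sample export is constructed.
"""
import re
from typing import Dict, List

# Constructed sample export: one benign value and one matching the worm.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drvddll.exe"="C:\\WINDOWS\\system32\\drvddll.exe"
"""

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_FILE = "drvddll.exe"   # file name from the description

# "name"="data" lines; both sides may contain \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: lower-cased key path -> {value name: string data}.
    Only REG_SZ values are handled, which is all the Run key normally holds."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = data
    return keys


def target_basename(data: str) -> str:
    """File name at the end of a command line or path stored in the value."""
    return data.strip('"').replace("/", "\\").split("\\")[-1].lower()


def find_bagle_run_entries(text: str) -> List[str]:
    """Value names under the Run key whose name or target is drvddll.exe."""
    values = parse_reg_export(text).get(RUN_KEY.lower(), {})
    return [
        name for name, data in values.items()
        if name.lower() == WORM_FILE or target_basename(data) == WORM_FILE
    ]


if __name__ == "__main__":
    print("suspicious Run values:", find_bagle_run_entries(SAMPLE_REG))
```

Matching on the target file name as well as the value name matters because the value name is trivially renamed, while the file the entry launches has to be the worm's copy in the system directory.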

Means of transmission 

Bagle.AB spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

Bagle.AB follows the routine below:

  • It reaches the computer in a message with variable characteristics:

    Sender:
    Bagle.AB spoofs the e-mail address from which it is sent, so the apparent sender is not the infected computer. This may cause confusion.

    Subject: one of the following:
    Changes..
    Encrypted document
    Fax Message Received
    Forum notify
    Hidden message
    Incoming message
    New changes
    Notification
    Protected message
    Re: Document
    Re: Hello
    Re: Hi
    Re: Incoming Message
    RE: Incoming Msg
    RE: Message Notify
    Re: Msg reply
    RE: Protected message
    RE: Text message
    Re: Thank you!
    Re: Thanks :)
    Re: Yahoo!
    Site changes*

    Message: it is usually blank. However, if the attached file has a ZIP extension, the file is password protected and the message includes one of the following texts:
    Archive password: %key%
    Attached file is protected with the password for security reasons. Password is %key%
    For security purposes the attached file is password protected. Password -- %key%
    For security reasons attached file is password protected. The password is %key%
    In order to read the attach you have to use the following password: %key%
    Note: Use password %key% to open archive.
    Password - %key%
    Password: %key%
    where %key% stands for an image file with a BMP extension. This file contains the password needed in order to decompress the attached file.
    For example, this image could be the following one (image not reproduced in this text).

    Attachment: variable name and extension:
    Possible names: ALIVE_CONDOM, COUNTER_STRIKE, DETAILS, DETAILS, DOCUMENT, HALF_LIVE, I_SEARCH_FOR_YOU, INFO, INFORMATION, JOKE, LOVES_MONEY, MANUFACTURE, MESSAGE, MOREINFO, NERVOUS_ILLNESSES, README, SMOKE, TEXT_DOCUMENT, THE_MESSAGE, THE_MESSAGE, TOY, YOU_ARE_DISMISSED, YOU_WILL_ANSWER_TO_ME, YOUR_COMPLAINT, YOUR_MONEY.
    Possible extensions: COM, CPL, EXE, HTA, SCR, VBS, ZIP.
    If the attached file has a ZIP extension, besides a copy of the worm with a random name, it will contain another file with a random name and one of the following extensions: BAT, DLL, DOC, TXT, VXD. This file contains random characters.
  • The computer will be affected once the attached file is run.
  • Bagle.AB searches for e-mail addresses containing the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
  • Bagle.AB sends itself out to all the addresses it has gathered, using its own SMTP engine.
  • However, Bagle.AB will not spread to those addresses containing any of the following text strings:
    @avp., @foo, @hotmail, @iana, @messagelab, @microsoft, @msn, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, feste, free-av, f-secur, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, news, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, update, winrar and winzip.
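The mail characteristics listed in this section (fixed subject lines, a small set of attachment base names and extensions, and a password note whose key is delivered as a BMP image next to a ZIP) combine into a gateway or mailbox triage rule. The following is an added example, not Panda's code: it parses a constructed MIME message with Python's standard `email` module and reports which of those indicators it matches. The indicator lists are copied from the description; the message itself and the scoring are assumptions of this example.

```python
"""Score an inbound message against the Bagle.AB mail indicators.

Added example, not Panda's code. The messages are constructed; the subject,
attachment and password-note lists come from the description.
"""
import re
from email import message_from_string
from email.policy import default
from typing import Dict, List

SUBJECTS = {
    "Changes..", "Encrypted document", "Fax Message Received", "Forum notify",
    "Hidden message", "Incoming message", "New changes", "Notification",
    "Protected message", "Re: Document", "Re: Hello", "Re: Hi",
    "Re: Incoming Message", "RE: Incoming Msg", "RE: Message Notify",
    "Re: Msg reply", "RE: Protected message", "RE: Text message",
    "Re: Thank you!", "Re: Thanks :)", "Re: Yahoo!", "Site changes",
}
SUBJECTS_LC = {s.lower() for s in SUBJECTS}
ATTACH_NAMES = {
    "ALIVE_CONDOM", "COUNTER_STRIKE", "DETAILS", "DOCUMENT", "HALF_LIVE",
    "I_SEARCH_FOR_YOU", "INFO", "INFORMATION", "JOKE", "LOVES_MONEY",
    "MANUFACTURE", "MESSAGE", "MOREINFO", "NERVOUS_ILLNESSES", "README",
    "SMOKE", "TEXT_DOCUMENT", "THE_MESSAGE", "TOY", "YOU_ARE_DISMISSED",
    "YOU_WILL_ANSWER_TO_ME", "YOUR_COMPLAINT", "YOUR_MONEY",
}
ATTACH_EXTS = {"com", "cpl", "exe", "hta", "scr", "vbs", "zip"}
# Phrases shared by the password-note templates (the %key% part is an image).
PASSWORD_NOTE = re.compile(
    r"(archive password:|password is|password protected|use password|password -|password:)",
    re.IGNORECASE,
)

# Constructed sample: lure subject, password note, BMP "key" and a ZIP lure.
SAMPLE_MAIL = """\
From: someone@example.org
To: victim@example.net
Subject: Re: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Archive password: see image
--b1
Content-Type: image/bmp
Content-Disposition: attachment; filename="key.bmp"
Content-Transfer-Encoding: base64

Qk0=
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="details.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# Constructed benign message for the negative case.
BENIGN_MAIL = """\
From: colleague@example.net
To: victim@example.net
Subject: Lunch on Friday?
Content-Type: text/plain

Same place as last week? Password for the wifi is on the whiteboard.
"""


def triage(raw: str) -> Dict[str, object]:
    """Return the matched indicators; each independent match adds one point."""
    msg = message_from_string(raw, policy=default)
    hits: List[str] = []
    subject = (msg["Subject"] or "").strip()
    if subject.rstrip("*").lower() in SUBJECTS_LC:   # page prints one subject with '*'
        hits.append(f"subject:{subject}")
    attachments: List[str] = []
    body_text = ""
    has_bmp = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            attachments.append(fname)
            base, _, ext = fname.rpartition(".")
            if base.upper() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
                hits.append(f"attachment:{fname}")
            if ext.lower() == "bmp":
                has_bmp = True
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    has_zip = any(a.lower().endswith(".zip") for a in attachments)
    # The password note alone is common in legitimate mail; require the
    # image-delivered key together with a ZIP before counting it.
    if PASSWORD_NOTE.search(body_text) and has_bmp and has_zip:
        hits.append("password-in-image-with-zip")
    return {"hits": hits, "score": len(hits), "attachments": attachments}


if __name__ == "__main__":
    print(triage(SAMPLE_MAIL))
    print(triage(BENIGN_MAIL))
```

A score of two or more is a strong signal for this family; a single subject match on its own is weak because several of the subjects ("Notification", "Re: Hello") occur in ordinary mail.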


2.- Transmission through file sharing programs.

Bagle.AB carries out the following routine:

  • It creates copies of itself in directories with a name that contains the text string shar. It uses the following file names:
    ACDSee 9.exe
    Adobe Photoshop 9 full.exe
    Ahead Nero 7.exe
    Kaspersky Antivirus 5.0
    KAV 5.0
    Matrix 3 Revolution English Subtitles.exe
    Microsoft Office 2003 Crack, Working!.exe
    Microsoft Office XP working Crack, Keygen.exe
    Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Opera 8 New!.exe
    Porno pics arhive, xxx.exe
    Porno Screensaver.scr
    Porno, sex, oral, anal cool, awesome!!.exe
    Serials.txt.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    WinAmp 6 New!.exe
    Windown Longhorn Beta Leak.exe
    Windows Sourcecode update.doc.exe
    XXX hardcore images.exe

  • By doing this, it attempts to copy itself to the shared directories of P2P file sharing programs.
  • Other users of these programs can access the shared directories and download the files to their computers, thinking that they are useful computer programs, movies, pictures, etc. However, these users will actually download a copy of the worm.
  • When the downloaded file is run, these computers will be affected by Bagle.AB.
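Because the worm only copies itself into directories whose names contain "shar" and always uses one of the fixed lure names listed above, a filesystem sweep for that combination finds the planted copies. The following is an added example, not Panda's code: it walks a directory tree, applies exactly those two conditions, and builds a throwaway sample tree with `tempfile` so it runs anywhere; on a real host `scan_tree()` would be pointed at the drive root or the P2P client's share folders.

```python
"""Sweep a directory tree for Bagle.AB's P2P lure files.

Added example, not Panda's code. The sample tree is constructed with
tempfile; the lure names and the 'shar' directory rule come from the
description.
"""
import os
import tempfile
from typing import List, Tuple

# File names the worm uses when copying itself into "shar" directories.
LURE_NAMES = {
    "ACDSee 9.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe",
    "Kaspersky Antivirus 5.0", "KAV 5.0",
    "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Opera 8 New!.exe", "Porno pics arhive, xxx.exe", "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Serials.txt.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "WinAmp 6 New!.exe",
    "Windown Longhorn Beta Leak.exe", "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
}
LURE_NAMES_LC = {n.lower() for n in LURE_NAMES}


def is_share_dir(path: str) -> bool:
    """The worm targets any directory whose name contains 'shar'
    (e.g. 'Shared', 'My Shared Folder'); compare case-insensitively."""
    return "shar" in os.path.basename(path).lower()


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """(directory, file) pairs where a share-named directory holds a file with
    one of the lure names. Names are matched whole, so double extensions such
    as 'Serials.txt.exe' need no special handling."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not is_share_dir(dirpath):
            continue
        for f in files:
            if f.lower() in LURE_NAMES_LC:
                hits.append((dirpath, f))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: one P2P share holding two lures and a benign file,
    plus a lure-named file outside any share directory (must not be a hit)."""
    root = tempfile.mkdtemp(prefix="bagle_demo_")
    share = os.path.join(root, "KaZaA", "My Shared Folder")
    os.makedirs(share)
    for name in ("Opera 8 New!.exe", "Serials.txt.exe", "holiday.jpg"):
        open(os.path.join(share, name), "wb").close()
    other = os.path.join(root, "Downloads")
    os.makedirs(other)
    open(os.path.join(other, "KAV 5.0"), "wb").close()
    return root


def demo() -> List[str]:
    """File names flagged in the constructed tree, in sorted order."""
    return [f for _, f in scan_tree(build_sample_tree())]


if __name__ == "__main__":
    for d, f in scan_tree(build_sample_tree()):
        print(f"lure found: {os.path.join(d, f)}")
```

The directory-name rule is deliberately loose: the worm does not know which P2P client is installed, so it drops copies into any directory with "shar" in its name, and the sweep has to be just as broad.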

Further Details  

Bagle.AB is written in the programming language Visual C. This worm is around 20,000 bytes in size and it is compressed with UPX.