Effects
Bagle.AM carries out the following actions:
- It opens a TCP port and listens on it, allowing remote access to the affected computer in order to carry out actions that compromise the user's confidentiality or impede the tasks performed.
- It ends the following processes, if they are active in memory:
ATUPDATER.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVPUPD.EXE, AVWUPD32.EXE, AVXQUAR.EXE, CFIAUDIT.EXE, DRWEBUPW.EXE, ESCANH95.EXE, ESCANHNT.EXE, FIREWALL.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, LUALL.EXE, MCUPDATE.EXE, NUPGRADE.EXE, OUTPOST.EXE, sys_xp.exe, sysxp.exe, UPDATE.EXE and winxp.exe.
These processes belong, among others, to antivirus update programs, preventing these applications from upgrading their protection against new viruses. Some of these processes belong to other worms.
- It attempts to download a fake JPG file from the following websites:
http://134.102.228.45
http://196.12.49.27
http://213.188.129.72
http://64.62.172.118
http://abi-2004.org
http://advm1.gm.fh-koeln.de
http://alexey.pioneers.com.ru
http://alfinternational.ru
http://aus-Zeit.com
http://binn.ru
http://burn2k.ipupdater.com
http://carabi.ru
http://catalog.zelnet.ru
http://cavalierland.5u.com
http://celine.artics.ru
http://change.east.ru
http://colleen.ai.net
http://controltechniques.ru
http://dev.tikls.net
http://diablo.homelinux.com
http://dodgetheatre.com
http://dozenten.f1.fhtw-berlin.de
http://emnesty.w.interia.pl
http://emnezz.e-mania.pl
http://euroviolence.com
http://evadia.ru
http://fairy.dataforce.net
http://financial.washingtonpost.com
http://free.bestialityhost.com
http://gutemine.wu-wien.ac.at
http://herzog.cs.uni-magdeburg.de
http://home.profootball.ru
http://host.businessweek.com
http://host.wallstreetcity.com
http://host23.ipowerweb.com
http://hsr.zhp.org.pl
http://infokom.pl
http://kafka.punkt.pl
http://kooltokyo.ru
http://kypexin.ru
http://lars-s.privat.t-online.de
http://lottery.h11.ru
http://matzlinger.com
http://megion.ru
http://mmag.ru
http://molinero-berlin.de
http://momentum.ru
http://niebo.net
http://nominal.kaliningrad.ru
http://omegat.ru
http://ourcj.com
http://packages.debian.or.jp
http://pb195.slupsk.sdi.tpnet.pl
http://photo.gornet.ru
http://pixel.co.il
http://pocono.ru
http://polobeer.de
http://porno-mania.net
http://protek.ru
http://przeglad-tygodnik.pl
http://przeglad-tygodnik.pl
http://quotes.barchart.com
http://r2626r.de
http://rausis.latnet.lv
http://relay.great.ru
http://republika.pl
http://sacred.ru
http://sbuilder.ru
http://sec.polbox.pl
http://shadkhan.ru
http://silesianet.pl
http://silesianet.pl
http://slavarik.ru
http://sovea.de
http://spbbook.ru
http://strony.wp.pl
http://szm.sk
http://tarkosale.net
http://tdi-router.opola.pl
http://terramail.pl
http://thorpedo.us
http://traveldeals.sidestep.com
http://ultimate-best-hgh.0my.net
http://vip.pnet.pl
http://werel1.web-gratis.net
http://www.5100.ru
http://www.aannemers-nederland.nl
http://www.abcdesign.ru
http://www.airnav.com
http://www.aktor.ru
http://www.ankil.ru
http://www.antykoncepcja.net
http://www.aphel.de
http://www.artics.ru
http://www.astoria-stuttgart.de
http://www.avant.ru
http://www.baltmatours.com
http://www.baltnet.ru
http://www.biratnagarmun.org.np
http://www.biysk.ru
http://www.boglen.com
http://www.bridesinrussia.com
http://www.busheron.ru
http://www.ccbootcamp.com
http://www.chat4adult.com
http://www.chelny.ru
http://www.ciachoo.pl
http://www.dami.com.pl
http://www.ddosers.net
http://www.dicto.ru
http://www.dilver.ru
http://www.dsmedia.ru
http://www.dynex.ru
http://www.elemental.ru
http://www.elit-line.ru
http://www.epski.gr
http://www.forbes.com
http://www.free-time.ru
http://www.gamma.vyborg.ru
http://www.gantke-net.com
http://www.gin.ru
http://www.glass-master.ru
http://www.glavriba.ru
http://www.gradinter.ru
http://www.hack-gegen-rechts.com
http://www.hbz-nrw.de
http://www.hgr.de
http://www.hgrstrailer.com
http://www.ifa-guide.co.uk
http://www.iluminati.kicks-ass.net
http://www.infognt.com
http://www.intellect.lvc
http://www.interfoodtd.ru
http://www.interrybflot.ru
http://www.inversorlatino.com
http://www.jewishgen.org
http://www.k2kapital.com
http://www.kefaloniaresorts.com
http://www.lamatec.com
http://www.landofcash.net
http://www.laserbuild.ru
http://www.math.kobe-u.ac.jp
http://www.mcschnaeppchen.com
http://www.mdmedia.org
http://www.met.pl
http://www.metacenter.ru
http://www.milm.ru
http://www.myrtoscorp.com
http://www.nefkom.net
http://www.neostrada.pl
http://www.neprifan.ru
http://www.netradar.com
http://www.no-abi2003.de
http://www.oldtownradio.com
http://www.omnicom.ru
http://www.oshweb.com
http://www.pakwerk.ru
http://www.perfectgirls.net
http://www.perfectjewel.com
http://www.peterstar.ru
http://www.pgipearls.com
http://www.phg.pl
http://www.PlayGround.ru
http://www.porsa.ru
http://www.porta.de
http://www.rafani.cz
http://www.rastt.ru
http://www.republika.pl
http://www.republika.pl
http://www.rollenspielzirkel.de
http://www.rubikon.pl
http://www.rumbgeo.ru
http://www.rweb.ru
http://www.scli.ru
http://www.sdsauto.ru
http://www.sensi.com
http://www.silesianet.pl
http://www.sjgreatdeals.com
http://www.sposob.ru
http://www.strefa.pl
http://www.tanzen-in-sh.de
http://www.taom-clan.de
http://www.tayles.com
http://www.teatr-estrada.ru
http://www.teleline.ru
http://www.thepositivesideofsports.com
http://www.timelessimages.com
http://www.tuhart.net
http://www.vconsole.net
http://www.vendex.ru
http://www.virtmemb.com
http://www.vivamedia.ru
http://www.vrack.net
http://www.wapf.com
http://www.webpark.pl
http://www.webronet.com
http://www.webzdarma.cz
http://www.yarcity.ru
http://www.youbuynow.com
http://www.zeiss.ru
http://www.zelnet.ru
http://www.zhp.gdynia.pl
http://wynnsjammer.proboards18.com
http://yaguark.h10.ru
This so-called JPG file is, in fact, an EXE file containing another component of the worm.
- If the computer was affected by any variant of the worm Netsky, Bagle.AM prevents that variant from being run when Windows is started.
Infection strategy
The EXE file hidden in the ZIP file creates the following files in the Windows system directory:
- WINDIRECT.EXE, a copy of the downloader, 14,848 bytes in size.
- _DLL.EXE, a DLL (Dynamic Link Library) that ends processes and downloads another component of the worm, 11,776 bytes in size.
The EXE file downloaded from the websites creates the files WINDLL.EXE, WINDLL.EXEOPEN and WINDLL.EXEOPENOPEN in the Windows system directory. These files are copies of the worm, and are 19,460 bytes in size.
The EXE file hidden in the ZIP file creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
win_upd2.exe = %sysdir%\WINdirect.exe
where %sysdir% is the Windows system directory.
If it cannot create this entry, it attempts to create the following:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
win_upd2.exe = %sysdir%\WINdirect.exe
By creating these entries, Bagle.AM ensures that it is run whenever Windows is started.
The EXE file downloaded from the Internet creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
erthgdr = %sysdir%\windll.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
erthgdr = %sysdir%\windll.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
Bagle.AM deletes from the following paths in the Windows Registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
all the entries with any of the following names:
9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex
These entries belong to several variants of the worm Netsky.
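The persistence values, dropped files and registry keys described in this section are the artifacts a responder would look for on a host. The script below is an added example, not code from the original description or from any vendor: the value names, file names, sizes and key paths are the ones given above, the sample registry entries and directory listing are constructed data so the check runs offline, and the helper names (check_run_entries, check_files, collect_run_entries) are this example's own. collect_run_entries() is an optional Windows-only helper that reads the real keys through the standard winreg module.

```python
"""Host-artifact check for the Bagle.AM indicators described above.

Added example, not from the original description: value names, file
names and sizes are the page's; the inventories below are constructed
sample data. collect_run_entries() is a Windows-only helper (winreg).
"""
import ntpath  # handles Windows paths on any platform

# Run-key values the worm writes: value name -> file name carried in the data.
PERSISTENCE_VALUES = {"win_upd2.exe": "windirect.exe", "erthgdr": "windll.exe"}

# Files dropped in the Windows system directory, with the sizes the page gives.
DROPPED_FILES = {
    "windirect.exe": 14848,
    "_dll.exe": 11776,
    "windll.exe": 19460,
    "windll.exeopen": 19460,
    "windll.exeopenopen": 19460,
}

# Key paths the page lists for the downloaded component. "Ru1n" is not a
# standard Windows key, so its mere existence deserves a look.
SUSPICIOUS_KEYS = {
    r"software\microsoft\windows\currentversion\ru1n",
    r"software\microsoft\downloadmanager",
}

RUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n",
]


def check_run_entries(entries):
    """entries: iterable of (hive, subkey, value_name, data). Returns findings."""
    findings, seen_keys = [], set()
    for hive, subkey, name, data in entries:
        key = subkey.lower()
        if key in SUSPICIOUS_KEYS and (hive, key) not in seen_keys:
            seen_keys.add((hive, key))
            findings.append(f"non-standard key present: {hive}\\{subkey}")
        expected = PERSISTENCE_VALUES.get(name.lower())
        if expected and ntpath.basename(str(data)).lower() == expected:
            findings.append(f"persistence value {name} = {data} under {hive}\\{subkey}")
    return findings


def check_files(listing):
    """listing: mapping of path -> size in bytes. A name-and-size match is
    reported as a dropped file; a name-only match is reported for review."""
    findings = []
    for path, size in listing.items():
        name = ntpath.basename(path).lower()
        if name not in DROPPED_FILES:
            continue
        if size == DROPPED_FILES[name]:
            findings.append(f"dropped file {path} ({size} bytes)")
        else:
            findings.append(f"name match only (size {size}): {path}")
    return findings


def collect_run_entries():
    """Windows only: read both hives' Run and Ru1n keys with winreg."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive_name, hive in hives.items():
        for subkey in RUN_KEYS:
            try:
                with winreg.OpenKey(hive, subkey) as key:
                    i = 0
                    while True:
                        try:
                            name, data, _ = winreg.EnumValue(key, i)
                        except OSError:
                            break  # no more values
                        entries.append((hive_name, subkey, name, data))
                        i += 1
            except OSError:
                continue  # key absent, which is normal for Ru1n on a clean host
    return entries


# Constructed sample inventory: one benign entry plus the page's artifacts.
SAMPLE_ENTRIES = [
    ("HKCU", RUN_KEYS[0], "OneDrive", r"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("HKLM", RUN_KEYS[0], "win_upd2.exe", r"C:\WINDOWS\system32\WINdirect.exe"),
    ("HKCU", RUN_KEYS[1], "erthgdr", r"C:\WINDOWS\system32\windll.exe"),
]
SAMPLE_LISTING = {
    r"C:\WINDOWS\system32\WINdirect.exe": 14848,
    r"C:\WINDOWS\system32\_dll.exe": 11776,
    r"C:\WINDOWS\system32\windll.exe": 19460,
    r"C:\WINDOWS\system32\kernel32.dll": 989696,  # benign, size made up
}

if __name__ == "__main__":
    for line in check_run_entries(SAMPLE_ENTRIES) + check_files(SAMPLE_LISTING):
        print(line)
```

On a live Windows host, pass collect_run_entries() to check_run_entries() and a size listing of the system directory to check_files(). A size mismatch on a matching name is reported separately rather than ignored, because a re-packed build of the same dropper would keep the name but not the byte count.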
Means of transmission
Bagle.AM spreads via email and through peer-to-peer (P2P) file sharing programs.
1.- Transmission via email.
Bagle.AM follows the routine below:
- It reaches the computer in an email message with the following characteristics:
Sender:
Bagle.AM spoofs the email address from which it is sent, which may cause confusion about the message's true origin.
Subject: it is empty.
Message:
new price
Attachments: one of the following:
08_PRICE.ZIP
NEW__PRICE.ZIP
NEW_PRICE.ZIP
NEWPRICE.ZIP
PRICE.ZIP
PRICE_08.ZIP
PRICE_NEW.ZIP
PRICE2.ZIP
This attached file contains an HTML file and a hidden EXE file.
- The computer is affected when the user decompresses the attached file and runs the HTML file inside; the hidden executable file is then launched automatically.
- Bagle.AM searches for email addresses in files with any of the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
- Then, it sends itself out to the addresses it has gathered, using its own SMTP engine.
- However, it does not send itself to addresses that contain any of the following text strings:
@avp., @foo, @iana, @messagelab, @microsoft, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, feste, free-av, f-secur, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, news, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, update, winrar and winzip.
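The message traits above (empty subject, the body "new price", one of the listed ZIP names, and a ZIP holding an HTML file beside an executable) are enough for a mail-gateway rule. The script below is an added example, not code from the original description or from any vendor: the subject, body, attachment names and skipped-address strings are the page's values, the sample message and its ZIP are constructed in memory with dummy content, and the function names (score_message, inspect_zip, worm_would_skip, is_strong_match) are this example's own. worm_would_skip() encodes the address filter above, which matters for defenders because a sample-collection mailbox named abuse@, postmaster@ or samples@ will never receive this worm.

```python
"""Mail-side check for the Bagle.AM message traits listed above.

Added example, not from the original description: the trait values are
the page's; the sample message and ZIP are constructed here (dummy
content, not malware) so the check runs offline.
"""
import io
import zipfile

ATTACHMENT_NAMES = {
    "08_price.zip", "new__price.zip", "new_price.zip", "newprice.zip",
    "price.zip", "price_08.zip", "price_new.zip", "price2.zip",
}
BODY_TEXT = "new price"

# Substrings of recipient addresses the worm refuses to mail (page list).
SKIPPED_STRINGS = (
    "@avp.", "@foo", "@iana", "@messagelab", "@microsoft", "abuse", "admin",
    "anyone@", "bsd", "bugs@", "cafee", "certific", "contract@", "feste",
    "free-av", "f-secur", "gold-certs@", "google", "help@", "icrosoft",
    "info@", "kasp", "linux", "listserv", "local", "news", "nobody@",
    "noone@", "noreply", "ntivi", "panda", "pgp", "postmaster@", "rating@",
    "root@", "samples", "sopho", "spam", "support", "unix", "update",
    "winrar", "winzip",
)

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")


def worm_would_skip(address):
    """True when the worm's own filter would refuse to send to this address."""
    a = address.lower()
    return any(s in a for s in SKIPPED_STRINGS)


def inspect_zip(data):
    """Report what a ZIP attachment holds; HTML beside an executable is the
    layout the page describes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP"]
    traits = []
    if any(n.endswith((".htm", ".html")) for n in names):
        traits.append("zip contains HTML file")
    if any(n.endswith(EXECUTABLE_EXT) for n in names):
        traits.append("zip contains executable")
    return traits


def score_message(subject, body, attachments):
    """attachments: mapping of file name -> raw bytes. Returns matched traits."""
    traits = []
    if subject.strip() == "":
        traits.append("empty subject")
    if body.strip().lower() == BODY_TEXT:
        traits.append("body is 'new price'")
    for name, data in attachments.items():
        if name.lower() in ATTACHMENT_NAMES:
            traits.append(f"attachment name {name}")
        if name.lower().endswith(".zip"):
            traits.extend(inspect_zip(data))
    return traits


def is_strong_match(traits):
    """All message-level traits plus the HTML+executable ZIP layout. The
    attachment name is deliberately not required, since names vary."""
    needed = {"empty subject", "body is 'new price'",
              "zip contains HTML file", "zip contains executable"}
    return needed.issubset(traits)


def build_sample_zip():
    """Constructed attachment with the described layout (dummy content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.html", "<html><body>new price</body></html>")
        zf.writestr("price.exe", b"not a real executable")
    return buf.getvalue()


SAMPLE_MESSAGE = {
    "subject": "",
    "body": "new price",
    "attachments": {"NEW_PRICE.ZIP": build_sample_zip()},
}

if __name__ == "__main__":
    found = score_message(**SAMPLE_MESSAGE)
    print(found, "strong match" if is_strong_match(found) else "weak match")
```

The ZIP inspection uses only the member list, not the member content, so it is cheap enough to run on every ZIP attachment; a benign message with a PDF attachment produces no traits at all.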
2.- Transmission through P2P file sharing programs.
Bagle.AM follows the routine below:
- It creates copies of itself in the shared directories of these programs (KaZaA, KaZaA Lite, eDonkey2000, Gnucleus, Limewire, Morpheus, Grokster, etc.).
- The copies of Bagle.AM have the following enticing names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
- Other users of these programs can remotely access these shared directories and voluntarily download these files, believing them to be useful programs, movies, etc. What they actually download is a copy of the worm.
- When the downloaded file is run, such computers will be affected by Bagle.AM.
Further Details
The fake JPG file downloaded from the Internet is compressed with modified PeX.