
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Bagle.AM

 
Threat Level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

Bagle.AM carries out the following actions:

  • It opens a TCP port and listens on it, giving an attacker remote access to the affected computer in order to carry out actions that compromise the user's confidentiality or interfere with the tasks being performed.
  • It ends the following processes, if they are active in memory:
    ATUPDATER.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVPUPD.EXE, AVWUPD32.EXE, AVXQUAR.EXE, CFIAUDIT.EXE, DRWEBUPW.EXE, ESCANH95.EXE, ESCANHNT.EXE, FIREWALL.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, LUALL.EXE, MCUPDATE.EXE, NUPGRADE.EXE, OUTPOST.EXE, sys_xp.exe, sysxp.exe, UPDATE.EXE and winxp.exe.
    Most of these processes belong to antivirus and firewall update programs; ending them prevents those applications from updating their protection against new viruses. Some of the processes belong to other worms.
  • It attempts to download a fake JPG file from the following websites:
    http://134.102.228.45
    http://196.12.49.27
    http://213.188.129.72
    http://64.62.172.118
    http://abi-2004.org
    http://advm1.gm.fh-koeln.de
    http://alexey.pioneers.com.ru
    http://alfinternational.ru
    http://aus-Zeit.com
    http://binn.ru
    http://burn2k.ipupdater.com
    http://carabi.ru
    http://catalog.zelnet.ru
    http://cavalierland.5u.com
    http://celine.artics.ru
    http://change.east.ru
    http://colleen.ai.net
    http://controltechniques.ru
    http://dev.tikls.net
    http://diablo.homelinux.com
    http://dodgetheatre.com
    http://dozenten.f1.fhtw-berlin.de
    http://emnesty.w.interia.pl
    http://emnezz.e-mania.pl
    http://euroviolence.com
    http://evadia.ru
    http://fairy.dataforce.net
    http://financial.washingtonpost.com
    http://free.bestialityhost.com
    http://gutemine.wu-wien.ac.at
    http://herzog.cs.uni-magdeburg.de
    http://home.profootball.ru
    http://host.businessweek.com
    http://host.wallstreetcity.com
    http://host23.ipowerweb.com
    http://hsr.zhp.org.pl
    http://infokom.pl
    http://kafka.punkt.pl
    http://kooltokyo.ru
    http://kypexin.ru
    http://lars-s.privat.t-online.de
    http://lottery.h11.ru
    http://matzlinger.com
    http://megion.ru
    http://mmag.ru
    http://molinero-berlin.de
    http://momentum.ru
    http://niebo.net
    http://nominal.kaliningrad.ru
    http://omegat.ru
    http://ourcj.com
    http://packages.debian.or.jp
    http://pb195.slupsk.sdi.tpnet.pl
    http://photo.gornet.ru
    http://pixel.co.il
    http://pocono.ru
    http://polobeer.de
    http://porno-mania.net
    http://protek.ru
    http://przeglad-tygodnik.pl
    http://quotes.barchart.com
    http://r2626r.de
    http://rausis.latnet.lv
    http://relay.great.ru
    http://republika.pl
    http://sacred.ru
    http://sbuilder.ru
    http://sec.polbox.pl
    http://shadkhan.ru
    http://silesianet.pl
    http://slavarik.ru
    http://sovea.de
    http://spbbook.ru
    http://strony.wp.pl
    http://szm.sk
    http://tarkosale.net
    http://tdi-router.opola.pl
    http://terramail.pl
    http://thorpedo.us
    http://traveldeals.sidestep.com
    http://ultimate-best-hgh.0my.net
    http://vip.pnet.pl
    http://werel1.web-gratis.net
    http://www.5100.ru
    http://www.aannemers-nederland.nl
    http://www.abcdesign.ru
    http://www.airnav.com
    http://www.aktor.ru
    http://www.ankil.ru
    http://www.antykoncepcja.net
    http://www.aphel.de
    http://www.artics.ru
    http://www.astoria-stuttgart.de
    http://www.avant.ru
    http://www.baltmatours.com
    http://www.baltnet.ru
    http://www.biratnagarmun.org.np
    http://www.biysk.ru
    http://www.boglen.com
    http://www.bridesinrussia.com
    http://www.busheron.ru
    http://www.ccbootcamp.com
    http://www.chat4adult.com
    http://www.chelny.ru
    http://www.ciachoo.pl
    http://www.dami.com.pl
    http://www.ddosers.net
    http://www.dicto.ru
    http://www.dilver.ru
    http://www.dsmedia.ru
    http://www.dynex.ru
    http://www.elemental.ru
    http://www.elit-line.ru
    http://www.epski.gr
    http://www.forbes.com
    http://www.free-time.ru
    http://www.gamma.vyborg.ru
    http://www.gantke-net.com
    http://www.gin.ru
    http://www.glass-master.ru
    http://www.glavriba.ru
    http://www.gradinter.ru
    http://www.hack-gegen-rechts.com
    http://www.hbz-nrw.de
    http://www.hgr.de
    http://www.hgrstrailer.com
    http://www.ifa-guide.co.uk
    http://www.iluminati.kicks-ass.net
    http://www.infognt.com
    http://www.intellect.lvc
    http://www.interfoodtd.ru
    http://www.interrybflot.ru
    http://www.inversorlatino.com
    http://www.jewishgen.org
    http://www.k2kapital.com
    http://www.kefaloniaresorts.com
    http://www.lamatec.com
    http://www.landofcash.net
    http://www.laserbuild.ru
    http://www.math.kobe-u.ac.jp
    http://www.mcschnaeppchen.com
    http://www.mdmedia.org
    http://www.met.pl
    http://www.metacenter.ru
    http://www.milm.ru
    http://www.myrtoscorp.com
    http://www.nefkom.net
    http://www.neostrada.pl
    http://www.neprifan.ru
    http://www.netradar.com
    http://www.no-abi2003.de
    http://www.oldtownradio.com
    http://www.omnicom.ru
    http://www.oshweb.com
    http://www.pakwerk.ru
    http://www.perfectgirls.net
    http://www.perfectjewel.com
    http://www.peterstar.ru
    http://www.pgipearls.com
    http://www.phg.pl
    http://www.PlayGround.ru
    http://www.porsa.ru
    http://www.porta.de
    http://www.rafani.cz
    http://www.rastt.ru
    http://www.republika.pl
    http://www.rollenspielzirkel.de
    http://www.rubikon.pl
    http://www.rumbgeo.ru
    http://www.rweb.ru
    http://www.scli.ru
    http://www.sdsauto.ru
    http://www.sensi.com
    http://www.silesianet.pl
    http://www.sjgreatdeals.com
    http://www.sposob.ru
    http://www.strefa.pl
    http://www.tanzen-in-sh.de
    http://www.taom-clan.de
    http://www.tayles.com
    http://www.teatr-estrada.ru
    http://www.teleline.ru
    http://www.thepositivesideofsports.com
    http://www.timelessimages.com
    http://www.tuhart.net
    http://www.vconsole.net
    http://www.vendex.ru
    http://www.virtmemb.com
    http://www.vivamedia.ru
    http://www.vrack.net
    http://www.wapf.com
    http://www.webpark.pl
    http://www.webronet.com
    http://www.webzdarma.cz
    http://www.yarcity.ru
    http://www.youbuynow.com
    http://www.zeiss.ru
    http://www.zelnet.ru
    http://www.zhp.gdynia.pl
    http://wynnsjammer.proboards18.com
    http://yaguark.h10.ru

    This so-called JPG file is, in fact, an EXE file containing another component of the worm.
  • If the computer is infected by any variant of the Netsky worm, Bagle.AM prevents that worm from running when Windows starts.
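The downloader stage depends on one trick: the file fetched from the hosts above is requested under a JPG name but is a Windows executable. The Python below is an added example, not code from Panda or from the worm, showing the check a practitioner would run on such downloads: decide the file type from the DOS/PE headers rather than from the URL, and flag the mismatch. The URL paths, the minimal PE stub and the response bodies are constructed for the example; only the host names are taken from the list above.

```python
"""Added example (not from the Panda write-up): detect a download whose URL
claims to be a JPEG but whose body is a Windows PE executable, the disguise
Bagle.AM's downloader relies on. All inputs below are constructed samples."""
import struct
from urllib.parse import urlsplit

JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker every JPEG starts with
MZ_MAGIC = b"MZ"               # DOS header signature of a PE file


def is_pe_image(data: bytes) -> bool:
    """True if data carries a DOS 'MZ' header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(url: str, body: bytes) -> str:
    """Classify by content, not by name: 'jpeg', 'pe', 'pe-as-jpeg' or 'other'."""
    claims_jpeg = urlsplit(url).path.lower().endswith((".jpg", ".jpeg"))
    if is_pe_image(body):
        return "pe-as-jpeg" if claims_jpeg else "pe"
    if body.startswith(JPEG_MAGIC):
        return "jpeg"
    return "other"


def build_pe_stub() -> bytes:
    """Construct the smallest byte string is_pe_image() accepts (headers only, not a runnable program)."""
    dos_header = bytearray(0x40)
    dos_header[:2] = MZ_MAGIC
    struct.pack_into("<I", dos_header, 0x3C, 0x40)   # PE header immediately follows the DOS header
    return bytes(dos_header) + b"PE\x00\x00" + bytes(20)   # COFF file header placeholder


def suspicious_downloads(log: list[tuple[str, bytes]]) -> list[str]:
    """Return the URLs in (url, body) pairs whose body is a PE served under a JPEG name."""
    return [url for url, body in log if classify_download(url, body) == "pe-as-jpeg"]


# Constructed proxy-style records: the first host is from the list above, the
# paths and bodies are assumed for the example.
SAMPLE_LOG = [
    ("http://abi-2004.org/1.jpg", build_pe_stub()),
    ("http://example.invalid/logo.jpg", JPEG_MAGIC + b"\xe0" + bytes(16)),
    ("http://example.invalid/update.exe", build_pe_stub()),
]

if __name__ == "__main__":
    for url in suspicious_downloads(SAMPLE_LOG):
        print("executable disguised as JPEG:", url)
```

Packing the payload (the page notes a modified PeX) changes the sections, not the MZ and PE signatures, so the header check still fires on the packed file. A fuller gateway check would also verify that a response declared as image/jpeg actually parses as a JPEG instead of only testing the first bytes.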

Infection strategy 

The EXE file hidden in the ZIP file creates the following files in the Windows system directory:

  • WINDIRECT.EXE, a copy of the downloader, 14,848 bytes in size.
  • _DLL.EXE, a DLL (Dynamic Link Library) that ends processes and downloads another component of the worm, 11,776 bytes in size.

The EXE file downloaded from the websites creates the files WINDLL.EXE, WINDLL.EXEOPEN and WINDLL.EXEOPENOPEN in the Windows system directory. These files are copies of the worm, and are 19,460 bytes in size.

 

The EXE file hidden in the ZIP file creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    win_upd2.exe = %sysdir%\ WINdirect.exe

    where %sysdir% is the Windows system directory.

    If it cannot create this entry, it attempts to create the following:

    HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    win_upd2.exe = %sysdir%\ WINdirect.exe

    By creating these entries, Bagle.AM ensures that it is run whenever Windows is started.

The EXE file downloaded from the Internet creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Ru1n
    erthgdr = %sysdir%\ windll.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Ru1n
    erthgdr = %sysdir%\ windll.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ DownloadManager

Bagle.AM deletes, from the following Windows Registry keys:

HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run

any entries with one of the following names:

9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex

These entries belong to several variants of the worm Netsky.

Means of transmission 

Bagle.AM spreads via email and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via email.

Bagle.AM follows the routine below:

  • It reaches the computer in an email message with the following characteristics:

    Sender:
    Bagle.AM spoofs the address from which it is sent, so the apparent sender cannot be trusted to identify the infected computer.

    Subject: it is empty.

    Message:
    new price

    Attachments: one of the following:
    08_PRICE.ZIP
    NEW__PRICE.ZIP
    NEW_PRICE.ZIP
    NEWPRICE.ZIP
    PRICE.ZIP
    PRICE_08.ZIP
    PRICE_NEW.ZIP
    PRICE2.ZIP

    This attachment contains an HTML file and a hidden EXE file.
  • The computer is infected when the user decompresses the attachment and opens the HTML file inside; the HTML file then launches the hidden executable automatically.
  • Bagle.AM searches for email addresses in files with any of the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
  • Then, it sends itself out to the addresses it has gathered, using its own SMTP engine.
  • However, it does not send itself to addresses that contain any of the following text strings:
    @avp., @foo, @iana, @messagelab, @microsoft, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, feste, free-av, f-secur, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, news, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, update, winrar and winzip.
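The e-mail indicators above (empty subject, body "new price", a ZIP with one of the listed names that holds an HTML lure next to a hidden executable) can be checked at a mail gateway before the user ever sees the attachment. The Python below is an added example, not Panda's or the worm's code: it parses a raw message, inspects the ZIP in memory and reports which indicators matched. The messages and ZIPs are constructed inline, and the "hidden" executable is modelled as the MS-DOS hidden attribute bit in the ZIP entry, which is an assumption about how the worm marked the file.

```python
"""Added example (not from the Panda write-up): triage an inbound message
against the Bagle.AM e-mail indicators described above. The messages and
ZIPs are constructed here; the hidden attribute is modelled as the MS-DOS
hidden bit on the ZIP entry, which is an assumption."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ATTACHMENT_NAMES = {
    "08_PRICE.ZIP", "NEW__PRICE.ZIP", "NEW_PRICE.ZIP", "NEWPRICE.ZIP",
    "PRICE.ZIP", "PRICE_08.ZIP", "PRICE_NEW.ZIP", "PRICE2.ZIP",
}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")
DOS_HIDDEN = 0x02   # MS-DOS attribute bit kept in ZipInfo.external_attr


def inspect_zip(blob: bytes) -> dict[str, list[str]]:
    """List the HTML members, executable members and hidden executables inside a ZIP."""
    found = {"html": [], "exe": [], "hidden_exe": []}
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for zi in zf.infolist():
                name = zi.filename.lower()
                if name.endswith((".htm", ".html")):
                    found["html"].append(zi.filename)
                elif name.endswith(EXEC_SUFFIXES):
                    found["exe"].append(zi.filename)
                    if zi.external_attr & DOS_HIDDEN:
                        found["hidden_exe"].append(zi.filename)
    except zipfile.BadZipFile:
        pass   # not a ZIP at all: nothing to report from this check
    return found


def triage(raw: bytes) -> list[str]:
    """Return the indicators a raw RFC 822 message matches (empty list = nothing seen)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if not (msg["Subject"] or "").strip():
        hits.append("empty-subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() == "new price":
        hits.append("body-new-price")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.upper() in ATTACHMENT_NAMES:
            hits.append(f"attachment-name:{name}")
        found = inspect_zip(part.get_payload(decode=True) or b"")
        if found["html"] and found["exe"]:
            hits.append(f"zip-html-plus-exe:{name}")
        if found["hidden_exe"]:
            hits.append(f"zip-hidden-exe:{name}")
    return hits


def build_sample(attachment: str, members: dict[str, bytes],
                 subject: str = "", body: str = "new price") -> bytes:
    """Construct a test message carrying a ZIP; members ending in .exe get the hidden bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zi = zipfile.ZipInfo(member)
            if member.lower().endswith(".exe"):
                zi.external_attr |= DOS_HIDDEN
            zf.writestr(zi, data)
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.invalid"   # the worm forges this header
    msg["To"] = "victim@example.invalid"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment)
    return bytes(msg)


# Constructed samples: one message shaped like the lure, one ordinary business mail.
LURE = build_sample("PRICE.ZIP", {"price.html": b"<html>...</html>", "price.exe": b"MZ"})
CLEAN = build_sample("quote.zip", {"quote.pdf": b"%PDF-1.4"},
                     subject="Quarterly quote", body="Quote attached.")

if __name__ == "__main__":
    print("lure :", triage(LURE))
    print("clean:", triage(CLEAN))
```

The attachment names and the "new price" body are specific to this variant and change from one Bagle release to the next; the structural indicator (a ZIP carrying an HTML file beside a hidden executable) is the one worth keeping in a gateway rule after the name list has gone stale.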

 

2.- Transmission through P2P file sharing programs.

Bagle.AM follows the routine below:

  • It creates copies of itself in the shared directories of these programs (KaZaA, KaZaA Lite, eDonkey2000, Gnucleus, Limewire, Morpheus, Grokster, etc).
  • The copies of Bagle.AM have the following enticing names:
    ACDSee 9.exe
    Adobe Photoshop 9 full.exe
    Ahead Nero 7.exe
    Kaspersky Antivirus 5.0
    KAV 5.0
    Matrix 3 Revolution English Subtitles.exe
    Microsoft Office 2003 Crack, Working!.exe
    Microsoft Office XP working Crack, Keygen.exe
    Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Opera 8 New!.exe
    Porno pics arhive, xxx.exe
    Porno Screensaver.scr
    Porno, sex, oral, anal cool, awesome!!.exe
    Serials.txt.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    WinAmp 6 New!.exe
    Windown Longhorn Beta Leak.exe
    Windows Sourcecode update.doc.exe
    XXX hardcore images.exe
  • Other users of these programs can access these shared directories remotely and download the files voluntarily, believing them to be useful programs, movies, etc. What they actually download is a copy of the worm.
  • When the downloaded file is run, their computers are infected by Bagle.AM.

Further Details  

The fake JPG file downloaded from the Internet is packed with a modified version of PeX.
