
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Bagle.BC

 
Threat level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

Bagle.BC carries out the following actions:

  • It listens on TCP port 81, waiting for remote connections in order to carry out actions that compromise the user's confidentiality or impede normal work.
  • It ends the following processes, if they are active in memory:

    alogserv.exe, APVXDWIN.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, Avconsol.exe, AVENGINE.EXE, AVPUPD.EXE, Avsynmgr.exe, AVWUPD32.EXE, AVXQUAR.EXE, blackd.exe, ccApp.exe, ccEvtMgr.exe, ccProxy.exe, ccPxySvc.exe, CFIAUDIT.EXE, DefWatch.exe, DRWEBUPW.EXE, ESCANH95.EXE, ESCANHNT.EXE, FIREWALL.EXE, FrameworkService.exe, ICSSUPPNT.EXE, ICSUPP95.EXE, LUALL.EXE, LUCOMS~1.EXE, mcagent.exe, mcshield.exe, MCUPDATE.EXE, mcvsescn.exe, mcvsrte.exe, mcvsshld.exe, navapsvc.exe, navapw32.exe, NISUM.EXE, nopdb.exe, NPROTECT.EXE, NUPGRADE.EXE, OUTPOST.EXE, PavFires.exe, pavProxy.exe, pavsrv50.exe, Rtvscan.exe, RuLaunch.exe, SAVScan.exe, SHSTAT.EXE, SNDSrvc.exe, symlcsvc.exe, UPDATE.EXE, UpdaterUI.exe, Vshwin32.exe, VsStat.exe and VsTskMgr.exe.
    These processes belong to security tools, such as antivirus programs, among others; ending them leaves the affected computer vulnerable to attack by other malware.
  • It attempts to download a file called G.JPG from any of the following websites:

Infection strategy 

Bagle.BC creates the following files, which are copies of the worm, in the Windows system directory:

  • WINGO.EXE.
  • WINGO.EXEOPEN.
  • WINGO.EXEOPENOPEN.

Bagle.BC creates the following entry in the Windows Registry:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    wingo = %sysdir%\wingo.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Bagle.BC ensures that it is run whenever Windows is started.

Bagle.BC deletes from the Windows Registry entries belonging to other worms, especially those belonging to several variants of Netsky. It searches the following keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

for entries whose value names contain the text strings below:
9XHtProtect, Antivirus, EasyAV, FirewallSvr, HtProtect, ICQ Net, ICQNet, Jammer2nd, KasperskyAVEng, MsInfo, My AV, NetDy, Norton Antivirus AV, PandaAVEngine, service, SkynetsRevenge, Special Firewall Service, SysMonXP, Tiny AV, Zone Labs Client Ex.

By doing so, Bagle.BC ensures that these worms are not executed whenever Windows is started.
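As an added example (not code from the Panda entry), the following Python parses a constructed .reg export of the two Run keys named above and flags the wingo persistence value as well as any value named like the Netsky entries the worm removes; the file paths in the sample export are made up for the test.

```python
import re

# Keys and value names taken from the encyclopedia entry above.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
NETSKY_VALUES = {
    "9XHtProtect", "Antivirus", "EasyAV", "FirewallSvr", "HtProtect", "ICQ Net", "ICQNet",
    "Jammer2nd", "KasperskyAVEng", "MsInfo", "My AV", "NetDy", "Norton Antivirus AV", "PandaAVEngine",
    "service", "SkynetsRevenge", "Special Firewall Service", "SysMonXP", "Tiny AV", "Zone Labs Client Ex",
}
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def parse_reg_export(text):
    """Map each [key] to its "name"="data" string values (hex/dword values are skipped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:  # .reg exports double every backslash; undo that here
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_run_indicators(text):
    """List (kind, key, name, data) for the wingo entry and Netsky-style value names."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key not in RUN_KEYS:
            continue
        for name, data in values.items():
            if name.lower() == "wingo" or data.lower().endswith("\\wingo.exe"):
                findings.append(("bagle_bc_persistence", key, name, data))
            elif name in NETSKY_VALUES:  # generic names such as "service" need manual triage
                findings.append(("netsky_style_value", key, name, data))
    return findings

# Constructed sample export; the paths below are made up for the test.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wingo"="C:\\WINDOWS\\system32\\wingo.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkynetsRevenge"="C:\\WINDOWS\\netsky-sample.exe"
"""
```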

Means of transmission 

Bagle.BC spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

Bagle.BC follows the routine below:

  • It reaches the computer in a message with variable characteristics:

    Sender:
    Bagle.BC spoofs the e-mail address from which it is sent, which may cause confusion about the message's real origin.

    Subject: one of the following:
    Re:
    Re:Hello
    Re:Hi
    Re:Thank you!
    Re:Thanks:)


    Message: any of the following:
    :)
    :))


    Attachments: the name and extension vary:
    Possible names: JOKE, PRICE.
    Possible extensions: COM, CPL, EXE, SCR.
  • The computer will be affected once the attached file is run.
  • Bagle.BC searches for e-mail addresses in files with the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
  • Bagle.BC sends itself out to all the addresses it has gathered, using its own SMTP engine.
  • However, Bagle.BC will not spread to those addresses containing any of the following text strings:
    @avp., @foo, @hotmail, @iana, @messagelab, @microsoft, @msn, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, feste, free-av, f-secur, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, news, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, update, winrar, winzip.
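As an added example (not code from the Panda entry), the following Python applies the message traits listed above as a mail-gateway check: it flags a raw RFC 822 message only when subject, body and attachment name all match the worm's pattern. The sample messages are constructed inline with fake addresses.

```python
import email
from email import policy
from email.message import EmailMessage

# Traits taken from the encyclopedia entry above.
BAGLE_BC_SUBJECTS = {"Re:", "Re:Hello", "Re:Hi", "Re:Thank you!", "Re:Thanks:)"}
BAGLE_BC_BODIES = {":)", ":))"}
BAGLE_BC_NAMES = {"joke", "price"}
BAGLE_BC_EXTS = {"com", "cpl", "exe", "scr"}

def attachment_matches(filename):
    """True when the name is JOKE or PRICE with a COM/CPL/EXE/SCR extension."""
    if not filename or "." not in filename:
        return False
    stem, ext = filename.rsplit(".", 1)
    return stem.lower() in BAGLE_BC_NAMES and ext.lower() in BAGLE_BC_EXTS

def looks_like_bagle_bc(raw):
    """Return True only when subject, body and an attachment all match the pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg["Subject"] or "").strip() not in BAGLE_BC_SUBJECTS:
        return False
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body not in BAGLE_BC_BODIES:
        return False
    return any(attachment_matches(p.get_filename()) for p in msg.iter_attachments())

def build_sample(subject, body, attachment_name):
    """Construct a test message (constructed here; the addresses are fake)."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```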

 

2.- Transmission through file sharing programs.

Bagle.BC carries out the following routine:

  • It creates copies of itself in directories with a name that contains the text string shar. By doing so, it attempts to copy itself to the shared directories of P2P file sharing programs. It uses the following file names:
    ACDSee 9.exe
    Adobe Photoshop 9 full.exe
    Ahead Nero 7.exe
    Kaspersky Antivirus 5.0
    KAV 5.0
    Matrix 3 Revolution English Subtitles.exe
    Microsoft Office 2003 Crack, Working!.exe
    Microsoft Office XP working Crack, Keygen.exe
    Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Opera 8 New!.exe
    Porno pics arhive, xxx.exe
    Porno Screensaver.scr
    Porno, sex, oral, anal cool, awesome!!.exe
    Serials.txt.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    WinAmp 6 New!.exe
    Windown Longhorn Beta Leak.exe
    Windows Sourcecode update.doc.exe
    XXX hardcore images.exe

  • Other users of these programs can access the shared directories and download the files to their computers, thinking that they are useful programs, movies, pictures, etc. However, what they actually download is a copy of the worm.
  • When the downloaded file is run, these computers will be affected by Bagle.BC.

Further Details  

Bagle.BC is between 18 and 22 Kbytes in size, and it is compressed with PeX.

In addition, Bagle.BC creates a mutex in order to prevent two copies of the worm from running at the same time. The names it uses are those of Netsky's own mutexes, so creating any of them also prevents variants of Netsky from being executed:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

'D',r',o',p',p',e',d',S'k',y',N',e',t'

_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_

[SkyNet.cz]SystemsMutex

AdmSkynetJklS003

____--->>>>U<<<<--____

_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_