
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Bagle.BK

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

The expiration date of Bagle.BK is April 25, 2006. After this date, the worm stops running as soon as it is launched. Until then, it carries out the following actions, on Windows XP/2000/NT computers only:

  • It ends the following processes, if they are active in memory:

    alogserv.exe, APVXDWIN.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, Avconsol.exe, AVENGINE.EXE, AVPUPD.EXE, Avsynmgr.exe, AVWUPD32.EXE, AVXQUAR.EXE, bawindo.exe, blackd.exe, ccApp.exe, ccEvtMgr.exe, ccProxy.exe, ccPxySvc.exe, CFIAUDIT.EXE, DefWatch.exe, DRWEBUPW.EXE, ESCANH95.EXE, ESCANHNT.EXE, FIREWALL.EXE, FrameworkService.exe, ICSSUPPNT.EXE, ICSUPP95.EXE, LUALL.EXE, LUCOMS~1.EXE, mcagent.exe, mcshield.exe, MCUPDATE.EXE, mcvsescn.exe, mcvsrte.exe, mcvsshld.exe, navapsvc.exe, navapw32.exe, NISUM.EXE, nopdb.exe, NPROTECT.EXE, NUPGRADE.EXE, OUTPOST.EXE, PavFires.exe, pavProxy.exe, pavsrv50.exe, Rtvscan.exe, RuLaunch.exe, SAVScan.exe, SHSTAT.EXE, SNDSrvc.exe, symlcsvc.exe, UPDATE.EXE, UpdaterUI.exe, Vshwin32.exe, VsStat.exe and VsTskMgr.exe.

    Some of these processes belong to security tools, including several antivirus programs and firewalls; ending them leaves the affected computer exposed to attack by other malware.
    Other processes in the list belong to other malware.
  • It connects to several web pages in order to download an executable disguised as a JPG image, which it saves in the Windows system directory as RE_FILE.EXE:

    http://www.pyrlandia-boogie.pl/<blocked>.jpg
    http://www.kps4parents.com/<blocked>.jpg
    http://www.pipni.cz/<blocked>.jpg
    http://www.selu.edu/<blocked>.jpg
    http://www.travelchronic.de/<blocked>.jpg
    http://www.fleigutaetscher.ch/<blocked>.jpg
    http://www.irakli.org/<blocked>.jpg
    http://www.oboe-online.com/<blocked>.jpg
    http://www.oboe-online.com/<blocked>.jpg
    http://www.pe-sh.com/<blocked>.jpg
    http://www.idb-group.net/<blocked>.jpg
    http://www.ceskyhosting.cz/<blocked>.jpg
    http://www.ceskyhosting.cz/<blocked>.jpg
    http://www.hartacorporation.com/<blocked>.jpg
    http://www.glass.la/<blocked>.jpg
    http://www.glass.la/<blocked>.jpg
    http://www.24-7-transportation.com/<blocked>.jpg
    http://www.fepese.ufsc.br/<blocked>.jpg
    http://www.ellarouge.com.au/<blocked>.jpg
    http://www.bbsh.org/<blocked>.jpg
    http://www.boneheadmusic.com/<blocked>.jpg
    http://www.sljinc.com/<blocked>.jpg
    http://www.tivogoddess.com/<blocked>.jpg
    http://www.fcpages.com/<blocked>.jpg
    http://www.szantomierz.art.pl/<blocked>.jpg
    http://www.elenalazar.com/<blocked>.jpg
    http://www.generationnow.net/<blocked>.jpg
    http://www.flashcorp.com/<blocked>.jpg
    http://www.kencorbett.com/<blocked>.jpg
    http://www.FritoPie.NET/<blocked>.jpg
    http://www.leonhendrix.com/<blocked>.jpg
    http://www.transportation.gov.bh/<blocked>.jpg
    http://www.transportation.gov.bh/<blocked>.jpg
    http://www.jhaforpresident.7p.com/<blocked>.jpg
    http://www.DarrkSydebaby.com/<blocked>.jpg
    http://www.cntv.info/<blocked>.jpg
    http://www.sugardas.lt/<blocked>.jpg
    http://www.adhdtests.com/<blocked>.jpg
    http://www.argontech.net/<blocked>.jpg
    http://www.customloyal.com/<blocked>.jpg
    http://www.ohiolimo.com/<blocked>.jpg
    http://www.topko.sk/<blocked>.jpg
    http://www.ssmifc.ca/<blocked>.jpg
    http://www.reliance-yachts.com/<blocked>.jpg
    http://www.worest.com.ar/<blocked>.jpg
    http://www.kps4parents.com/<blocked>.jpg
    http://www.coolfreepages.com/<blocked>.jpg
    http://www.scanex-medical.fi/<blocked>.jpg
    http://www.jimvann.com/<blocked>.jpg
    http://www.orari.net/<blocked>.jpg
    http://www.himpsi.org/<blocked>.jpg
    http://www.mtfdesign.com/<blocked>.jpg
    http://www.jldr.ca/<blocked>.jpg
    http://www.relocationflorida.com/<blocked>.jpg
    http://www.rentalstation.com/<blocked>.jpg
    http://www.approved1stmortgage.com/<blocked>.jpg
    http://www.velezcourtesymanagement.com/<blocked>.jpg
    http://www.sunassetholdings.com/<blocked>.jpg
    http://www.compsolutionstore.com/<blocked>.jpg
    http://www.uhcc.com/<blocked>.jpg
    http://www.justrepublicans.com/<blocked>.jpg
    http://www.pfadfinder-leobersdorf.com/<blocked>.jpg
    http://www.featech.com/<blocked>.jpg
    http://www.vinirforge.com/<blocked>.jpg
    http://www.magicbottle.com.tw/<blocked>.jpg
    http://www.giantrevenue.com/<blocked>.jpg
    http://www.couponcapital.net/<blocked>.jpg
    http://www.crystalrose.ca/<blocked>.jpg
    http://www.bottombouncer.com/<blocked>.jpg
    http://www.anthonyflanagan.com/<blocked>.jpg
    http://www.bradster.com/<blocked>.jpg
    http://www.traverse.com/<blocked>.jpg
    http://www.ims-i.com/<blocked>.jpg
    http://www.realgps.com/<blocked>.jpg
    http://www.aviation-center.de/<blocked>.jpg
    http://www.gci-bln.de/<blocked>.jpg
    http://www.pankration.com/<blocked>.jpg
    http://www.jansenboiler.com/<blocked>.jpg
    http://www.corpsite.com/<blocked>.jpg
    http://www.everett.wednet.edu/<blocked>.jpg
    http://www.onepositiveplace.org/<blocked>.jpg
    http://www.raecoinc.com/<blocked>.jpg
    http://www.wwwebad.com/<blocked>.jpg
    http://www.corpsite.com/<blocked>.jpg
    http://www.wwwebmaster.com/<blocked>.jpg
    http://www.wwwebad.com/<blocked>.jpg
    http://www.dragcar.com/<blocked>.jpg
    http://www.wwwebad.com/<blocked>.jpg
    http://www.oohlala-kirkland.com/<blocked>.jpg
    http://www.calderwoodinn.com/<blocked>.jpg
    http://www.buddyboymusic.com/<blocked>.jpg
    http://www.smacgreetings.com/<blocked>.jpg
    http://www.tkd2xcell.com/<blocked>.jpg
    http://www.curtmarsh.com/<blocked>.jpg
    http://www.dontbeaweekendparent.com/<blocked>.jpg
    http://www.soloconsulting.com/<blocked>.jpg
    http://www.lasermach.com/<blocked>.jpg
    http://www.alupass.lu/<blocked>.jpg
    http://www.sigi.lu/<blocked>.jpg
    http://www.redlightpictures.com/<blocked>.jpg
    http://www.irinaswelt.de/<blocked>.jpg
    http://www.bueroservice-it.de/<blocked>.jpg
    http://www.kranenberg.de/<blocked>.jpg
    http://www.kranenberg.de/<blocked>.jpg
    http://www.the-fabulous-lions.de/<blocked>.jpg
    http://www.the-fabulous-lions.de/<blocked>.jpg
    http://www.mongolische-renner.de/<blocked>.jpg
    http://www.mongolische-renner.de/<blocked>.jpg
    http://www.capri-frames.de/<blocked>.jpg
    http://www.capri-frames.de/<blocked>.jpg
    http://www.aimcenter.net/<blocked>.jpg
    http://www.boneheadmusic.com/<blocked>.jpg
    http://www.fludir.is/<blocked>.jpg
    http://www.sljinc.com/<blocked>.jpg
    http://www.tivogoddess.com/<blocked>.jpg
    http://www.fcpages.com/<blocked>.jpg
    http://www.andara.com/<blocked>.jpg
    http://www.freeservers.com/<blocked>.jpg
    http://www.programmierung2000.de/<blocked>.jpg
    http://www.asianfestival.nl/<blocked>.jpg
    http://www.aviation-center.de/<blocked>.jpg
    http://www.gci-bln.de/<blocked>.jpg
    http://www.mass-i.kiev.ua/<blocked>.jpg
    http://www.jasnet.pl/<blocked>.jpg
    http://www.atlantisteste.hpg.com.br/<blocked>.jpg
    http://www.fludir.is/<blocked>.jpg
    http://www.rieraquadros.com.br/<blocked>.jpg
    http://www.metal.pl/<blocked>.jpg
    http://www.handsforhealth.com/<blocked>.jpg
    http://www.angelartsanctuary.com/<blocked>.jpg
    http://www.firstnightoceancounty.org/<blocked>.jpg
    http://www.chinasenfa.com/<blocked>.jpg
    http://www.chinasenfa.com/<blocked>.jpg
    http://www.ulpiano.org/<blocked>.jpg
    http://www.gamp.pl/<blocked>.jpg
    http://www.vikingpc.pl/<blocked>.jpg
    http://www.woundedshepherds.com/<blocked>.jpg
    http://www.cpc.adv.br/<blocked>.jpg
    http://www.velocityprint.com/<blocked>.jpg
    http://www.esperanzaparalafamilia.com/<blocked>.jpg
    http://www.celula.com.mx/<blocked>.jpg
    http://www.mexis.com/<blocked>.jpg
    http://www.wecompete.com/<blocked>.jpg
    http://www.vbw.info/<blocked>.jpg
    http://www.gfn.org/<blocked>.jpg
    http://www.aegee.org/<blocked>.jpg
    http://www.deadrobot.com/<blocked>.jpg
    http://www.cscliberec.cz/<blocked>.jpg
    http://www.ecofotos.com.br/<blocked>.jpg
    http://www.amanit.ru/<blocked>.jpg
    http://www.bga-gsm.ru/<blocked>.jpg
    http://www.innnewport.com/<blocked>.jpg
    http://www.knicks.nl/<blocked>.jpg
    http://www.srg-neuburg.de/<blocked>.jpg
    http://www.mepmh.de/<blocked>.jpg
    http://www.mepbisu.de/<blocked>.jpg
    http://www.kradtraining.de/<blocked>.jpg
    http://www.polizeimotorrad.de/<blocked>.jpg
    http://www.sea.bz.it/<blocked>.jpg
    http://www.uslungiarue.it/<blocked>.jpg
    http://www.gcnet.ru/<blocked>.jpg
    http://www.aimcenter.net/<blocked>.jpg
    http://www.vandermost.de/<blocked>.jpg
    http://www.vandermost.de/<blocked>.jpg
    http://www.szantomierz.art.pl/<blocked>.jpg
    http://www.immonaut.sk/<blocked>.jpg
    http://www.eurostavba.sk/<blocked>.jpg
    http://www.spadochron.pl/<blocked>.jpg

Infection strategy 

Bagle.BK creates the following files in the Windows system directory:

  • SYSFORMAT.EXE. This file is a copy of the worm.
  • SYSFORMAT.EXEOPEN and SYSFORMAT.EXEOPENOPEN.

Bagle.BK creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sysformat = %sysdir%\sysformat.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Bagle.BK ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Params
    TimeKey

    Bagle.BK uses this entry as an infection mark, in order to check whether it has already affected the computer.

Bagle.BK deletes the following entries from the Windows Registry, if they exist:

  • Under both of the following keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    it deletes the values with any of the following names:
    My AV
    ICQ Net

    By doing so, Bagle.BK prevents several variants of the Netsky worm from being run automatically whenever Windows is started.

Means of transmission 

Bagle.BK spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

Bagle.BK follows the routine below:

  • It reaches the computer in a message with variable characteristics:

    Sender:
    Bagle.BK spoofs the address from which the message appears to be sent, so the apparent sender is not the infected computer and cannot be trusted.

    Subject: one of the following:
    Delivery service mail
    Delivery by mail
    Registration is accepted
    Is delivered mail
    You are made active

    Message: any of the following:
    Thanks for use of our software.
    Before use read the help
  • Attachment: its name and extension vary:
    Possible names: WSD01, VIUPD2, SIUPD02, GUUPD02, ZUPD02, UPD02, JOL03.
    Possible extensions: EXE, SCR, COM and CPL.
    The icon of the attachment is randomly chosen from the ones found in the computer that sends the message.
  • The computer is affected when the attached file is run.
  • Bagle.BK searches for e-mail addresses in files with the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
  • Bagle.BK sends itself out to all the addresses it has gathered, using its own SMTP engine.
  • However, Bagle.BK will not spread to those addresses containing any of the following text strings:
    @avp., @foo, @iana, @messagelab, @microsoft, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, feste, free-av, f-secur, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, news, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, update, winrar, winzip.
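A mail-gateway check built from the indicators listed above, as an added example that is not part of the Panda Security entry. It parses RFC 822 messages with Python's standard email package, matches the documented subjects, message texts and attachment names and extensions, and deliberately ignores the sender because the worm spoofs it. The two sample messages are constructed here for illustration, and the quarantine rule (a documented attachment name plus at least one lure text) is an assumption about how to combine the indicators, not something the entry states.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Indicators documented in the entry above.
SUBJECTS = {
    "delivery service mail",
    "delivery by mail",
    "registration is accepted",
    "is delivered mail",
    "you are made active",
}
BODIES = {
    "thanks for use of our software.",
    "before use read the help",
}
ATTACHMENT_NAMES = {"wsd01", "viupd2", "siupd02", "guupd02", "zupd02", "upd02", "jol03"}
ATTACHMENT_EXTS = {".exe", ".scr", ".com", ".cpl"}


def bagle_bk_indicators(raw: bytes) -> List[str]:
    """Return the Bagle.BK indicators matched by one RFC 822 message.

    The From header is deliberately ignored: the worm spoofs it, so it
    carries no reliable signal. An empty list means nothing matched.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if text in BODIES:
        hits.append("body:" + text)

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        base, ext = os.path.splitext(name)
        if base.lower() in ATTACHMENT_NAMES and ext.lower() in ATTACHMENT_EXTS:
            hits.append("attachment:" + name)
    return hits


def is_bagle_bk_candidate(raw: bytes) -> bool:
    """Quarantine rule (assumed policy, not from the entry): a documented
    attachment name plus at least one of the documented subject or body texts."""
    hits = bagle_bk_indicators(raw)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    has_lure = any(h.startswith(("subject:", "body:")) for h in hits)
    return has_attachment and has_lure


def build_sample(subject: str, body: str, attachment: Optional[str]) -> bytes:
    """Build a constructed test message; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # spoofed in the wild, so the rule ignores it
    msg["To"] = "victim@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return bytes(msg)


# Constructed samples: one shaped like the worm's mail, one legitimate-looking
# message that happens to reuse a documented subject line.
WORM_SAMPLE = build_sample("Delivery by mail", "Before use read the help", "GUUPD02.scr")
BENIGN_SAMPLE = build_sample("Delivery by mail", "Your parcel tracking number is 123.", "invoice.pdf")

if __name__ == "__main__":
    print(bagle_bk_indicators(WORM_SAMPLE))
    print(is_bagle_bk_candidate(WORM_SAMPLE), is_bagle_bk_candidate(BENIGN_SAMPLE))
```

Requiring the attachment indicator keeps a subject-only match (as in the benign sample) from being quarantined, since the subject lines are short enough to occur in ordinary mail.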


2.- Transmission through file sharing programs.

Bagle.BK carries out the following routine:

  • It creates copies of itself in all the directories containing the text string shar in their name. By doing so, Bagle.BK attempts to copy itself to the shared directories of P2P programs.
  • These copies have the following file names:
    1.exe
    2.exe
    3.exe
    4.exe
    5.scr
    6.exe
    7.exe
    8.exe
    9.exe
    10.exe
    ACDSee 9.exe
    Adobe Photoshop 9 full.exe
    Ahead Nero 7.exe
    Matrix 3 Revolution English Subtitles.exe
    Opera 8 New!.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    WinAmp 6 New!.exe
    Windown Longhorn Beta Leak.exe
    XXX hardcore images.exe
  • Other users of these programs can access the shared directories and download the files to their computers, thinking that they are useful programs, movies, pictures, etc. What they actually download is a copy of the worm.
  • When the downloaded file is run, these computers will be affected by Bagle.BK.

Further Details  

Bagle.BK is 19,668 bytes in size and is compressed with PeX.

Bagle.BK creates the following mutexes, in order to prevent two copies of itself from running at the same time:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The names of these mutexes have been chosen so that Bagle.BK also prevents several variants of Netsky from being run.
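A host check for the artefacts described under Infection strategy, the file-sharing part of Means of transmission, and Further Details above, as an added example that is not part of the Panda Security entry. It looks for the dropped files in the Windows system directory, for the lure file names inside any directory whose name contains shar, and, on Windows only, for the sysformat Run value, the TimeKey infection mark and the two mutex names. The directory tree it scans is constructed in a temporary folder for illustration; the case-insensitive match on shar and the choice to look only at the top level of the system directory are assumptions.

```python
import ctypes
import os
import sys
import tempfile
from typing import Dict, List

# Dropped components (Windows system directory) and P2P lure names from the entry.
DROPPED_FILES = {"sysformat.exe", "sysformat.exeopen", "sysformat.exeopenopen", "re_file.exe"}
P2P_LURES = {
    "1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe", "9.exe", "10.exe",
    "acdsee 9.exe", "adobe photoshop 9 full.exe", "ahead nero 7.exe",
    "matrix 3 revolution english subtitles.exe", "opera 8 new!.exe",
    "winamp 5 pro keygen crack update.exe", "winamp 6 new!.exe",
    "windown longhorn beta leak.exe", "xxx hardcore images.exe",
}
MUTEXES = ["MuXxXxTENYKSDesignedAsTheFollowerOfSkynet", "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"]
REGISTRY_CHECKS = [  # (HKCU subkey, value name)
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "sysformat"),
    (r"Software\Microsoft\Params", "TimeKey"),
]


def scan_system_dir(sysdir: str) -> List[str]:
    """Dropped worm components present at the top level of the system directory."""
    try:
        names = os.listdir(sysdir)
    except OSError:
        return []
    return sorted(os.path.join(sysdir, n) for n in names if n.lower() in DROPPED_FILES)


def scan_share_dirs(root: str) -> List[str]:
    """Lure-named files inside directories whose name contains 'shar'
    (assumed case-insensitive; the entry does not say)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in P2P_LURES)
    return sorted(hits)


def scan_registry_and_mutexes() -> Dict[str, str]:
    """Persistence value, infection mark and mutexes; empty off Windows."""
    found: Dict[str, str] = {}
    if sys.platform != "win32":
        return found
    import winreg
    for subkey, value in REGISTRY_CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                data, _ = winreg.QueryValueEx(key, value)
            found["HKCU\\" + subkey + "\\" + value] = str(data)
        except OSError:
            pass
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    for name in MUTEXES:
        handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
        if handle:  # the mutex exists, so a worm instance is (or was) running
            kernel32.CloseHandle(handle)
            found["mutex:" + name] = "present"
    return found


def scan_host(sysdir: str, root: str) -> Dict[str, object]:
    return {
        "dropped": scan_system_dir(sysdir),
        "p2p": scan_share_dirs(root),
        "registry": scan_registry_and_mutexes(),
    }


def build_constructed_tree() -> tuple:
    """Create a constructed sample tree in a temp dir; returns (sysdir, root)."""
    root = tempfile.mkdtemp(prefix="bagle_bk_demo_")
    sysdir = os.path.join(root, "WINDOWS", "system32")
    share = os.path.join(root, "Program Files", "Kazaa", "My Shared Folder")
    docs = os.path.join(root, "Documents")
    for d in (sysdir, share, docs):
        os.makedirs(d)
    for path in (
        os.path.join(sysdir, "SYSFORMAT.EXE"),    # worm copy
        os.path.join(sysdir, "notepad.exe"),      # benign
        os.path.join(share, "Opera 8 New!.exe"),  # lure inside a 'shar' directory
        os.path.join(share, "readme.txt"),        # benign
        os.path.join(docs, "1.exe"),              # lure name, but not a 'shar' directory
    ):
        open(path, "wb").close()
    return sysdir, root


if __name__ == "__main__":
    sysdir, root = build_constructed_tree()
    for kind, hits in scan_host(sysdir, root).items():
        print(kind, hits)
```

On a real host, pass the actual system directory (for example %SystemRoot%\system32) and a drive root; the registry and mutex checks only run on Windows, where the mutex lookup uses OpenMutexW so it never creates the name itself.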
