Sometimes malware variants are quite selfish. Not long ago we came across a variant that downloaded a virus scanner to gain full control of the PC's resources. Today we are going to talk about cooperation, and how different variants can be combined.

As we have mentioned before, malware is becoming more and more complex and keeps trying new ways of infection. 2007 is going to be the year of rootkits, so we must get ready for them.

It all begins with a rootkit, which is used to hide a Mitglieder variant: it hides the Mitglieder process and the folder where it is installed. Then, behind the curtains, it installs a Bagle worm and activates it. The registry is modified so that the Bagle runs each time Windows is launched.

The Bagle creates the following registry entries, though of course these values may change over time:
HKEY_CURRENT_USER\Software\DateTime4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "german.exe"

We can find a copy of the Bagle here: C:\WINDOWS\System32\Wintems.exe

The Bagle is encrypted, but if we take a look inside we can find this information. It tries to connect to a large number of URLs, but we have found that it prefers the ".ru" and ".de" top-level domains.

Here is a small sample of them:
http://xxxxxxxxx.ru/prog/img/proizvod/news.php
http://xxxxxxxxx.ru/p/lang/CVS/news.php
http://www.xxxxxxxxx.de/_themes/kopie-von-fantasie-in-blau/news.php
http://www.xxxxxxx.de/karten/news.php
http://www.xxxxxxxxxx.net/mysql_admin_new/images/news.php
http://xxxxxxxxxxxx.com/images/news.php
http://xxxxxxxxxx.biz/images/news.php
http://xxxxxxxxxxx.cz/html/fanklub/news.php
http://xxxxxxxxx.cz/distro/blst.php

If the connection is successful it creates a file C:\WINDOWS\system32\ban_list.txt and places there a list of IP addresses: these are the mail servers' IPs which the Bagle uses to spread. Each connection adds new IPs to the file. Here is a sample; of course we are not going to publish the whole list…

[Image attachment: sample of ban_list.txt]
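As an added example (not code from the original post), here is a small Python triage script that turns the two behaviours described above into detection checks: it scores proxy log entries by the news.php/blst.php download pattern and the .ru/.de preference, parses a captured ban_list.txt into IP addresses, and flags outbound SMTP connections to those addresses. The log line formats, hostnames and addresses are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Patterns from the post: downloads from news.php / blst.php, mostly on .ru and .de hosts.
DROP_PATHS = ("/news.php", "/blst.php")
PREFERRED_TLDS = (".ru", ".de")

def fetch_score(url):
    """0 = no match, 1 = news.php/blst.php path, 2 = that path on a .ru/.de host."""
    p = urlparse(url)
    if not p.path.lower().endswith(DROP_PATHS):
        return 0
    return 2 if (p.hostname or "").lower().endswith(PREFERRED_TLDS) else 1

def scan_proxy_log(lines):
    """Lines are '<time> <client> <url>' (constructed format); return (client, url, score)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and fetch_score(parts[2]):
            hits.append((parts[1], parts[2], fetch_score(parts[2])))
    return hits

def parse_ban_list(text):
    """Turn the contents of ban_list.txt into a set of valid IPv4 addresses."""
    ips = set()
    for tok in re.split(r"[\s,;]+", text):
        try:
            ips.add(str(ipaddress.IPv4Address(tok)))
        except ipaddress.AddressValueError:
            pass  # blank line or junk token, skip it
    return ips

def smtp_hits(firewall_lines, ban_ips):
    """Flag outbound TCP/25 connections whose destination is listed in ban_list.txt."""
    out = []
    for line in firewall_lines:
        m = re.search(r"src=(\S+) dst=(\S+) dport=(\d+)", line)
        if m and m.group(3) == "25" and m.group(2) in ban_ips:
            out.append((m.group(1), m.group(2)))
    return out

# Constructed sample data; hosts and addresses are documentation ranges, not real indicators.
PROXY_LOG = ["10:01:02 10.0.0.5 http://example.ru/prog/img/news.php",
             "10:01:03 10.0.0.5 http://example.com/index.html",
             "10:01:04 10.0.0.7 http://example.net/images/news.php"]
BAN_LIST = "192.0.2.10\n192.0.2.11\nnot-an-ip\n"
FW_LOG = ["src=10.0.0.5 dst=192.0.2.10 dport=25", "src=10.0.0.5 dst=198.51.100.1 dport=443"]
```

The path-based score is only a heuristic (plenty of legitimate sites serve a news.php), so treat a score of 1 as a lead to correlate with the ban_list.txt and SMTP checks rather than an alert on its own.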