Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
Malware Description Search

 

  Home / Viruses / Virus Encyclopedia / Malware Descriptions / Network Worms / Email Worms

Email-Worm.Win32.Bagle.at

Other versions: .a, .aa, .ah, .ai, .al, .an, .ao, .as, .au, .ax, .ay, .b, .bb, .bj, .bn, .bo, .c, .cc, .ch, .cl, .cy, .d, .da, .dx, .e, .eb, .ef, .eg, .ek, .f, .fb, .fj, .fm, .fy, .gm, .gt, .i, .j, .k, .l, .m, .n, .p, .q, .r, .s, .t, .y, .z

Aliases
Email-Worm.Win32.Bagle.at (Kaspersky Lab) is also known as: I-Worm.Bagle.at (Kaspersky Lab), W32/Bagle.bd@MM (McAfee),   W32.Beagle@mm!cpl (Symantec),   Win32.HLLM.Beagle.18848 (Doctor Web),   W32/Bagle-AU (Sophos),   Win32/Bagle.BD@mm (RAV),   WORM_BAGLE.AU (Trend Micro),   Worm/Bagle.AT (H+BEDV),   W32/Bagle.AQ@mm (FRISK),   Win32:Beagle-AS (ALWIL),   I-Worm/Bagle.AZ (Grisoft),   Win32.Bagle.AY@mm (SOFTWIN),   Worm.Bagle.AU (ClamAV),   W32/Bagle.BK.worm (Panda),   Win32/Bagle.AU (Eset)
Detection added Oct 29 2004
Description added Oct 29 2004
CME-ID CME-473
Behavior Email Worm

Technical details

Bagle.at is a worm that spreads as an attachment to an infected email. The worm harvests addresses from the local address book and installs a proxy server.

Bagle.at spreads either as Windows PE EXE file or a Windows Control Panel Applet (CPL) file, both about 20 KB in size. The worm is packed with PeX; the unpacked size is about 30 KB.

Installation

When spreading as a Windows PE EXE file, Bagle.at creates copies of itself under one of the following names:

C:\WINDOWS\SYSTEM32\wingo.exe
C:\WINDOWS\SYSTEM32\wingo.exeopen
C:\WINDOWS\SYSTEM32\wingo.exeopenopen

And then registers this file in the System Registry autorun keys:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 "wingo"="%system%\wingo.exe"

If Bagle.at arrives as a Windows Control Panel Applet (CPL) file, then it is a dropper. If the file is executed it copies itself into the Windows folder under the name cjector.exe. This file extracts the worm's body from itself and drops it into the System Registry.

Propagation via email

Bagle.at scans the local disk for files with the following extensions:

adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
 
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
 
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

And sends copies of itself to any email addresses it finds. Bagle.at connects to the recipients SMTP server to send emails.

Bagle.at does not send copies to recipients where the address contains the following text strings:

@avp
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
 
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
 
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

Infected Message Characteristics

Sender address:

Random

Subject:

Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks :)

Attachment name:

Price
Joke

Attachment extensions:

com
cpl
exe
scr

Propagation via P2P

Bagle.at creates copies of itself in all folders where the word 'shar' is in the name. The file names are chosen at random from the list below:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

Remote Administration

Bagle.at opens TCP port 81 and listens for further commands. For instance, the worm installs a proxy server that can be controlled via this port.

Other

Bagle.at attempts to connect to a number of compromised web sites to a file named g.jpg. The web sites were inaccessible at the time of writing.

The worm is coded to stop functioning on April 25, 2006.

Finally, Bagle.at attempts to block firewalls and antivirus solutions by stopping the following processes :

alogserv.exe
APVXDWIN.EXE
ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
Avconsol.exe
AVENGINE.EXE
AVPUPD.EXE
Avsynmgr.exe
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
bawindo.exe
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
CFIAUDIT.EXE
DefWatch.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
 
mcagent.exe
mcshield.exe
MCUPDATE.EXE
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapsvc.exe
navapsvc.exe
navapw32.exe
NISUM.EXE
nopdb.exe
NPROTECT.EXE
NPROTECT.EXE
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
pavProxy.exe
pavsrv50.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
symlcsvc.exe
UPDATE.EXE
UpdaterUI.exe
Vshwin32.exe
VsStat.exe
VsTskMgr.exe
Removal instructions
  1. Reboot your machine in Safe Mode - Press and hold F8 while the machine is rebooting and choose Safe Mode from the menu when it appears.
  2. Delete the following files from Windows system folder:
    3. wingo.exe
wingo.exeopen 
wingo.exeopenopen
  3. Delete the following key from the Windows System Registry:
    4. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 "wingo"="%system%\wingo.exe"
  4. Reboot the computer and make sure that you have removed all infected emails from all folders in your email client.
 		 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com