Bagle C Worm

Worldlife, 28-February-2004, 09:50
Another Bagle notified by EZ today by email - seems a nasty one!!!

Virus Alert Notification

Win32.Bagle.C Worm


Alias: W32/Bagle.c@MM, WORM_BAGLE.C
Category: Win32
Type: Worm
Published Date: 2/27/2004
Last Modified: 2/27/2004

CHARACTERISTICS
Win32.Bagle.C is an Internet worm that spreads via e-mail. The worm is a 15,872-byte UPX-compressed Win32 executable.

Method of Installation
When executed, Bagle.C copies itself to the %System% directory as README.EXE. This file uses a Microsoft Excel icon.

It adds the following registry key to ensure that the worm is executed at Windows start:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe = "%System%\readme.exe"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.

These files are also created:

%System%\ONDE.EXE (worm component that contains emailing routine)
%System%\DOC.EXE (worm component to load system DLL)
%System%\readme.exeopen (zip file used as mail attachment, contains the worm with random filename)

The worm creates a mutex "imain_mutex".

Method of Distribution
Via E-mail
Bagle spreads via e-mail using its own SMTP engine. It generates a list of addresses to send itself to by scanning and searching files with the following extensions on the affected system:

.wab
.txt
.htm
.html
.dbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.adb
.sht

It also uses these addresses in both the 'From' and the 'To' addresses.

While scanning the worm will avoid any addresses containing the following strings:

.ch
@hotmail.com
@msn.com
@microsoft
@avp.
noreply
local
root@
postmaster@

Presumably, this is done to avoid immediate detection.

Possible subject lines: "FW:" or "FW: RE:" followed by one of the strings below:

Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee

The email attachment uses random letters with a .ZIP file extension.


Payload

Backdoor Functionality
The worm may listen on TCP port 2745 to accept incoming connections from a remote user. It gives the controller unauthorized access to an affected machine, allowing them to take such actions as running an executable of the remote user's choice.

It also attempts to contact particular web sites and supplies the open TCP port number and the infected system ID:

http: // permail.uni-muenster.de/
http: // www. songtext.net/de/
http: // www. sportscheck.de/


Terminates Processes

The worm terminates the following processes if found on the affected system:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
OUTPOST.EXE
AVLTMAIN.EXE


Additional Information

The worm also creates the following registry values:

HKCU\SOFTWARE\DateTime2\uid
HKCU\SOFTWARE\DateTime2\port
HKCU\SOFTWARE\DateTime2\frun

If the worm is executed after 14 March 2004, it removes the registry key and values it created. It then attempts to invoke its uninstall routine with the switch "-del".

Analysis by Sha-Li Hsieh
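A host-side triage check for the installation indicators in the advisory above (the gouday.exe Run value, the DateTime2 key, the dropped files in %System%, and the 14 March 2004 uninstall date). This is an added example, not code from the original post or from the CA advisory. The registry export and the directory listing are constructed fixtures; the parser assumes the plain-text format that the Windows `reg export` command writes.

```python
r"""Host triage for the Win32.Bagle.C indicators listed in the advisory.

Added example, not code from the original post or from the advisory it quotes.
The registry export and the %System% listing below are constructed fixtures;
on a real host, feed in the output of `reg export HKCU\SOFTWARE hkcu.reg`
and a listing of the System directory.
"""
import re
from datetime import date

# Indicators taken from the advisory text. Matching is case-insensitive,
# as Windows paths and registry value names are.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "gouday.exe"
RUN_VALUE_TARGET = "readme.exe"
CONFIG_KEY = r"HKEY_CURRENT_USER\SOFTWARE\DateTime2"
CONFIG_VALUES = {"uid", "port", "frun"}
DROPPED_FILES = {"readme.exe", "onde.exe", "doc.exe", "readme.exeopen"}
KILL_DATE = date(2004, 3, 14)   # after this date the worm uninstalls itself

# "name"="string value"  or  "name"=dword:00000000
_VALUE_RE = re.compile(r'^"([^"]*)"=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def parse_reg_export(text):
    """Parse the subset of the .reg format that `reg export` writes:
    [Key] headers followed by "name"="string" or "name"=dword:hex lines.
    Returns {key_lower: {value_name_lower: value_string}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            if m.group(2) is not None:
                value = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
            else:
                value = m.group(3)
            keys[current][m.group(1).lower()] = value
    return keys


def check_registry(keys):
    """Flag the Run value and the DateTime2 configuration key."""
    findings = []
    for name, value in keys.get(RUN_KEY.lower(), {}).items():
        if name == RUN_VALUE_NAME or value.lower().endswith("\\" + RUN_VALUE_TARGET):
            findings.append(f"Run value {name} -> {value} matches Bagle.C persistence")
    cfg = keys.get(CONFIG_KEY.lower())
    if cfg is not None:
        port = cfg.get("port", "?")
        if port.lower().startswith("dword:"):
            port = int(port[len("dword:"):], 16)   # the backdoor listening port
        present = sorted(CONFIG_VALUES & set(cfg))
        findings.append(f"{CONFIG_KEY} present, values {present}, port={port}")
    return findings


def check_system_dir(filenames):
    """Flag the dropped components; none of these names is a Windows file."""
    hits = sorted(f for f in filenames if f.lower() in DROPPED_FILES)
    return [f"dropped file present in %System%: {f}" for f in hits]


def kill_date_passed(today):
    """True once the worm's own uninstall date has passed. A clean host after
    that date is not proof that it was never infected."""
    return today > KILL_DATE


def triage(reg_text, system_files):
    return check_registry(parse_reg_export(reg_text)) + check_system_dir(system_files)


# Constructed fixtures: what an infected XP host might export. dword 0xab9 = 2745.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"gouday.exe"="C:\\WINDOWS\\System32\\readme.exe"

[HKEY_CURRENT_USER\SOFTWARE\DateTime2]
"uid"="1234567890"
"port"=dword:00000ab9
"frun"=dword:00000001
"""
SAMPLE_SYSTEM_LISTING = ["ctfmon.exe", "kernel32.dll", "readme.exe",
                         "onde.exe", "doc.exe", "readme.exeopen"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_SYSTEM_LISTING):
        print(finding)
```

The Run value is matched on either the name (gouday.exe) or the target (readme.exe under %System%), because a variant may change one but not the other; the DateTime2 port value is decoded so the check also tells you which port to look for on the network.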
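A mail-gateway rule for the lure described in the "Method of Distribution" section above, as an added example; it is not code from the original post or from the CA advisory. The subject list and the "FW:" / "FW: RE:" prefix are taken from the advisory; the messages and the zip archive are constructed. The advisory does not give the length of the random-letter attachment name, so the 3 to 12 letter range is an assumption, as is the set of executable extensions looked for inside the zip.

```python
"""Mail-gateway rule for the Bagle.C lure described in the advisory.

Added example, not code from the original post or from the advisory it quotes.
The messages and the zip archive below are constructed fixtures. Assumptions:
the random-letter attachment name is 3 to 12 letters long, and the member
inside the zip carries one of a handful of executable extensions.
"""
import io
import re
import zipfile

SUBJECTS = [
    "Price", "New Price-list", "Hardware devices price-list",
    "Weekly activity report", "Daily activity report", "Maria", "Jenny",
    "Jessica", "Registration confirmation",
    "USA government abolishes the capital punishment", "Freedom for everyone",
    "Flayers among us", "From Hair-cutter", "Melissa", "Camila", "Price-list",
    "Pricelist", "Price list", "Hello my friend", "Hi!", "Well...",
    "Greet the day", "The account", "Looking for the report",
    "You really love me? he he", "You are dismissed", "Accounts department",
    "From me", "Monthly incomings summary", "The summary",
    "Proclivity to servitude", "Ahtung!", "The employee",
]

# Optional "FW:" or "FW: RE:" prefix, then exactly one of the lure subjects.
SUBJECT_RE = re.compile(
    r"^(?:FW:\s*(?:RE:\s*)?)?(?:" + "|".join(re.escape(s) for s in SUBJECTS) + r")$",
    re.IGNORECASE,
)
# Attachment name made of letters only, with a .zip extension (length assumed).
ATTACHMENT_RE = re.compile(r"^[A-Za-z]{3,12}\.zip$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")   # assumption


def subject_matches(subject):
    return bool(SUBJECT_RE.match(" ".join(subject.split())))


def attachment_matches(name):
    return bool(ATTACHMENT_RE.match(name.strip()))


def zip_contains_executable(data):
    """True if the archive holds a member with an executable extension. The
    worm sits in the zip under a random name, so the extension is the only
    thing to key on without handing the member to a scanner."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXECUTABLE_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(msg):
    """msg: {"subject": str, "attachments": {name: bytes}} -> (verdict, reasons).
    The From header is ignored on purpose: the advisory says it is filled from
    harvested addresses, so it proves nothing about the real sender."""
    reasons = []
    if subject_matches(msg["subject"]):
        reasons.append("subject is a Bagle.C lure")
    for name, data in msg["attachments"].items():
        if attachment_matches(name):
            reasons.append(f"random-letter zip attachment {name}")
            if zip_contains_executable(data):
                reasons.append(f"{name} contains an executable")
    # One indicator alone ("Price list", or a short zip name) is too common to
    # block on; two or more is the lure as described.
    if len(reasons) >= 2:
        return "quarantine", reasons
    if reasons:
        return "flag", reasons
    return "deliver", reasons


def _zip_with(member, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed test messages; b"MZ" is only the DOS header magic, not the worm.
SAMPLE_MESSAGES = [
    {"subject": "FW: RE: Weekly activity report",
     "attachments": {"qhtzbv.zip": _zip_with("fjqor.exe", b"MZ\x90\x00")}},
    {"subject": "Weekly activity report",
     "attachments": {"report-feb.xls": b"\xd0\xcf\x11\xe0"}},
    {"subject": "lunch?",
     "attachments": {"photos.zip": _zip_with("img001.jpg", b"\xff\xd8\xff")}},
    {"subject": "Re: lunch",
     "attachments": {"minutes_2004-02-27.zip": _zip_with("minutes.doc", b"")}},
]


def classify_all(msgs):
    return [classify(m)[0] for m in msgs]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", classify(m))
```

Run against the constructed messages this quarantines the first (lure subject plus a letters-only zip holding an .exe), flags the second and third (one indicator each) and delivers the fourth.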
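A perimeter-log correlation for the "Payload" section above: the backdoor on TCP 2745 and the beacon to the three web sites the worm contacts. This is an added example, not code from the original post or from the CA advisory. The log lines are in a constructed key=value format, the addresses are from documentation ranges, and the 10.0.0.0/8 internal range is an assumption; adapt the parser to your own firewall or proxy export. The advisory does not give the format of the beacon request, so the example keys only on the destination host name and not on the port or system ID it carries.

```python
"""Perimeter-log correlation for the Bagle.C backdoor (TCP 2745) and the
beacon to the three web sites named in the advisory.

Added example, not from the original post or the advisory. The log lines use
a constructed key=value format (ts dir action proto src sport dst dport [host]);
adapt parse_line() to your own firewall or proxy export. The addresses are
from documentation ranges and stand in for the real ones.
"""
BACKDOOR_PORT = 2745
BEACON_HOSTS = {"permail.uni-muenster.de", "www.songtext.net", "www.sportscheck.de"}
INTERNAL_PREFIX = "10."   # assumption: the protected network is 10.0.0.0/8


def parse_line(line):
    """'ts k=v k=v ...' -> dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def indicators(lines):
    """Map each internal host to the set of Bagle.C indicators seen for it."""
    per_host = {}
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("proto") != "tcp" or f.get("action") != "accept":
            # A dropped inbound probe on 2745 says something about the scanner,
            # nothing about the local host, so it is deliberately ignored.
            continue
        if (f["dir"] == "in" and int(f["dport"]) == BACKDOOR_PORT
                and f["dst"].startswith(INTERNAL_PREFIX)):
            per_host.setdefault(f["dst"], set()).add("backdoor:2745 accepted")
        elif (f["dir"] == "out" and f.get("host", "").lower() in BEACON_HOSTS
                and f["src"].startswith(INTERNAL_PREFIX)):
            per_host.setdefault(f["src"], set()).add("beacon:" + f["host"].lower())
    return per_host


def triage(lines):
    """Rank hosts. The three beacon sites are ordinary web sites that the worm
    abuses, so a visit on its own is only weak evidence; an accepted inbound
    connection on 2745 plus a beacon from the same host is the strong signal."""
    result = {}
    for host, seen in indicators(lines).items():
        backdoor = any(s.startswith("backdoor") for s in seen)
        beacon = any(s.startswith("beacon") for s in seen)
        severity = "high" if backdoor and beacon else "medium" if backdoor else "low"
        result[host] = (severity, sorted(seen))
    return result


# Constructed sample log, not captured traffic.
SAMPLE_LOG = """\
2004-02-28T09:50:01 dir=out action=accept proto=tcp src=10.0.0.7 sport=1029 dst=192.0.2.10 dport=80 host=permail.uni-muenster.de
2004-02-28T09:50:02 dir=in action=accept proto=tcp src=198.51.100.23 sport=3351 dst=10.0.0.7 dport=2745
2004-02-28T09:51:10 dir=in action=drop proto=tcp src=198.51.100.99 sport=4000 dst=10.0.0.9 dport=2745
2004-02-28T09:52:30 dir=in action=accept proto=tcp src=198.51.100.23 sport=3360 dst=10.0.0.20 dport=2745
2004-02-28T09:53:00 dir=out action=accept proto=tcp src=10.0.0.12 sport=1100 dst=192.0.2.11 dport=80 host=www.sportscheck.de
2004-02-28T09:53:05 dir=out action=accept proto=tcp src=10.0.0.12 sport=1101 dst=192.0.2.12 dport=80 host=www.example.com
"""

if __name__ == "__main__":
    for host, (severity, seen) in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(host, severity, seen)
```

On the sample log 10.0.0.7 comes out high (accepted 2745 connection and a beacon), 10.0.0.20 medium (accepted 2745 only), 10.0.0.12 low (one visit to a beacon site), and 10.0.0.9 is not listed at all because the probe against it was dropped.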