Email-Worm.Win32.Bagle.gm

Alert Level :	Medium
Discovered:	Oct 02 2006
Tag:	E-mail Worms
Discoverer and Source:	http://www.kaspersky.com/

Malware Behavior and Technical Description

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm is also able to download other files from the Internet without the user's knowledge or consent.

The worm itself is a Windows PE EXE file 95369 bytes in size.

Installation

Once launched, the worm causes an error message to be displayed in order to confuse the user.

When installing, the worm copies itself as hidn2.exe to the following directory:

%UserProfile%\Application Data\hidn\hidn2.exe

It also creates a file called m_hook.sys in the same directory.

The worm creates the following entry in the system registry:

[HKCU\Software\FirstRuxzx]
"FirstRun"="dword:00000001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"drv_st_key"="%UserProfile%\Application Data\hidn\hidn2.exe"

The worm deletes the following registry key, making it impossible to boot the victim machine in safe mode::

[HKLM\System\CurrentControlSet\Control\SafeBoot]

It also creates the following files:

%SystemDrive%\error.gif
%SystemDrive%\temp.zip

Propagation via email

The worm harvests addresses from files with the following extensions:

adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

This Bagle variant is also able to download files which contain the email addresses of potential victims from the Internet. The worm contains the following lists of sites which it may download files from:

http://acce***le.cl/1/eml.php
http://am***dy.com/1/eml.php
http://avatare***atis.com/1/eml.php
http://be***lu.com.tr/1/eml.php
http://brand***ck.com/1/eml.php
http://c-***.com.au/1/eml.php
http://cam***mafra.sc.gov.br/1/eml.php
http://campos***ipamentos.com.br/1/eml.php
http://cbr***o.sos.pl/1/eml.php
http://coparefre***s.stantonstreetgroup.com/1/eml.php
http://creai***ire.com/1/eml.php
http://dese***i.com.br/1/eml.php
http://hotel***lba.com/1/eml.php
http://inca.d***solution.net/1/eml.php
http://veranm***ala.com/1/eml.php
http://wkligh***azwa.pl/1/eml.php
http://www.***npl.com/1/eml.php
http://www.aura***.com/1/eml.php
http://www.buy***ital.co.kr/1/eml.php
http://www.d***.cl/1/eml.php
http://www.disco***apuzzle.com/1/eml.php
http://www.in***file.gr/1/eml.php
http://www.tita***tors.com/images/1/eml.php
http://yon***n24.co.kr/1/eml.php

It will then send itself to all email addresses contained in files downloaded from the above addresses.

The worm does not send itself to addresses which contain the following strings:

@avp.
@foo
@iana
@messagelab
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

The worm uses its own SMTP engine to send infected messages.

Infected messages

Message subject (chosen from the list below):

Alice
Alyce
Andrew
Androw
Androwe
Annes
Anthonie
Anthony
Anthonye
Avice
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jeames
Jeffrey
Jeffrye
Joane
Johen
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rycharde
Samuell
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

Message body (chosen from the list below):

I love you
The password is <5 random numbers>
To the beloved
Password -- <5 random numbers>
I love you
Use password <5 random numbers>
To the beloved
Password is <5 random numbers>
I love you
Zip password: <5 random numbers>
To the beloved
archive password: <5 random numbers>

Attachment name (chosen from the list below)

Ales.zip
Alice.zip
Alyce.zip
Andrew.zip
Androw.zip
Androwe.zip
Ann.zip
Anna.zip
Anne.zip
Annes.zip
Anthonie.zip
Anthony.zip
Anthonye.zip
Avice.zip
Avis.zip
Avis.zip
Bennet.zip
Bennett.zip
Christean.zip
Christian.zip
Constance.zip
Cybil.zip
Daniel.zip
Danyell.zip
Dorithie.zip
Dorothee.zip
Dorothy.zip
Edmond.zip
Edmonde.zip
Edmund.zip
Edward.zip
Edwarde.zip
Elizabeth.zip
Elizabethe.zip
Ellen.zip
Ellyn.zip
Emanual.zip
Emanuel.zip
Emanuell.zip
Ester.zip
Frances.zip
Francis.zip
Fraunces.zip
Gabriell.zip
Geoffraie.zip
George.zip
Grace.zip
Harry.zip
Harrye.zip
Henrie.zip
Henry.zip
Henrye.zip
Hughe.zip
Humphrey.zip
Humphrie.zip
Isabel.zip
Isabell.zip
James.zip
Jane.zip
Jeames.zip
Jeffrey.zip
Jeffrye.zip
Joane.zip
Johen.zip
John.zip
Josias.zip
Judeth.zip
Judith.zip
Judithe.zip
Katherine.zip
Katheryne.zip
Leonard.zip
Leonarde.zip
Margaret.zip
Margarett.zip
Margerie.zip
Margerye.zip
Margret.zip
Margrett.zip
Marie.zip
Martha.zip
Mary.zip
Marye.zip
Michael.zip
Mychaell.zip
Nathaniel.zip
Nathaniell.zip
Nathanyell.zip
Nicholas.zip
Nicholaus.zip
Nycholas.zip
Peter.zip
Ralph.zip
Rebecka.zip
Richard.zip
Richarde.zip
Robert.zip
Roberte.zip
Roger.zip
Rose.zip
Rycharde.zip
Samuell.zip
Sara.zip
Sidney.zip
Sindony.zip
Stephen.zip
Susan.zip
Susanna.zip
Suzanna.zip
Sybell.zip
Sybyll.zip
Syndony.zip
Thomas.zip
Valentyne.zip
William.zip
Winifred.zip
Wynefrede.zip
Wynefreed.zip
Wynnefreede.zip

Payload

Removal Email-Worm.Win32.Bagle.gm instructions:

Need help? Live computer support via remote at SupportSpace.Help with printer problems, windows, hardware, software, spyware removal and more. - Go Now!

Network Worms

Trojan Programs

Classic Viruses

Other Malware