Email-Worm.Win32.Bagle.al

Tag: E-mail Worms

Bagle.al is a worm that spreads as an email attachment and via file sharing networks.

The worm is written in Assembler.

Bagle.al is made up of two main components:

  1. A ZIP file that spreads as an email attachment;
  2. The body of the worm, which is downloaded from specified websites.

Payload

The ZIP file containing the downloader is 5932 bytes in size and contains two files:

price.html
price\price.exe

The file price.html contains a malicious script named exploit.CodeBaseExec, which automatically launches price.exe.

Price.exe is a Trojan dropper designed to install the downloader that will in turn download the body of the worm onto the victim machine. The dropper is 14848 bytes. After it is launched, the dropper copies itself into the Windows system directory under the name windirect.exe and creates the following system registry auto run key:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "win_upd2.exe"="%system%\windirect.exe"

It then extracts and saves the downloader in the Windows system directory under the name _dll.exe and launches it (the _dll.exe file is 11776 bytes). _dll.exe terminates the following processes:

ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
sys_xp.exe
sysxp.exe
UPDATE.EXE
winxp.exe

Finally, the downloader attempts to download the body of the worm from one of the websites listed in the _dll.exe file. If the worm is successfully downloaded, the Trojan launches it.

The worm component

Bagle.al is based on the source code distributed by Bagle.aa and is 19460 bytes in size.

Installation

Once Bagle.al is launched by the downloader component, it copies itself into the Windows system directory with the name windll.exe and registers the following system registry auto run key:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "erthgdr"="%system%\windll.exe"

Bagle.al creates two additional files in the Windows system folder:

windll.exeopen
windll.exeopenopen
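
The installation artifacts described above for the dropper (windirect.exe, _dll.exe, the "win_upd2.exe" Run value) and for the worm component (windll.exe and its two companion files, the "erthgdr" Run value) can be checked for on a host. The following script is an added example written for this page, not code from the encyclopedia or from the worm; the indicator values come from the description above, while the function names and the split between an offline checker and a live Windows collector are my own.

```python
"""Check a host for the Bagle.al installation indicators described on this page."""
import ntpath  # parses Windows paths correctly even when run on a non-Windows host
import os
import sys

# Run-key value names and the file each is expected to point to (from the page).
RUN_KEY_INDICATORS = {
    "win_upd2.exe": "windirect.exe",   # auto-run entry created by the dropper
    "erthgdr": "windll.exe",           # auto-run entry created by the worm component
}
# File names the dropper, downloader and worm create in the Windows system directory.
FILE_INDICATORS = {"windirect.exe", "_dll.exe", "windll.exe",
                   "windll.exeopen", "windll.exeopenopen"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def find_indicators(run_values, system_files):
    """run_values: {value_name: data} read from HKCU\\...\\Run.
    system_files: iterable of file names present in the Windows system directory.
    Returns a list of human-readable findings; an empty list means nothing matched."""
    findings = []
    for name, data in run_values.items():
        expected = RUN_KEY_INDICATORS.get(name)
        # Match on the file name only, so "%system%\..." and "C:\WINDOWS\system32\..." both hit.
        if expected and ntpath.basename(data).lower() == expected:
            findings.append(f"run key {name!r} -> {data}")
    present = {f.lower() for f in system_files} & FILE_INDICATORS
    for f in sorted(present):
        findings.append(f"file {f} in system directory")
    return findings


def collect_live():
    """Read the real HKCU Run key and the System32 listing; Windows only."""
    import winreg  # standard library, but only importable on Windows
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            values[name] = str(data)
            index += 1
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return values, os.listdir(sysdir)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the live check requires Windows; find_indicators() itself runs anywhere")
    for line in find_indicators(*collect_live()) or ["no Bagle.al indicators found"]:
        print(line)
```

A matching Run value or file is a reason to isolate the machine and take a full scan, not proof on its own, since file names can be reused by other software.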

Propagation via email

Bagle.al scans the hard drive for files with the following extensions:

adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

©Virus-Encyclopedia.com All Rights Reserved.