Email-Worm.Win32.Bagle.z
| Alert Level : | Medium |
| Discovered: | Apr 30 2004 |
| Tag: | E-mail Worms |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
Bagle.z is an Internet worm that spreads as an infected email attachment. The worm is a PE EXE file of about 20-22 KB; it is packed with UPX, and the unpacked file is 55 KB.
The body of the worm contains a new poem:
In a difficult world
In a nameless time
I want to survive
So, you will be mine
-- Bagle Author, 29.04.04, Germany.
Infected message characteristics
Sender address:
random
Subject:
- Re: Msg reply
- Re: Hello
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :)
- RE: Text message
- Re: Document
- Incoming message
- Re: Incoming Message
- RE: Incoming Msg
- RE: Message Notify
- Notification
- Changes..
- New changes
- Hidden message
- Fax Message Received
- Protected message
- RE: Protected message
- Forum notify
- Site changes
- Re: Hi
- Encrypted document
Attachment name:
- Information
- Details
- text_document
- Readme
- Document
- Info
- the_message
- Details
- MoreInfo
- Message
- You_will_answer_to_me
- Half_Live
- Counter_strike
- Loves_money
- the_message
- Alive_condom
- Joke
- Toy
- Nervous_illnesses
- Manufacture
- You_are_dismissed
- Your_complaint
- Your_money
- Smoke
- I_search_for_you
Attachment characteristics:
- .exe .com .scr and .cpl binary code file
- .vbs script
- .hta html-file
- ZIP archive represented by a thumbnail. This archive contains two files with random names. The .exe file contains the body of the worm, while the second one contains random characters and has one of the extensions .sys, .dat, .idx, .vxd, .vid or .dll.
Message body
There is a wide range of possible message texts.
The message may contain a VBS script; if this is launched by the user, it exploits a Microsoft Internet Explorer vulnerability (defined in Microsoft Security Bulletin MS03-040) which makes it possible to download the executable worm file via the Internet from several dozen infected web sites.
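The mail-side view of the characteristics above, as an added example that is not code from Kaspersky or this page: it applies the listed subject lines and attachment characteristics (a bare .exe/.com/.scr/.cpl/.vbs/.hta attachment, or a ZIP holding an .exe plus a second junk file with a .sys/.dat/.idx/.vxd/.vid/.dll extension) to a constructed sample message. The function names, the sample addresses and the sample file names are assumptions made for the example.

```python
"""Mail-side screening for the Bagle.z message characteristics.

Added example (not Kaspersky's code). The subject list and the attachment
rules come from the description; everything else here is an assumption.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment extensions the description names as direct worm carriers.
DIRECT_RISKY = {".exe", ".com", ".scr", ".cpl", ".vbs", ".hta"}
# Extensions of the second, junk file inside the ZIP variant.
ZIP_DECOY = {".sys", ".dat", ".idx", ".vxd", ".vid", ".dll"}
# Subject lines from the description, matched case-insensitively.
KNOWN_SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!",
    "Re: Thanks :)", "RE: Text message", "Re: Document", "Incoming message",
    "Re: Incoming Message", "RE: Incoming Msg", "RE: Message Notify",
    "Notification", "Changes..", "New changes", "Hidden message",
    "Fax Message Received", "Protected message", "RE: Protected message",
    "Forum notify", "Site changes", "Re: Hi", "Encrypted document",
)}


def _ext(name):
    """Lower-cased extension of a file name, including the dot ('' if none)."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def _zip_findings(data):
    """Findings for a ZIP attachment, using the two-file layout from the description."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
    except zipfile.BadZipFile:
        return ["attachment named .zip is not a valid archive"]
    exts = [_ext(n) for n in names]
    findings = []
    if ".exe" in exts:
        findings.append("ZIP contains an executable: " + ", ".join(names))
    if len(names) == 2 and ".exe" in exts and any(e in ZIP_DECOY for e in exts):
        findings.append("ZIP layout matches Bagle.z (one .exe plus a decoy file)")
    return findings


def screen_message(raw):
    """Return a list of findings for a raw RFC 822 message (empty if nothing matched)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = str(msg["subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        findings.append(f"subject matches a known worm subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in DIRECT_RISKY:
            findings.append(f"directly executable attachment: {name}")
        elif ext == ".zip":
            findings.extend(_zip_findings(part.get_payload(decode=True)))
    return findings


def build_sample(subject="Re: Hello", with_zip=True):
    """Constructed sample message; the 'executable' is a harmless stand-in."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Document.exe", b"MZ not a real program")  # stand-in, not the worm
            zf.writestr("kqzwf.dat", b"xxxxxxxx")                   # decoy with a random name
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="Document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in screen_message(build_sample()):
        print("FLAG:", line)
```

The subject match alone is weak evidence (these are ordinary-looking subjects), so a gateway rule would combine it with the attachment findings rather than act on it by itself; the ZIP layout check is the more specific signal.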
Installation
Upon first being launched the worm displays a fake error message. It installs itself as drvddll.exe in the Windows system directory and registers that copy to run at startup:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drvddll.exe" = "%system%\drvddll.exe"
Bagle.z also creates the following files in the Windows system directory:
- drvddll.exeopen
- drvddll.exeopenopen
It searches for and deletes the following keys:
- My AV
- Zone Labs Client Ex
- 9XHtProtect
- Antivirus
- Special Firewall Service
- service
- Tiny AV
- ICQNet
- HtProtect
- NetDy
- Jammer2nd
- FirewallSvr
- MsInfo
- SysMonXP
- EasyAV
- PandaAVEngine
- Norton Antivirus AV
- KasperskyAVEng
- SkynetsRevenge
- ICQ Net
The worm also attempts to connect to a range of remote sites, and to save information about the victim computer on these sites.
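A host-side check for the persistence indicators in the Installation section, as an added example that is not code from Kaspersky or this page: it looks for the worm's "drvddll.exe" autorun value, for the files dropped into the Windows system directory, and for the absence of the security-product entries the worm deletes (assumed here to be values under the same Run key, which the description does not state explicitly). assess_run_values() works on a plain dict so it can be exercised offline; read_run_values() reads the live key through winreg on Windows. The function names and the sample snapshot are assumptions.

```python
"""Host-side check for the Bagle.z persistence indicators.

Added example (not Kaspersky's code). The value name, file names and the
deletion list come from the description; the snapshot below is constructed.
"""
import os
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE = "drvddll.exe"
WORM_FILES = ("drvddll.exe", "drvddll.exeopen", "drvddll.exeopenopen")
# Entry names the description says the worm searches for and deletes.
DELETED_BY_WORM = {
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng",
    "SkynetsRevenge", "ICQ Net",
}


def assess_run_values(values, expected_present=()):
    """Return findings for a {value_name: command} snapshot of a Run key.

    expected_present lists entry names this host is known to have (for
    example from a baseline); an entry from the worm's deletion list that
    is missing now is reported, since the worm removes exactly those.
    """
    findings = []
    for name, command in values.items():
        if name.lower() == WORM_VALUE and command.lower().endswith(WORM_VALUE):
            findings.append(f"worm autorun value present: {name} = {command}")
    for name in expected_present:
        if name in DELETED_BY_WORM and name not in values:
            findings.append(f"security-product autorun entry missing: {name}")
    return findings


def dropped_files_present(system_dir):
    """Names from WORM_FILES that exist in system_dir."""
    return [f for f in WORM_FILES if os.path.isfile(os.path.join(system_dir, f))]


def read_run_values(hive="HKLM"):
    """Read the live Run key (Windows only); returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {}
    with winreg.OpenKey(root, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    # Constructed snapshot of an infected host: the worm's value is present and
    # a firewall entry that was on the baseline is gone.
    snapshot = {
        "drvddll.exe": r"C:\WINDOWS\system32\drvddll.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    }
    baseline = ["ctfmon.exe", "Zone Labs Client Ex"]
    for line in assess_run_values(snapshot, baseline):
        print("FLAG:", line)
    live = read_run_values()
    if live:
        for line in assess_run_values(live):
            print("LIVE:", line)
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
        print("dropped files:", dropped_files_present(system_dir))
```

The "missing entry" check only works against a baseline the host actually had; without one, the disappearance of a security product's autorun value is invisible, which is the point of the worm deleting it.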
Propagation
The worm searches the computer for files with the following extensions:
adb asp cfg cgi dbx dhtm eml htm jsp mdx
mbx mht mmf msg nch ods oft php pl sht
shtm stm tbb txt uin wab wsh xls xml
Removal instructions for Email-Worm.Win32.Bagle.z: