Win32/Bagle.X
Created: 2007-06-25, 20:35:40
Last updated on: 2010-11-26, 09:23:14
Compressor:
UPX
Language:
Visual C++
Endangered operating system(s):
Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows Server 2003, Windows XP
Non-endangered operating system(s):
Windows 3.xx, DOS, Linux, Unix, Solaris, MacOS, Mac OS X, OS2
Naming
Avast            | Win32:Beagle-Y
AVG              | I-Worm/Bagle.AA
BitDefender      | Win32.Bagle.W@mm.damaged
e-Trust          | Win32/Bagle.W
F-PROT           | W32/Bagle.Y@mm
F-Secure         | Email-Worm.Win32.Bagle.y
Ikarus           | MalwareScope.Trojan-PWS.Pinch.1
Kaspersky        | Email-Worm.Win32.Bagle.y
McAfee           | W32/Bagle.z@MM(Virus)
Microsoft        | Win32/Bagle.W@mm
NOD32 (ESET)     | Win32/Bagle.X
Panda            | W32/Bagle.AA.worm
Rising Antivirus | Worm.Mail.Bagle.md
Sophos           | W32/Bagle-W
Trend Micro      | WORM_BAGLE.X
VirusBuster      | I-Worm.Bagle.Y
Installation
The worm displays the following window during the installation of its code:
The worm creates the following files:
In the Windows System32 folder (default: C:\Windows\System32):
- drvsys.exe
- drvsys.exeopen
- drvsys.exeopenopen
In share folders:
- ACDSee 9.exe
- Adobe Photoshop 9 full.exe
- Ahead Nero 7.exe
- KAV 5.0
- Kaspersky Antivirus 5.0
- Matrix 3 Revolution English Subtitles.exe
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Office XP working Crack, Keygen.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Opera 8 New!.exe
- Porno Screensaver.scr
- Porno pics arhive, xxx.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Serials.txt.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- WinAmp 6 New!.exe
- Windown Longhorn Beta Leak.exe
- Windows Sourcecode update.doc.exe
- XXX hardcore images.exe
Win32/Bagle.X worm creates the following entries in the registry or modifies them (if they already exist):
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "drvsys.exe"="C:\WINDOWS\System32\drvsys.exe"
- [HKEY_USERS\S-1-5-21-1060284298-1770027372-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run] "drvsys.exe"="C:\WINDOWS\System32\drvsys.exe"
Win32/Bagle.X worm deletes the following entries from the registry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "9XHtProtect"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Antivirus"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "EasyAV"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "FirewallSvr"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "HtProtect"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ICQ Net"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ICQNet"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Jammer2nd"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "KasperskyAVEng"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "MsInfo"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "My AV"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "NetDy"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Norton Antivirus AV"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "PandaAVEngine"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "service"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Special Firewall Service"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "SysMonXP"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Tiny AV"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Zone Labs Client Ex"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "9XHtProtect"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Antivirus"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "EasyAV"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "FirewallSvr"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "HtProtect"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "ICQ Net"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "ICQNet"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Jammer2nd"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "KasperskyAVEng"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "MsInfo"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "My AV"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NetDy"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Norton Antivirus AV"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "PandaAVEngine"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "service"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Special Firewall Service"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SysMonXP"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Tiny AV"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Zone Labs Client Ex"
Win32/Bagle.X worm stops the following processes:
- NMAIN.EXE
- NORTON_INTERNET_SECU_3.0_407.EXE
- NPF40_TW_98_NT_ME_2K.EXE
- NPFMESSENGER.EXE
- NPROTECT.EXE
E-mail messages
Win32/Bagle.X worm spreads by creating ANSI-format e-mail messages that carry its own code.
Win32/Bagle.X worm searches for e-mail addresses in files with one of the following extensions:
wab, txt, msg, htm, shtm, stm, xml, dbx, mbx, mdx, eml, nch, mmf, ods, cfg, asp, php, pl, wsh, adb, tbb, sht, xls, oft, uin, cgi, mht, dhtm, jsp
The characteristics of the e-mail messages are the following:
The icon of the messages carrying the worm (warning: in some e-mail clients the icon is not displayed correctly):
Attacks on the Internet
The worm downloads and executes code from the following addresses:
- http://www.spiegel.de
- http://www.leipziger-messe.de
- http://www.mobile.de
- http://www.neformal.de
- http://www.avh.de
- http://www.goethe.de
- http://www.degruyter.de
- http://www.heise.de
- http://www.autoscout24.de
- http://www.russische-botschaft.de
- http://www.bmbf.de
- http://www.berlinale.de
- http://www.hamann-motorsport.de
- http://Spaceclub.de
- http://www.fracht-24.de
- http://www.loveparade.de
- http://www.dalnoboyshik.de
- http://www.deutschland.de
- http://www.ac-schnitzer.de
- http://abakan.strana.de
- http://www.emis.de
- http://www.dwd.de
- http://www.ifdesign.de
- http://www.beckers-systems.de
- http://www.pri-wo-hamburg.de
- http://virtualzone.de
- http://www.mitsumi.de
- http://www.fu-berlin.de
- http://www.nabu.de
- http://www.tekeli.de
- http://www.welt.de
- http://www.gospel-nations.de
- http://www.neznakomez.de
- http://www.tecchannel.de
- http://www.php-resource.de
- http://www.windac.de
- http://www.gsi.de
- http://www.turism.de
- http://jakimov.golos.de
- http://www.www.mirko-becker.gmxhome.de
- http://vg.xtonne.de
- http://www.go-amman.de
- http://3treepoint.com
- http://www.restarted-alliance.de
- http://2udar.ligakvn.de
- http://www.sprach-zertifikat.de
- http://www.dfg.de
- http://www.kliniken.de
- http://www.winfuture.de
- http://www.hamburg.de
- http://www.auma.de
- http://www.teac.de
- http://www.eumetsat.de
- http://www.documenta.de
- http://hardvision.ru
- http://www.bruecke-osteuropa.de
- http://www.mk-motorsport.de
- http://www.bundesregierung.de
- http://ditec.um.es
- http://www.insel-ruegen-hotel.de
- http://www.tib.uni-hannover.de
- http://www.chugai.de
- http://www.blauer-engel.de
- http://www.partner-inform.de
- http://250x.com
- http://villakinderbunt.de
- http://s318.evanzo-server.de
- http://andimeisslein.de
- http://tobimayer.de
- http://markusgimenez.de
- http://www.fiz-karlsruhe.de
- http://www.gdch.de
- http://www.intermatgmbh.de
- http://www.hotel-pension-spree.de
- http://vg.xtonne.de
- http://www.low-spirit.de
- http://www.red-dot.de
- http://www.fernuni-hagen.de
- http://www.ruletka.de
- http://www.deutsch-als-fremdsprache.de
- http://www.uni-oldenburg.de
- http://fotos.schneider.bards.de
- http://www.deutsches-museum.de
- http://www.de-bug.de
- http://www.uni-stuttgart.de
- http://www.embl-heidelberg.de
- http://www.mdz-moskau.de
- http://www.mitsubishi-evs.de
- http://www.siegenia-aubi.com
- http://www.cicv.fr
- http://www.paromi.de
- http://www.jura.uni-sb.de
- http://www.exactaudiocopy.de
Backdoor
Win32/Bagle.X worm opens a backdoor on TCP port number 2535.
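As an added example (not part of this encyclopedia entry), the following Python script matches the host-based indicators listed above under Installation and Backdoor against offline artefacts collected from a suspect machine: a listing of the System32 folder, the text of a `reg export` of a Run key, and `netstat -an` output. The dropped file names, the Run value and the port number come from the entry; the sample inputs in the script are constructed and the helper names are this example's own.

```python
"""Offline IOC matcher for the Win32/Bagle.X indicators described above.

Added example, not part of the original entry. It checks three artefact
types the entry lists: the dropped files in System32, the Run-key
persistence value, and a listening socket on the backdoor port.
"""
import re
from typing import Dict, List

# Indicators taken from the entry.
DROPPED_FILES = {"drvsys.exe", "drvsys.exeopen", "drvsys.exeopenopen"}
RUN_VALUE_NAME = "drvsys.exe"
RUN_VALUE_DATA = r"C:\WINDOWS\System32\drvsys.exe"
BACKDOOR_PORT = 2535
# HKEY_USERS\<SID>\... is the same hive as HKEY_CURRENT_USER for the logged-on
# user, so matching on the key suffix covers both forms the entry lists.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def check_dropped_files(listing: List[str]) -> List[str]:
    """Return names from a System32 directory listing that match the dropped files."""
    return sorted(name for name in listing if name.lower() in DROPPED_FILES)


_REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_REG_VAL = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def check_run_key(reg_export: str) -> List[Dict[str, str]]:
    """Find the worm's Run value in the text of a .reg file produced by `reg export`.

    .reg files write each backslash in REG_SZ data as two backslashes, so the
    data is unescaped before it is compared with the indicator.
    """
    hits: List[Dict[str, str]] = []
    current_key = None
    for line in reg_export.splitlines():
        key_match = _REG_KEY.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if current_key is None or not current_key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        val_match = _REG_VAL.match(line)
        if not val_match:
            continue
        data = val_match.group("data").replace("\\\\", "\\")
        if (val_match.group("name").lower() == RUN_VALUE_NAME
                and data.lower() == RUN_VALUE_DATA.lower()):
            hits.append({"key": current_key, "name": val_match.group("name"), "data": data})
    return hits


_NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def check_backdoor_port(netstat_output: str) -> List[str]:
    """Return local addresses from `netstat -an` output that listen on the backdoor port."""
    found = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LISTEN.match(line)
        if m and m.group("local").rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
            found.append(m.group("local"))
    return found


def scan(listing: List[str], reg_export: str, netstat_output: str) -> Dict[str, object]:
    """Run all three checks and flag the host if any indicator matches."""
    findings: Dict[str, object] = {
        "dropped_files": check_dropped_files(listing),
        "run_values": check_run_key(reg_export),
        "backdoor_listeners": check_backdoor_port(netstat_output),
    }
    findings["infected"] = any(findings[k] for k in ("dropped_files", "run_values", "backdoor_listeners"))
    return findings


# Constructed sample inputs (not data from a real system).
SAMPLE_SYSTEM32 = ["kernel32.dll", "drvsys.exe", "drvsys.exeopen", "notepad.exe"]
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsys.exe"="C:\\WINDOWS\\System32\\drvsys.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
'''
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2535           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for name, value in scan(SAMPLE_SYSTEM32, SAMPLE_REG_EXPORT, SAMPLE_NETSTAT).items():
        print(f"{name}: {value}")
```

The file check matches on bare names only, so on a live host it should be fed the listing of the System32 folder specifically; the `.exeopen` variants are the strongest single indicator, because a legitimate binary named drvsys.exe is conceivable while those two names are not.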