Content

W32/Bagle.c@MM

Type
Virus
SubType
E-mail worm
Discovery Date
02/27/2004
Length
Varies
Minimum DAT
4329 (02/27/2004)
Updated DAT
5090 (08/03/2007)
Minimum Engine
5.1.00
Description Added
02/27/2004
Description Modified
06/15/2006 1:03 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • contains a remote access component (notification is sent to hacker)

If you think that you may be infected with Bagle.c, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

Note: top-level detection of the ZIP file is included within the DATs. This is to improve performance when scanning. Identifications of the top level detection will be reported as W32/Bagle.c!zip.

Messages are constructed as follows:

From : (address is spoofed)
Body : (Message body is empty)
Subject :

  • Accounts department
  • Ahtung!
  • Camila
  • Daily activity report
  • Flayers among us
  • Freedom for everyone
  • From Hair-cutter
  • From me
  • Greet the day
  • Hardware devices price-list
  • Hello my friend
  • Hi!
  • Jenny
  • Jessica
  • Looking for the report
  • Maria
  • Melissa
  • Monthly incomings summary
  • New Price-list
  • Price
  • Price list
  • Pricelist
  • Price-list
  • Proclivity to servitude
  • Registration confirmation
  • The account
  • The employee
  • The summary
  • USA government abolishes the capital punishment
  • Weekly activity report
  • Well...
  • You are dismissed
  • You really love me? he he

Attachment : randomly named binary within a .ZIP file (~16KB).

The EXE file within the ZIP archive uses the following icon, to make it appear that the file is an Excel file.

Like its predecessors, this worm checks the system date. If it is the 14th March 2004 or later, the worm simply exits and does not propagate.

Upon running the file, Notepad.exe is opened, with a blank window. 

The virus copies itself into the Windows system directory as README.EXE, for example:

C:\WINNT\SYSTEM32\README.EXE

It also creates other files in this directory to perform its functions:

  • onde.exe (18,944 bytes) - DLL to perform mailing
  • doc.exe (1,536 bytes) - DLL loader
  • readme.exeopen (~16KB) - ZIP to be sent via email

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "gouday.exe" = C:\WINNT\SYSTEM32\README.EXE

Additionally, the following Registry keys are added:

  • HKEY_CURRENT_USER\Software\DateTime2 "frun"
  • HKEY_CURRENT_USER\Software\DateTime2 "uid"
  • HKEY_CURRENT_USER\Software\DateTime2 "port"

A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

This worm attempts to terminate the process of security programs with the the following filenames:

  • ATUPDATER.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVLTMAIN.EXE
  • AVPUPD.EXE
  • AVWUPD32.EXE
  • AVXQUAR.EXE
  • CFIAUDIT.EXE
  • DRWEBUPW.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • LUALL.EXE
  • MCUPDATE.EXE
  • NUPGRADE.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • UPDATE.EXE

Symptoms

  • Port 2745 (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

  • .ADB
  • .ASP
  • .CFG
  • .DBX
  • .EML
  • .HTM
  • .HTML
  • .MDX
  • .MMF
  • .NCH
  • .ODS
  • .PHP
  • .PL
  • .SHT
  • .TXT
  • .WAB

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

  • @avp.
  • @hotmail.com
  • @microsoft
  • @msn.com
  • local
  • noreply
  • postmaster@ 
  • root@

Remote Access Component

The virus listens on TCP port 2745 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.

http://permail.uni-muenster.de/scr.php
http://www.songtext.net/de/scr.php
http://www.sportscheck.de/scr.php

After March 14th, this component of the worm is also deactivated.

Removal

All Users :
Use specified engine and DAT files for detection and removal.

Stinger
 Stinger has been updated to assist in detecting and repairing this threat.

Additional Windows ME/XP removal considerations

If you see detection of this threat on your system, a reboot and additional scan may be required to clean this completely.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
  2. Delete the file following from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
    README.EXE   
    DOC.EXE
    ONDE.EXE
    README.EXEOPEN
  3. Edit the registry
    • Delete the "gouday.exe" value from
      • HKEY_CURRENT_USER\Software\Microsoft\
        Windows\CurrentVersion\Run
    • Delete the key
      • HKEY_CURRENT_USER\Software\DateTime2
  4. Reboot the system into Default Mode

McAfee Threatscan

ThreatScan signatures that can detect the W32/Bagle.c@MM virus are available from:

· Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt <ftp://ftp.nai.com/pub/security/tsc25/updates/winnt >

· Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt <ftp://ftp.nai.com/pub/security/tsc20/updates/winnt >

ThreatScan Signature version:  2004-03-01

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

· Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
-or-
· Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:
Run the "ThreatScan Template Report"
Look for module number #4067

McAfee Desktop Firewall
 To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 2745.

McAfee IntruShield
A user defined signature has been released for the Intrushield system to specifically detect and block this worm. Inline customers can stop the worm by enabling blocking for the following signature in their policy:

UDS-SMTP: Worm Bagle.C Detected

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Bagle.C (F-Secure)
  • W32.Beagle.C@mm (Symantec)
  • W32/Bagle-C (Sophos)
  • W32/Bagle.c!zip
  • Win32.Bagle.C (CA)
  • WORM_BAGLE.C (Trend)

Characteristics

Characteristics -

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • contains a remote access component (notification is sent to hacker)

If you think that you may be infected with Bagle.c, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

Note: top-level detection of the ZIP file is included within the DATs. This is to improve performance when scanning. Identifications of the top level detection will be reported as W32/Bagle.c!zip.

Messages are constructed as follows:

From : (address is spoofed)
Body : (Message body is empty)
Subject :

  • Accounts department
  • Ahtung!
  • Camila
  • Daily activity report
  • Flayers among us
  • Freedom for everyone
  • From Hair-cutter
  • From me
  • Greet the day
  • Hardware devices price-list
  • Hello my friend
  • Hi!
  • Jenny
  • Jessica
  • Looking for the report
  • Maria
  • Melissa
  • Monthly incomings summary
  • New Price-list
  • Price
  • Price list
  • Pricelist
  • Price-list
  • Proclivity to servitude
  • Registration confirmation
  • The account
  • The employee
  • The summary
  • USA government abolishes the capital punishment
  • Weekly activity report
  • Well...
  • You are dismissed
  • You really love me? he he

Attachment : randomly named binary within a .ZIP file (~16KB).

The EXE file within the ZIP archive uses the following icon, to make it appear that the file is an Excel file.

Like its predecessors, this worm checks the system date. If it is the 14th March 2004 or later, the worm simply exits and does not propagate.

Upon running the file, Notepad.exe is opened, with a blank window. 

The virus copies itself into the Windows system directory as README.EXE, for example:

C:\WINNT\SYSTEM32\README.EXE

It also creates other files in this directory to perform its functions:

  • onde.exe (18,944 bytes) - DLL to perform mailing
  • doc.exe (1,536 bytes) - DLL loader
  • readme.exeopen (~16KB) - ZIP to be sent via email

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "gouday.exe" = C:\WINNT\SYSTEM32\README.EXE

Additionally, the following Registry keys are added:

  • HKEY_CURRENT_USER\Software\DateTime2 "frun"
  • HKEY_CURRENT_USER\Software\DateTime2 "uid"
  • HKEY_CURRENT_USER\Software\DateTime2 "port"

A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

This worm attempts to terminate the process of security programs with the the following filenames:

  • ATUPDATER.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVLTMAIN.EXE
  • AVPUPD.EXE
  • AVWUPD32.EXE
  • AVXQUAR.EXE
  • CFIAUDIT.EXE
  • DRWEBUPW.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • LUALL.EXE
  • MCUPDATE.EXE
  • NUPGRADE.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • UPDATE.EXE

Symptoms

Symptoms -

  • Port 2745 (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

Method of Infection -

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

  • .ADB
  • .ASP
  • .CFG
  • .DBX
  • .EML
  • .HTM
  • .HTML
  • .MDX
  • .MMF
  • .NCH
  • .ODS
  • .PHP
  • .PL
  • .SHT
  • .TXT
  • .WAB

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

  • @avp.
  • @hotmail.com
  • @microsoft
  • @msn.com
  • local
  • noreply
  • postmaster@ 
  • root@

Remote Access Component

The virus listens on TCP port 2745 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.

http://permail.uni-muenster.de/scr.php
http://www.songtext.net/de/scr.php
http://www.sportscheck.de/scr.php

After March 14th, this component of the worm is also deactivated.

Removal -

Removal -

All Users :
Use specified engine and DAT files for detection and removal.

Stinger
 Stinger has been updated to assist in detecting and repairing this threat.

Additional Windows ME/XP removal considerations

If you see detection of this threat on your system, a reboot and additional scan may be required to clean this completely.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
  2. Delete the file following from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
    README.EXE   
    DOC.EXE
    ONDE.EXE
    README.EXEOPEN
  3. Edit the registry
    • Delete the "gouday.exe" value from
      • HKEY_CURRENT_USER\Software\Microsoft\
        Windows\CurrentVersion\Run
    • Delete the key
      • HKEY_CURRENT_USER\Software\DateTime2
  4. Reboot the system into Default Mode

McAfee Threatscan

ThreatScan signatures that can detect the W32/Bagle.c@MM virus are available from:

· Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt <ftp://ftp.nai.com/pub/security/tsc25/updates/winnt >

· Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt <ftp://ftp.nai.com/pub/security/tsc20/updates/winnt >

ThreatScan Signature version:  2004-03-01

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

· Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
-or-
· Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:
Run the "ThreatScan Template Report"
Look for module number #4067

McAfee Desktop Firewall
 To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 2745.

McAfee IntruShield
A user defined signature has been released for the Intrushield system to specifically detect and block this worm. Inline customers can stop the worm by enabling blocking for the following signature in their policy:

UDS-SMTP: Worm Bagle.C Detected

Variants

Variants -

    N/A