W32/Bagle.e@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 02/28/2004
Length: varies
Minimum DAT: 4330 (02/29/2004)
Updated DAT: 4331 (03/02/2004)
Minimum Engine: 5.1.00
Description Added: 02/28/2004
Description Modified: 03/11/2004 10:21 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update March 11, 2004 --
The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.

This new variant has the same functionality as the .c variant. It uses different file names when writing to the local machine, and the file size is different.

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • contains a remote access component (notification is sent to hacker)

If you think that you may be infected with Bagle.e, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From: address.

Messages are constructed as follows:

From: (address is spoofed)
Body: (message body is empty)
Subject: one of the following

  • Accounts department
  • Ahtung!
  • Camila
  • Daily activity report
  • Flayers among us
  • Freedom for everyone
  • From Hair-cutter
  • From me
  • Greet the day
  • Hardware devices price-list
  • Hello my friend
  • Hi!
  • Jenny
  • Jessica
  • Looking for the report
  • Maria
  • Melissa
  • Monthly incomings summary
  • New Price-list
  • Price
  • Price list
  • Pricelist
  • Price-list
  • Proclivity to servitude
  • Registration confirmation
  • The account
  • The employee
  • The summary
  • USA government abolishes the capital punishment
  • Weekly activity report
  • Well...
  • You are dismissed
  • You really love me? he he

Attachment: randomly named binary within a .ZIP file (~16KB).
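As an added example (not McAfee's code), the following Python function flags a message that shows the three message-level traits described above: a subject from the worm's fixed list, an empty body, and a ZIP attachment wrapping a single EXE. The sample message, addresses and file names it builds are constructed for the demonstration; the ~16KB payload is a zero-filled stand-in, not worm code.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Subject lines used by W32/Bagle.e@MM, copied from the description above.
BAGLE_E_SUBJECTS = {
    "Accounts department", "Ahtung!", "Camila", "Daily activity report", "Flayers among us",
    "Freedom for everyone", "From Hair-cutter", "From me", "Greet the day", "Hello my friend",
    "Hardware devices price-list", "Hi!", "Jenny", "Jessica", "Looking for the report", "Maria",
    "Melissa", "Monthly incomings summary", "New Price-list", "Price", "Price list", "Pricelist",
    "Price-list", "Proclivity to servitude", "Registration confirmation", "The account",
    "The employee", "The summary", "USA government abolishes the capital punishment",
    "Weekly activity report", "Well...", "You are dismissed", "You really love me? he he",
}

def bagle_e_indicators(raw: bytes) -> list:
    """Return the Bagle.e message traits found in a raw RFC 822 message. Each trait
    is weak on its own; all three together match the worm's mail format."""
    msg = email.message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in BAGLE_E_SUBJECTS:
        hits.append("subject matches Bagle.e list")
    bodies = [p.get_payload(decode=True) or b"" for p in msg.walk()
              if p.get_content_maintype() == "text"]  # text/* leaf parts carry the body
    if all(not b.strip() for b in bodies):
        hits.append("empty message body")
    for part in msg.walk():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            continue  # not a real archive; leave it to the AV engine
        if len(names) == 1 and names[0].lower().endswith(".exe"):
            hits.append(f"zip wraps a single exe ({len(data)} bytes)")
    return hits

def build_sample(subject: str, body: str, inner_name: str) -> bytes:
    """Construct an offline sample message laid out like the worm's mail (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ" + b"\0" * 16000)  # constructed stand-in, not worm code
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "harvested@example.com", "victim@example.com", subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="q7x2.zip")
    return msg.as_bytes()
```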

The EXE file within the ZIP archive uses a text-document icon, to make it appear that the file is a text file.

Like its predecessors, this worm checks the system date. If it is the 25th March 2004 or later, the worm simply exits and does not propagate.

Upon running the file, Notepad.exe is opened, with a blank window. 

The virus copies itself into the Windows system directory as i1ru74n4.exe, for example:

C:\WINNT\SYSTEM32\i1ru74n4.exe

It also creates other files in this directory to perform its functions:

  • godo.exe (18,944 bytes) - DLL to perform mailing
  • ii455nj4.exe (1,536 bytes) - DLL loader
  • i1ru74n4.exeopen (~16KB) - ZIP to be sent via email

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rate.exe" = C:\WINNT\SYSTEM32\i1ru74n4.exe

Additionally, the following Registry keys are added:

  • HKEY_CURRENT_USER\Software\DateTime2 "frun"
  • HKEY_CURRENT_USER\Software\DateTime2 "uid"
  • HKEY_CURRENT_USER\Software\DateTime2 "port"

A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

This worm attempts to terminate the processes of security programs with the following filenames:

  • ATUPDATER.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVLTMAIN.EXE
  • AVPUPD.EXE
  • AVWUPD32.EXE
  • AVXQUAR.EXE
  • CFIAUDIT.EXE
  • DRWEBUPW.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • LUALL.EXE
  • MCUPDATE.EXE
  • NUPGRADE.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • UPDATE.EXE

Symptoms

  • Port 2745 (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

  • .ADB
  • .ASP
  • .CFG
  • .DBX
  • .EML
  • .HTM
  • .HTML
  • .MDX
  • .MMF
  • .NCH
  • .ODS
  • .PHP
  • .PL
  • .SHT
  • .TXT
  • .WAB

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

  • @avp.
  • @hotmail.com
  • @microsoft
  • @msn.com
  • local
  • noreply
  • postmaster@ 
  • root@

Remote Access Component

The virus listens on TCP port 2745 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by contacting various websites and calling a PHP script on them. At the time of this writing, this script does not exist on any of these sites.

http://permail.uni-muenster.de/scr.php
http://www.songtext.net/de/scr.php
http://www.sportscheck.de/scr.php

After March 25th, this component of the worm is also deactivated.

Removal

All Users: Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
  2. Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32):
    i1ru74n4.exe    
    godo.exe
    ii455nj4.exe
    i1ru74n4.exeopen
  3. Edit the registry
    • Delete the "rate.exe" value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Delete the key HKEY_CURRENT_USER\Software\DateTime2
  4. Reboot the system into Default Mode

McAfee Threatscan
ThreatScan signatures that can detect the W32/Bagle.e@MM virus are available from:

· Threatscan 2.5 - ftp://ftp.nai.com/pub/security/tsc25/updates/winnt

· Threatscan 2.0/2.1 - ftp://ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-03-01

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

· Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
-or-
· Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:
Run the "ThreatScan Template Report"
Look for module number #4068

ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:

· Select TCP Port scan
· Enter port: 2745

McAfee Desktop Firewall
To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 2745.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
