W32/Bagle.h@MM
- Type: Virus
- SubType: E-mail worm
- Discovery Date: 03/01/2004
- Length: Varies
- Minimum DAT: 4331 (03/02/2004)
- Updated DAT: 4331 (03/02/2004)
- Minimum Engine: 5.1.00
- Description Added: 03/01/2004
- Description Modified: 03/08/2004 1:25 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update March 8th --
The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
-- Update March 2nd 07:25 PST --
The risk assessment of this threat has been raised to medium due to increased prevalence.
If you think that you may be infected with Bagle.h and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
This variant of W32/Bagle is functionally similar to the .F variant. It bears the following characteristics:
- The virus copies itself into the Windows System directory as I11R54N4.EXE. For example:
  - C:\WINNT\SYSTEM32\i11r54n4.exe (21,318 bytes)
The following Registry key is added to hook system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "rate.exe" = C:\WINNT\SYSTEM32\i11r54n4.exe
The following Registry key is also added:
- HKEY_CURRENT_USER\Software\Winexe "open"
It also creates other files in the Windows System directory to perform its functions:
- go154o.exe (19,968 bytes) - DLL to perform mailing
- i1i5n1j4.exe (1,536 bytes) - DLL loader
- i11r54n4.exeopen (20,774 bytes) - ZIP file that is sent via email
- Like its predecessors, this worm checks the system date. If it is the 25th March 2005 or later, the worm simply exits and does not propagate.
- The worm uses the following icon to make it appear that the file is a folder: [folder icon image]
- The worm opens port 2745 (TCP) on the victim machine.
- It copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.). It does not spread via mapped drives.
Mail Propagation
Messages are constructed as follows:
From: (address is spoofed)
Subject:
Body: Looking forward for a response :P
Attachment: password-protected ZIP archive. File within ZIP has random name. The password is included in the message body:
- archive password: %password%
- password: %password%
- pass: %password%
- password - - %password %
- %password % - - archive password
- ... btw, %password% is a password for archive
- password for archive %password%
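As an added, defender-side example (not part of the McAfee advisory), the following Python detector recognises the seven password-disclosure templates listed above, extracts the archive password so a mail scanner can open the ZIP attachment, and flags the ZIP-plus-password combination that this variant relies on; the sample messages and attachment names are constructed.

```python
import re
from typing import List, Optional

# One regex per password-disclosure template in the advisory; each captures
# the token that stands in for %password%. Order matters: the more specific
# "archive password:" form is tried before the bare "password:" form.
PASSWORD_TEMPLATES = [
    r"archive password:\s*(\S+)",
    r"\bpassword:\s*(\S+)",
    r"\bpass:\s*(\S+)",
    r"\bpassword - - (\S+)",
    r"(\S+) - - archive password",
    r"btw, (\S+) is a password for archive",
    r"password for archive\s+(\S+)",
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in PASSWORD_TEMPLATES]


def extract_archive_password(body: str) -> Optional[str]:
    """Return the password disclosed in a Bagle.h-style message body, or None."""
    for rx in _COMPILED:
        m = rx.search(body)
        if m:
            return m.group(1)
    return None


def is_bagle_h_style_message(body: str, attachment_names: List[str]) -> bool:
    """Flag a message that carries a ZIP attachment and states the archive
    password in its body, the combination Bagle.h uses to slip past scanners
    that cannot open encrypted archives."""
    has_zip = any(name.lower().endswith(".zip") for name in attachment_names)
    return has_zip and extract_archive_password(body) is not None


# Constructed sample messages (hypothetical; not taken from real mail).
SAMPLES = [
    ("Looking forward for a response :P\narchive password: 28413", ["kpxq.zip"]),
    ("Looking forward for a response :P\n... btw, 77102 is a password for archive", ["doc.zip"]),
    ("Looking forward for a response :P\n40915 - - archive password", ["img.zip"]),
    ("Quarterly report attached, password sent separately.", ["report.zip"]),
    ("password: 12345", ["photo.jpg"]),
]


def scan_samples() -> List[bool]:
    """Verdict for each constructed sample, in order."""
    return [is_bagle_h_style_message(body, names) for body, names in SAMPLES]
```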
Symptoms
Method of Infection
Mail Propagation
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
- .adb
- .asp
- .cfg
- .dbx
- .eml
- .htm
- .mdx
- .mmf
- .nch
- .ods
- .php
- .pl
- .sht
- .tbb
- .txt
- .wab
- .xml
The virus spoofs the sender address by using a harvested address in the From: field.
The virus avoids sending itself to addresses containing the following:
- @avp.
- @hotmail.com
- @microsoft
- @msn.com
- local
- noreply
- postmaster@
- root@
Remote Access Component
The virus listens on TCP port 2745 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by contacting various websites, calling a PHP script on each remote site. At the time of this writing this script is inaccessible. The websites are contacted every 27.8 hours.
http://postertog.de/scr.php
http://www.gfotxt.net/scr.php
http://www.maiklibis.de/scr.php
The format of the HTTP request sent to the above websites is:
GET /scr.php?p=2745 HTTP/1.1
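As an added, defender-side example (not part of the advisory), this Python snippet scans web-proxy log lines for the check-in request shown above, reporting a match on the exact path and port to one of the three listed hosts as high confidence and to any other host as lower confidence; the log format, client addresses and timestamps are constructed for illustration.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Check-in hosts named in the advisory.
CHECKIN_HOSTS = {"postertog.de", "www.gfotxt.net", "www.maiklibis.de"}
# The worm reports the TCP port its backdoor listens on in the query string.
BACKDOOR_PORT = "2745"
CHECKIN_PATH = re.compile(r"^/scr\.php$", re.IGNORECASE)


def classify_url(url: str) -> Optional[str]:
    """Return 'known-host' or 'unknown-host' for a Bagle.h-style check-in
    URL (path /scr.php with p=2745), or None for anything else."""
    parts = urlsplit(url)
    if not CHECKIN_PATH.match(parts.path):
        return None
    if parse_qs(parts.query).get("p") != [BACKDOOR_PORT]:
        return None
    host = (parts.hostname or "").lower()
    return "known-host" if host in CHECKIN_HOSTS else "unknown-host"


def find_checkins(log_lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines of the constructed form
    '<time> <client-ip> <method> <url> <status>' and return one record
    per GET request that matches the check-in format."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "GET":
            continue
        verdict = classify_url(fields[3])
        if verdict:
            hits.append({"time": fields[0], "client": fields[1],
                         "url": fields[3], "confidence": verdict})
    return hits


# Constructed sample log (hypothetical clients, timestamps and hosts).
SAMPLE_LOG = [
    "2004-03-02T07:25:10 10.0.0.17 GET http://www.gfotxt.net/scr.php?p=2745 404",
    "2004-03-02T07:25:11 10.0.0.17 GET http://postertog.de/scr.php?p=2745 404",
    "2004-03-02T07:26:02 10.0.0.23 GET http://intranet.example/scr.php?p=80 200",
    "2004-03-02T07:27:45 10.0.0.31 GET http://mirror.example/scr.php?p=2745 200",
    "2004-03-02T07:28:00 10.0.0.17 POST http://www.maiklibis.de/scr.php?p=2745 404",
]
```

A client that appears repeatedly at roughly 27.8-hour intervals is a further corroborating signal worth correlating across days.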
Peer To Peer Propagation
Files are created in folders that contain the phrase "shar":
- ACDSee 9.exe
- Adobe Photoshop 9 full.exe
- Ahead Nero 7.exe
- Matrix 3 Revolution English Subtitles.exe
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Office XP working Crack, Keygen.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Opera 8 New!.exe
- Porno pics arhive, xxx.exe
- Porno Screensaver.scr
- Porno, sex, oral, anal cool, awesome!!.exe
- Serials.txt.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- WinAmp 6 New!.exe
- Windown Longhorn Beta Leak.exe
- Windows Sourcecode update.doc.exe
- XXX hardcore images.exe
Removal
Proactive Detection
McAfee gateway products (and the email-scanner plugin within the desktop product) running the 4382 DATs or greater will detect the original email messages generated by this virus as W32/Bagle!eml.gen.
All Users: Use the specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
- Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32):
  i11r54n4.exe
  go154o.exe
  i1i5n1j4.exe
  i11r54n4.exeopen
- Edit the registry:
  - Delete the "rate.exe" value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - Delete the following key for W32/Bagle.h@MM: HKEY_CURRENT_USER\Software\Winexe
- Reboot the system into Default Mode.
Sniffer Customers: Filters have been developed that will look for traffic for the .G, .H and .J variants of W32/Bagle [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].
McAfee Threatscan:
ThreatScan Signature version: 2004-03-01
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:
- Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
-or-
- Select the "Other" category and "Scan All Vulnerabilities" template.
For additional information:
Run the "ThreatScan Template Report"
Look for module number #4068
ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:
- Select TCP Port scan
- Enter port: 2745
McAfee Desktop Firewall
To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 2745.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Beagle.h@MM (NAV)
- W32/Bagle-h (Sophos)
- W32/Bagle.h!pwdzip