W32/Bagle.bk@MM

Content

W32/Bagle.bk@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 01/26/2005
Length: varies
Minimum DAT: 4423 (01/27/2005)
Updated DAT: 4626 (11/11/2005)
Minimum Engine: 5.1.00
Description Added: 01/26/2005
Description Modified: 01/27/2005 5:44 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

-- Update 27th January 2005 13:00 PST --

This variant is very similar to the W32/Bagle.bj@MM variant which has had its risk assessment raised to medium.

The 4423 DATs that will be released early for this threat will include detection and cleaning for this W32/Bagle.bk@MM variant as well.

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
contains a remote access component (notification is sent to hacker)
copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Body Text:

Thanks for use of our software.
Before use read the help

Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)

wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03

The virus copies itself into the Windows System directory as sysformat.exe. For example:

C:\WINNT\SYSTEM32\sysformat.exe

It also creates other files in this directory to perform its functions:

C:\WINNT\SYSTEM32\sysformat.exeopen
C:\WINNT\SYSTEM32\sysformat.exeopenopen

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "sysformat" = C:\WINNT\SYSTEM32\sysformat.exe

Additionally, the following Registry keys are added:

HKEY_CURRENT_USER\Software\Microsoft\Params "riga"

It deletes these values

"My AV"
"ICQ Net"

from the following Registry keys, if they are present:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

This worm attempts to terminate the process of security programs with the the following filenames:

mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.exe
ccPxySvc.exe
navapsvc.exe
NPROTECT.exe
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.exe
ATUPDATER.exe
LUALL.exe
DRWEBUPW.exe
AUTODOWN.exe
NUPGRADE.exe
OUTPOST.exe
ICSSUPPNT.exe
ICSUPP95.exe
ESCANH95.exe
AVXQUAR.exe
ESCANHNT.exe
ATUPDATER.exe
AUPDATE.exe
AUTOTRACE.exe
AUTOUPDATE.exe
AVXQUAR.exe
AVWUPD32.exe
AVPUPD.exe
CFIAUDIT.exe
UPDATE.exe
NUPGRADE.exe
MCUPDATE.exe
pavsrv50.exe
AVENGINE.exe
APVXDWIN.exe
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.exe
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.exe
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.exe
UpdaterUI.exe

The worm opens random ports starting with 2339 (TCP) on the victim machine.

Symptoms

Unexpected ports (TCP) open on the victim machine

Outgoing messages matching the described characteristics

Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

Peer To Peer Propagation

Files are created in folders that contain the phrase shar :

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

Remote Access Component

The virus listens on random TCP ports, for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a JPG file (error.jpg) on the remote sites.

http://www.pyrlandia-boogie.pl
http://www.kps4parents.com
http://www.pipni.cz
http://www.selu.edu
http://www.travelchronic.de
http://www.fleigutaetscher.ch
http://www.irakli.org
http://www.oboe-online.com
http://www.pe-sh.com
http://www.idb-group.net
http://www.ceskyhosting.cz
http://www.hartacorporation.com
http://www.glass.la
http://www.24-7-transportation.com
http://www.fepese.ufsc.br
http://www.ellarouge.com.au
http://www.bbsh.org
http://www.boneheadmusic.com
http://www.sljinc.com
http://www.tivogoddess.com
http://www.fcpages.com
http://www.szantomierz.art.pl
http://www.elenalazar.com
http://www.generationnow.net
http://www.flashcorp.com
http://www.kencorbett.com
http://www.FritoPie.NET
http://www.leonhendrix.com
http://www.transportation.gov.bh
http://www.jhaforpresident.7p.com
http://www.DarrkSydebaby.com
http://www.cntv.info
http://www.sugardas.lt
http://www.adhdtests.com
http://www.argontech.net
http://www.customloyal.com
http://www.ohiolimo.com
http://www.topko.sk
http://www.ssmifc.ca
http://www.reliance-yachts.com
http://www.worest.com.ar
http://www.kps4parents.com
http://www.coolfreepages.com
http://www.scanex-medical.fi
http://www.jimvann.com
http://www.orari.net
http://www.himpsi.org
http://www.mtfdesign.com
http://www.jldr.ca
http://www.relocationflorida.com
http://www.rentalstation.com
http://www.approved1stmortgage.com
http://www.velezcourtesymanagement.com
http://www.sunassetholdings.com
http://www.compsolutionstore.com
http://www.uhcc.com
http://www.justrepublicans.com
http://www.pfadfinder-leobersdorf.com
http://www.featech.com
http://www.vinirforge.com
http://www.magicbottle.com.tw
http://www.giantrevenue.com
http://www.couponcapital.net
http://www.crystalrose.ca
http://www.bottombouncer.com
http://www.anthonyflanagan.com
http://www.bradster.com
http://www.traverse.com
http://www.ims-i.com
http://www.realgps.com
http://www.aviation-center.de
http://www.gci-bln.de
http://www.pankration.com
http://www.jansenboiler.com
http://www.corpsite.com
http://www.everett.wednet.edu
http://www.onepositiveplace.org
http://www.raecoinc.com
http://www.wwwebad.com
http://www.corpsite.com
http://www.wwwebmaster.com
http://www.wwwebad.com
http://www.dragcar.com
http://www.wwwebad.com
http://www.oohlala-kirkland.com
http://www.calderwoodinn.com
http://www.buddyboymusic.com
http://www.smacgreetings.com
http://www.tkd2xcell.com
http://www.curtmarsh.com
http://www.dontbeaweekendparent.com
http://www.soloconsulting.com
http://www.lasermach.com
http://www.alupass.lu
http://www.sigi.lu
http://www.redlightpictures.com
http://www.irinaswelt.de
http://www.bueroservice-it.de
http://www.kranenberg.de
http://www.the-fabulous-lions.de
http://www.mongolische-renner.de
http://www.capri-frames.de
http://www.aimcenter.net
http://www.boneheadmusic.com
http://www.fludir.is
http://www.sljinc.com
http://www.tivogoddess.com
http://www.fcpages.com
http://www.andara.com
http://www.freeservers.com
http://www.programmierung2000.de
http://www.asianfestival.nl
http://www.aviation-center.de
http://www.gci-bln.de
http://www.mass-i.kiev.ua
http://www.jasnet.pl
http://www.atlantisteste.hpg.com.br
http://www.fludir.is
http://www.rieraquadros.com.br
http://www.metal.pl
http://www.handsforhealth.com
http://www.angelartsanctuary.com
http://www.firstnightoceancounty.org
http://www.chinasenfa.com
http://www.ulpiano.org
http://www.gamp.pl
http://www.vikingpc.pl
http://www.woundedshepherds.com
http://www.cpc.adv.br
http://www.velocityprint.com
http://www.esperanzaparalafamilia.com
http://www.celula.com.mx
http://www.mexis.com
http://www.wecompete.com
http://www.vbw.info
http://www.gfn.org
http://www.aegee.org
http://www.deadrobot.com
http://www.cscliberec.cz
http://www.ecofotos.com.br
http://www.amanit.ru
http://www.bga-gsm.ru
http://www.innnewport.com
http://www.knicks.nl
http://www.srg-neuburg.de
http://www.mepmh.de
http://www.mepbisu.de
http://www.kradtraining.de
http://www.polizeimotorrad.de
http://www.sea.bz.it
http://www.uslungiarue.it
http://www.gcnet.ru
http://www.aimcenter.net
http://www.vandermost.de
http://www.szantomierz.art.pl
http://www.immonaut.sk
http://www.eurostavba.sk
http://www.spadochron.pl

Removal

All Users :
The specified engine and DAT files were released early for this threat.

Additional Windows ME/XP removal considerations

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
Delete the files following from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
sysformat.exe
sysformat.exeopen
sysformat.exeopenopen
Edit the registry
- Delete the "Sysformat" value from
  - HKEY_CURRENT_USER\Software\Microsoft\
    Windows\CurrentVersion\Run
Reboot the system into Default Mode

McAfee Intrushield
An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:

https://mysupport.nai.com/
Knowledgebase Article KB38001

Please note: The above knowledgebase article is password protected and requires your to log into Service Portal before accessing it.

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

-- Update 27th January 2005 13:00 PST --

This variant is very similar to the W32/Bagle.bj@MM variant which has had its risk assessment raised to medium.

The 4423 DATs that will be released early for this threat will include detection and cleaning for this W32/Bagle.bk@MM variant as well.

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
contains a remote access component (notification is sent to hacker)
copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Body Text:

Thanks for use of our software.
Before use read the help

Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)

wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03

The virus copies itself into the Windows System directory as sysformat.exe. For example:

C:\WINNT\SYSTEM32\sysformat.exe

It also creates other files in this directory to perform its functions:

C:\WINNT\SYSTEM32\sysformat.exeopen
C:\WINNT\SYSTEM32\sysformat.exeopenopen

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "sysformat" = C:\WINNT\SYSTEM32\sysformat.exe

Additionally, the following Registry keys are added:

HKEY_CURRENT_USER\Software\Microsoft\Params "riga"

It deletes these values

"My AV"
"ICQ Net"

from the following Registry keys, if they are present:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

This worm attempts to terminate the process of security programs with the the following filenames:

mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.exe
ccPxySvc.exe
navapsvc.exe
NPROTECT.exe
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.exe
ATUPDATER.exe
LUALL.exe
DRWEBUPW.exe
AUTODOWN.exe
NUPGRADE.exe
OUTPOST.exe
ICSSUPPNT.exe
ICSUPP95.exe
ESCANH95.exe
AVXQUAR.exe
ESCANHNT.exe
ATUPDATER.exe
AUPDATE.exe
AUTOTRACE.exe
AUTOUPDATE.exe
AVXQUAR.exe
AVWUPD32.exe
AVPUPD.exe
CFIAUDIT.exe
UPDATE.exe
NUPGRADE.exe
MCUPDATE.exe
pavsrv50.exe
AVENGINE.exe
APVXDWIN.exe
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.exe
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.exe
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.exe
UpdaterUI.exe

The worm opens random ports starting with 2339 (TCP) on the victim machine.

Symptoms

Symptoms -

Unexpected ports (TCP) open on the victim machine

Outgoing messages matching the described characteristics

Files/Registry keys as described

Method of Infection

Method of Infection -

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

Peer To Peer Propagation

Files are created in folders that contain the phrase shar :

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

Remote Access Component

http://www.pyrlandia-boogie.pl
http://www.kps4parents.com
http://www.pipni.cz
http://www.selu.edu
http://www.travelchronic.de
http://www.fleigutaetscher.ch
http://www.irakli.org
http://www.oboe-online.com
http://www.pe-sh.com
http://www.idb-group.net
http://www.ceskyhosting.cz
http://www.hartacorporation.com
http://www.glass.la
http://www.24-7-transportation.com
http://www.fepese.ufsc.br
http://www.ellarouge.com.au
http://www.bbsh.org
http://www.boneheadmusic.com
http://www.sljinc.com
http://www.tivogoddess.com
http://www.fcpages.com
http://www.szantomierz.art.pl
http://www.elenalazar.com
http://www.generationnow.net
http://www.flashcorp.com
http://www.kencorbett.com
http://www.FritoPie.NET
http://www.leonhendrix.com
http://www.transportation.gov.bh
http://www.jhaforpresident.7p.com
http://www.DarrkSydebaby.com
http://www.cntv.info
http://www.sugardas.lt
http://www.adhdtests.com
http://www.argontech.net
http://www.customloyal.com
http://www.ohiolimo.com
http://www.topko.sk
http://www.ssmifc.ca
http://www.reliance-yachts.com
http://www.worest.com.ar
http://www.kps4parents.com
http://www.coolfreepages.com
http://www.scanex-medical.fi
http://www.jimvann.com
http://www.orari.net
http://www.himpsi.org
http://www.mtfdesign.com
http://www.jldr.ca
http://www.relocationflorida.com
http://www.rentalstation.com
http://www.approved1stmortgage.com
http://www.velezcourtesymanagement.com
http://www.sunassetholdings.com
http://www.compsolutionstore.com
http://www.uhcc.com
http://www.justrepublicans.com
http://www.pfadfinder-leobersdorf.com
http://www.featech.com
http://www.vinirforge.com
http://www.magicbottle.com.tw
http://www.giantrevenue.com
http://www.couponcapital.net
http://www.crystalrose.ca
http://www.bottombouncer.com
http://www.anthonyflanagan.com
http://www.bradster.com
http://www.traverse.com
http://www.ims-i.com
http://www.realgps.com
http://www.aviation-center.de
http://www.gci-bln.de
http://www.pankration.com
http://www.jansenboiler.com
http://www.corpsite.com
http://www.everett.wednet.edu
http://www.onepositiveplace.org
http://www.raecoinc.com
http://www.wwwebad.com
http://www.corpsite.com
http://www.wwwebmaster.com
http://www.wwwebad.com
http://www.dragcar.com
http://www.wwwebad.com
http://www.oohlala-kirkland.com
http://www.calderwoodinn.com
http://www.buddyboymusic.com
http://www.smacgreetings.com
http://www.tkd2xcell.com
http://www.curtmarsh.com
http://www.dontbeaweekendparent.com
http://www.soloconsulting.com
http://www.lasermach.com
http://www.alupass.lu
http://www.sigi.lu
http://www.redlightpictures.com
http://www.irinaswelt.de
http://www.bueroservice-it.de
http://www.kranenberg.de
http://www.the-fabulous-lions.de
http://www.mongolische-renner.de
http://www.capri-frames.de
http://www.aimcenter.net
http://www.boneheadmusic.com
http://www.fludir.is
http://www.sljinc.com
http://www.tivogoddess.com
http://www.fcpages.com
http://www.andara.com
http://www.freeservers.com
http://www.programmierung2000.de
http://www.asianfestival.nl
http://www.aviation-center.de
http://www.gci-bln.de
http://www.mass-i.kiev.ua
http://www.jasnet.pl
http://www.atlantisteste.hpg.com.br
http://www.fludir.is
http://www.rieraquadros.com.br
http://www.metal.pl
http://www.handsforhealth.com
http://www.angelartsanctuary.com
http://www.firstnightoceancounty.org
http://www.chinasenfa.com
http://www.ulpiano.org
http://www.gamp.pl
http://www.vikingpc.pl
http://www.woundedshepherds.com
http://www.cpc.adv.br
http://www.velocityprint.com
http://www.esperanzaparalafamilia.com
http://www.celula.com.mx
http://www.mexis.com
http://www.wecompete.com
http://www.vbw.info
http://www.gfn.org
http://www.aegee.org
http://www.deadrobot.com
http://www.cscliberec.cz
http://www.ecofotos.com.br
http://www.amanit.ru
http://www.bga-gsm.ru
http://www.innnewport.com
http://www.knicks.nl
http://www.srg-neuburg.de
http://www.mepmh.de
http://www.mepbisu.de
http://www.kradtraining.de
http://www.polizeimotorrad.de
http://www.sea.bz.it
http://www.uslungiarue.it
http://www.gcnet.ru
http://www.aimcenter.net
http://www.vandermost.de
http://www.szantomierz.art.pl
http://www.immonaut.sk
http://www.eurostavba.sk
http://www.spadochron.pl

Removal -

All Users :
The specified engine and DAT files were released early for this threat.

Additional Windows ME/XP removal considerations

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
Delete the files following from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
sysformat.exe
sysformat.exeopen
sysformat.exeopenopen
Edit the registry
- Delete the "Sysformat" value from
  - HKEY_CURRENT_USER\Software\Microsoft\
    Windows\CurrentVersion\Run
Reboot the system into Default Mode

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Global Sites

Need Help?

Threat Center

Segment Navigation

Section Navigation

Content

W32/Bagle.bk@MM

Risk Assessment

Tab Navigation

Overview

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer