English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Email-Worm.Win32.Bagle.fj

Detected Feb 07 2006 12:47 GMT
Released Jan 20 2010 17:08 GMT
Published Feb 07 2006 12:47 GMT

Manual description Auto description
This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details

This worm spreads via the Internet as an attachment to infected messages. It also spreads via file-sharing networks. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file, between 16 and 20KB in size.

Installation

Once launched, the worm causes the default text editor (usually Notepad) to display an empty window.

When installing, the worm copies itself to the Windows system directory as "sysformat.exe":

%System%\sysformat.exe

It then registers itself in the system registry, ensuring that the worm will be launched each time Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sysformat" = "%System%\sysformat.exe"

The worm also modifies the following system registry key in order to prevent the firewall in Windows XP from being functioning:

[HKLM\System\CurrentControlSet\Services\SharedAccess] "Start" = "4"

The worm also adds the following record to the system registry to flag the system as being infected:

[HKCU\Software\Microsoft\Params]
"FirstRun" = "01"

Propagation via email

The worm sends itself to email addresses harvested from files with the following extensions:

.adb 
.asp 
.cfg 
.cgi 
.dbx 
.dhtm 
.eml 
.htm 
.jsp
.mbx 
.mdx 
.mht 
.mmf 
.msg 
.nch 
.ods 
.oft 
.php 
.pl 
.sht 
.shtm 
.stm 
.tbb 
.txt 
.uin 
.wab 
.wsh 
.xls 
.xml

In order to send infected messages, the worm establishes a direct connection to the recipient's SMTP server.

The worm does not send messages to addresses which contain the following strings:

@avp. 
@foo 
@iana 
@messagelab 
@microsoft
abuse 
admin 
anyone@ 
bsd 
bugs@ 
cafee 
certific 
contract@ 
feste 
free-av 
f-secur 
gold-certs@ 
google 
help@ 
icrosoft 
info@ 
kasp 
linux 
listserv 
local 
news 
nobody@ 
noone@ 
noreply 
ntivi 
panda 
pgp 
postmaster@
rating@ 
root@ 
samples 
sopho 
spam 
support 
unix 
update 
winrar 
winzip

Infected messages

Example of an infected message:

Message subject (chosen at random from the list below):

Delivery by mail 
Delivery service mail 
February price
Is delivered mail
price 
Registration is accepted
You are made active

Message body (chosen at random from the list below):

Before use read the help 
February price
price
Thanks for use of our software.

Attachment name (chosen at random from the list below):

21_price.zip
February_price.zip
guupd02.zip
Jol03.zip
new_price.zip
price.zip
pricelist.zip
pricelst.zip
siupd02.zip
upd02.zip
viupd02.zip
wsd01.zip
zupd02.zip

The archive contains a copy of the worm and a text file which contains garbage text.

Propagation via P2P

The worm creates copies of itself in all subdirectories where the name contains the word "Shar". The copies are saved under names chosen from the following list:

1.exe 
10.exe 
2.exe 
3.exe 
4.exe 
5.scr 
6.exe 
7.exe 
8.exe 
9.exe 
ACDSee 9.exe 
Adobe Photoshop 9 full.exe 
Ahead Nero 7.exe 
Matrix 3 Revolution English Subtitles.exe 
Opera 8 New!.exe 
WinAmp 5 Pro Keygen Crack Update.exe 
WinAmp 6 New!.exe 
Windown Longhorn Beta Leak.exe 
XXX hardcore images.exe 

Payload

The worm contains a list of URLs which it checks for the presence of files. If a file is placed on one of these sites, the worm will download it to the victim machine and launch it for execution. The list of URLs is as follows:

http://www.alexandriaradiology.com
http://www.algor.com
http://www.belwue.de
http://www.booksbyhunter.com
http://www.campus-and-more.com
http://www.capitalforex.com
http://www.capitalspreadspromo.com
http://www.casinobrillen.de
http://www.casinofunnights.com
http://www.cnsrvr.com
http://www.coupdepinceau.com
http://www.crazyiron.ru
http://www.curious.be
http://www.databoots.de
http://www.digitalefoto.net
http://www.duodaydream.nl
http://www.ec.cox-wacotrib.com
http://www.emarrynet.com
http://www.erotologist.com
http://www.eversetic.com
http://www.ezybidz.com
http://www.fachman.com
http://www.finlaw.ru
http://www.fitdina.com
http://www.flashcardplayer.com
http://www.flox-avant.ru
http://www.forumgestionvilles.com
http://www.gaspekas.com
http://www.genesisfinancialonline.com
http://www.georg-kuenzle.ch
http://www.girardelli.com
http://www.golden-gross.ru
http://www.gregoryolson.com
http://www.gtechna.com
http://www.harmony-farms.net
http://www.hftmusic.com
http://www.hiwmreport.com
http://www.horizonimagingllc.com
http://www.hotelbus.de
http://www.houstonzoo.org
http://www.howiwinmoney.com
http://www.iesgrantarajal.org
http://www.ietcn.com
http://www.import-world.com
http://www.imspress.com
http://www.internalcardreaders.com
http://www.interorient.ru
http://www.interstrom.ru
http://www.iutoledo.org
http://www.jackstitt.com
http://www.josemarimuro.com
http://www.kameo-bijux.ru
http://www.karrad6000.ru
http://www.kaztransformator.kz
http://www.keywordthief.com
http://www.kyno.cz
http://www.lotslink.com
http://www.lunardi.com
http://www.lxlight.com
http://www.newportsystemsusa.com
http://www.njzt.net
http://www.posteffects.com
http://www.prineus.de
http://www.provax.sk
http://www.q-serwer.net
http://www.rodoslovia.ru
http://www.sgmisburg.de
http://www.sorisem.net
http://www.steintrade.net
http://www.thetildegroup.com
http://www.uni-esma.de
http://www.varc.lv
http://www.vybercz.cz
http://www.wellness-i.com
http://www.wena.net
http://www.westcoastcadd.com
http://www.wing49.cz
http://www.wxcsxy.com
http://www.yili-lighting.com
http://www.zebrachina.net

The worm also terminates processes if the names contain one of the following strings:

alogserv.exe
APVXDWIN.EXE
ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
Avconsol.exe
AVENGINE.EXE
AVPUPD.EXE
Avsynmgr.exe
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
bawindo.exe
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
CFIAUDIT.EXE
DefWatch.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
mcagent.exe
mcshield.exe
MCUPDATE.EXE
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapsvc.exe
navapsvc.exe
navapw32.exe
NISUM.EXE
nopdb.exe
NPROTECT.EXE
NPROTECT.EXE
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
pavProxy.exe
pavsrv50.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
symlcsvc.exe
UPDATE.EXE
UpdaterUI.exe
Vshwin32.exe
VsStat.exe
VsTskMgr.exe

The worm modifies the "%System%\drivers\etc\hosts" file by adding the text below. This means that the sites listed below cannot be visited from the victim machine.

127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www3.ca.com

The worm also deletes the following system registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"My AV"
"ICQ Net"

Bookmark and Share
Share
Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to a SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Other versions

Aliases

Email-Worm.Win32.Bagle.fj (Kaspersky Lab) is also known as:

  • Virus: W32/Bagle.dp!M328 (McAfee)
  • W32/Bagle-CH (Sophos)
  • Worm.Bagle.CP (ClamAV)
  • W32/Bagle.GS.worm!CME-328 (Panda)
  • W32/Bagle.DW@mm (FPROT)
  • Worm:Win32/Bagle.X@mm (MS(OneCare))
  • Win32.HLLM.Beagle.19829 (DrWeb)
  • Win32/Bagle.FA worm (Nod32)
  • Win32.Worm.Bagle.FJ (BitDef7)
  • I-Worm.Bagle.GJ (VirusBuster)
  • Win32:Beagle-HZ [Wrm] (AVAST)
  • Email-Worm.Win32.Bagle (Ikarus)
  • WORM/Bagle.FI (AVIRA)
  • W32.Beagle.DL@mm (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.Patched.a (Rising)
  • WORM_BAGLE.CL (TrendMicro)
  • I-Worm.Bagle.GJ (VirusBusterBeta)