
Email-Worm.Win32.Bagle.fm

Detected Feb 09 2006 14:20 GMT
Released Feb 09 2006 14:20 GMT
Published Mar 30 2006 11:57 GMT

Technical Details

This worm spreads via the Internet as an attachment to infected messages. It also spreads via file-sharing networks. It sends itself to email addresses harvested from the victim machine.

The worm has backdoor functionality. It is also able to download other files from the Internet without the knowledge or consent of the user.

The worm itself is a PE EXE file approximately 26KB in size.

Installation

Once launched, the worm causes the following error message to be displayed:

During installation, the worm copies itself to the Windows system directory under the following names:

%System%\regmaping.exe
%System%\regmaping.exeopen
%System%\regmaping.exeopenopen

The worm then registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "Regmonitor"="%System%\regmaping.exe"

The worm also creates a file named winresw.exe in the Windows root directory:

%Windir%\winresw.exe

This file is the worm's Trojan component which downloads other files from the Internet without the user's knowledge.

Propagation via email

The worm sends itself to email addresses harvested from files with the extensions listed below:

adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

When sending infected messages, the worm establishes a direct connection to the recipient's SMTP server.

The worm does not send itself to addresses which contain the strings listed below:

@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

Infected messages

Example

Message subject (chosen from the list below):

  • Your Receipt <random number>--<random number>
  • Order reminder: ID <random number>
  • Billing department, order <random number>--<random number>

Message body (chosen from the list below):

  • Dear Sir or Madam,

    This notification is just a friendly reminder (not a bill or a second charge) that on 15-JAN-06, you placed an order from Symantec Store. This order was paid using your Visa, whose last 4 digits are ************2346, and will be appearing on your billing statement shortly. The charge will appear as DR *Symantec. This is just a reminder to help you recognize the charge. You will not be charged again.

    You antivirus definition file is attached to this email, please install it to be perfectly protected from the latest viruses and other internet threats.

  • Details about your reciept attached with this email. You have to use Adobe Acrobat Reader to open it.

    Transaction Number: <random number>

    This is your receipt for your $1490 purchase of a 1.0 months
    subscription which will appear on your statement as <random number>.
    Your membership will automatically renew per the terms and conditions.

    Should you ever have any
    problems whatsoever, please don't hesitate to contact our live technical support staff - available 24 hours a day 7 days a week. We can be reached by phone toll free in the US at 800-***-8593. Rather use email?
    Drop us a line at bill@gmail.com and we'll always get back to you within an hour.

    Enjoy the service!
    Support

  • Your email <recipient's address> has exceeded its
    bandwidth quota in the period beginning on 2006-01-01.
    Your quota is set to 10485760 bytes (10.0 MB), and
    your email has consumed 559189702 bytes (533.285 MB) beyond that quota.

    Our over-bandwidth charges are
    Additional Bandwidth/Month Monthly Cost
    100 Mb $200.00
    200 MB $360.00
    300 MB $480.00
    400 MB $624.00
    500 Mb $740.00 <- your over-usage
    600 Mb $850.00

    Our automatically generated bill is attached with this email.

    Sincerely,
    Sales Manager.

Attachment name (chosen from the list below):

  • Generated_bill.exe
  • Order_details.exe
  • Service_receipt.exe

The attachment may contain a text file called Description.txt, which contains the following text:

Order attach
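The subject templates, attachment names and body phrases listed above can drive a mail-gateway check. This is an added example, not part of Kaspersky's description or tooling; the two messages it parses are constructed samples, and the body phrases are lifted from the three templates above.

```python
import re
from email import message_from_string
from typing import List

# Subject templates from the description; <random number> becomes \d+.
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^Your Receipt \d+--\d+$", r"^Order reminder: ID \d+$",
    r"^Billing department, order \d+--\d+$")]
ATTACHMENT_NAMES = {"generated_bill.exe", "order_details.exe", "service_receipt.exe"}
# Phrases taken from the three body templates above (compared case-insensitively).
BODY_MARKERS = ["placed an order from symantec store", "bandwidth quota",
                "details about your reciept"]

def bagle_fm_reasons(raw: str) -> List[str]:
    """Return why a raw RFC 822 message matches the Bagle.fm mailing pattern
    (an empty list means no match)."""
    msg = message_from_string(raw)
    reasons: List[str] = []
    subject = msg.get("Subject", "")
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        reasons.append(f"subject template: {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in ATTACHMENT_NAMES:
            reasons.append(f"known attachment name: {name}")
        elif name and name.lower().endswith(".exe"):
            reasons.append(f"executable attachment: {name}")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace").lower()
            reasons += [f"body marker: {m!r}" for m in BODY_MARKERS if m in body]
    return reasons

# Constructed sample messages (not real captures).
INFECTED = """\
From: billing@example.invalid
To: user@example.invalid
Subject: Order reminder: ID 48213
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Details about your reciept attached with this email.
--bnd
Content-Type: application/octet-stream; name="Order_details.exe"
Content-Disposition: attachment; filename="Order_details.exe"
Content-Transfer-Encoding: base64

QUJD
--bnd--
"""
BENIGN = "From: a@example.invalid\nTo: b@example.invalid\nSubject: Meeting notes\n\nSee you at 10.\n"
```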

Propagation via P2P

The worm creates copies of itself in all subdirectories which have the word "Shar" in the name. The copies are saved under names chosen from the list below:

  • Adobe Photoshop 9 full.exe
  • Ahead Nero 10.exe
  • anna benson sex video.exe
  • barrett jackson nude photos, movies, porn video.exe
  • Britney Spears sex photos.exe
  • IE beta 7.exe
  • jenna elfman sex anal deepthroat
  • kate beckinsale nude pictures.exe
  • miss america Porno, sex, oral, anal cool, awesome!!.exe
  • paris hilton Porno pics arhive, xxx.exe
  • Porno Screensaver.scr
  • Serials 2005 database.exe
  • Serials.txt.exe
  • Windown Vista Beta Leak.exe
  • Windows Sourcecode update.doc.exe
  • XXX hardcore images.exe

Remote administration

The worm opens TCP port 6777 to listen for commands.

Other

The winresw.exe component created by the worm contains a list of URLs which the worm checks for the presence of files. If a file is placed on one of these URLs, the worm will download it to the victim machine, and launch it for execution.

http://***hit.fateback.com
http://209.16.***.230/.%20/pr
http://debut.***.com/
http://dook.***.by/
http://ijj.t***.com/
http://myphotokool.t***.com/

The worm may download updates to itself, or other malicious programs from these URLs.

The worm deletes the following records from the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 My AV
 Zone Labs Client Ex
 9XHtProtect
 Antivirus
 Special Firewall Service
 service
 Tiny AV
 ICQNet
 HtProtect
 NetDy
 Jammer2nd
 FirewallSvr
 MsInfo
 SysMonXP
 EasyAV
 PandaAVEngine
 Norton Antivirus AV
 KasperskyAVEng
 SkynetsRevenge
 ICQ Net
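A host-side check covering the installation artifacts, the Run-key persistence value, the TCP 6777 listener and the deleted security-product autostart entries described in this page. Added example, not part of the original page or of any Kaspersky tool; the snapshot it runs over is constructed, and the default system directories are assumptions the caller can override.

```python
from typing import Dict, Iterable, List

# Indicators taken from the description above; %System% and %Windir% are
# expanded with the directories supplied by the caller.
DROPPED_FILES = [r"%System%\regmaping.exe", r"%System%\regmaping.exeopen",
                 r"%System%\regmaping.exeopenopen", r"%Windir%\winresw.exe"]
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Regmonitor"
BACKDOOR_PORT = 6777
# Autostart values the worm deletes from the HKLM/HKCU Run keys (subset of the list above).
DELETED_AV_VALUES = {"Norton Antivirus AV", "KasperskyAVEng", "PandaAVEngine",
                     "Zone Labs Client Ex", "EasyAV", "Tiny AV", "My AV"}

def expand(path: str, system_dir: str, windir: str) -> str:
    return path.replace("%System%", system_dir).replace("%Windir%", windir).lower()

def find_bagle_fm_indicators(files: Iterable[str], run_values: Dict[str, Dict[str, str]],
                             listening_tcp_ports: Iterable[int],
                             baseline_run_names: Iterable[str] = (),
                             system_dir: str = r"C:\WINDOWS\system32",
                             windir: str = r"C:\WINDOWS") -> List[str]:
    """Match a host snapshot (file list, Run-key values, listening TCP ports and,
    optionally, the Run value names known to exist before) against the indicators."""
    findings: List[str] = []
    present = {f.lower() for f in files}
    for path in DROPPED_FILES:
        if expand(path, system_dir, windir) in present:
            findings.append(f"dropped file: {path}")
    value = run_values.get(RUN_KEY, {}).get(RUN_VALUE, "")
    if value.lower().endswith(r"\regmaping.exe"):
        findings.append(f"persistence: {RUN_KEY}\\{RUN_VALUE} = {value}")
    if BACKDOOR_PORT in set(listening_tcp_ports):
        findings.append(f"backdoor listener on TCP {BACKDOOR_PORT}")
    # A security product's autostart entry that existed before and is now gone.
    current = {name for values in run_values.values() for name in values}
    for name in baseline_run_names:
        if name in DELETED_AV_VALUES and name not in current:
            findings.append(f"autostart entry removed: {name}")
    return findings

# Constructed snapshot of an infected host (sample data, not real telemetry).
SAMPLE_FILES = [r"C:\WINDOWS\system32\regmaping.exe",
                r"C:\WINDOWS\system32\regmaping.exeopen", r"C:\WINDOWS\winresw.exe"]
SAMPLE_RUN = {RUN_KEY: {"Regmonitor": r"C:\WINDOWS\system32\regmaping.exe"}}
SAMPLE_PORTS = [135, 445, 6777]
SAMPLE_BASELINE = ["KasperskyAVEng", "ctfmon"]
```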

The worm body contains the following strings:

In a difficult world
In a nameless time
I want to survive
So, you will be mine!!
-- Bagle Author, 29.04.04, Germany.

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to an SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Other versions

Aliases

Email-Worm.Win32.Bagle.fm (Kaspersky Lab) is also known as:

  • Virus: W32/Bagle.dr@MM (McAfee)
  • Mal/HckPk-A (Sophos)
  • Worm.Bagle.CR (ClamAV)
  • W32/Bagle.KV.worm (Panda)
  • Sality (FPROT)
  • Worm:Win32/Bagle.IT@mm (MS(OneCare))
  • Win32.Generic.495964 (BitDef7)
  • Win32:Beagle-ID [Wrm] (AVAST)
  • Virus.Win32.Sality (Ikarus)
  • Win32/Sality (AVG)
  • W32/Sality.L (AVIRA)
  • W32.Beagle.DO@mm (NAV)
  • W32/Bagle.HJ@mm (Norman)
  • Packer.Win32.UnkPacker.d [Suspicious] (Rising)