English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Email-Worm.Win32.Bagle.gt

Detected May 11 2007 09:19 GMT
Released May 29 2007 09:37 GMT
Published May 11 2007 09:19 GMT

Technical Details
Payload
Removal instructions

Technical Details

This worm spreads via the Internet as an attachment to infected messages. Infected messages will be sent to all email addresses harvested from the victim machine.

The worm is also able to download other files from the Internet without the knowledge or consent of the user.

The worm itself is a PE EXE file. The file is 40,565 bytes in size.

Installation

During installation, the worm creates the following hidden file:

%Documents and Settings%\Application Data\hidn

It then copies its body to this folder under the following names:

%Documents and Settings%\Application Data\hidn\hidn2.exe
%Documents and Settings%\Application Data\hidn\hldrrr.exe

The worm also adds a link to its executable file in the system registry, ensuring that it will be launched when Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"drv_st_key" = "%Documents and Settings%\Application Data\hidn\hidn2.exe"

The worm deletes the following registry key, making it impossible to boot the infected computer in Safe Mode:

[HKLM\System\CurrentControlSet\Control\SafeBoot]

Propagation via email

The worm scans all hard disk partitions for files with the following extensions. Email addresses will be harvested from these files.

.adb 
.asp 
.cfg 
.cgi 
.dbx 
.dhtm 
.eml 
.htm 
.jsp
.mbx 
.mdx 
.mht 
.mmf 
.msg 
.nch 
.ods 
.oft 
.php 
.pl 
.sht 
.shtm 
.stm 
.tbb 
.txt 
.uin 
.wab 
.wsh 
.xls 
.xml

The worm is also able to download files from the Internet which contain email addresses. It will download such files from the following links:

http://acce***le.cl/1/eml.php
http://am***dy.com/1/eml.php
http://avatare***atis.com/1/eml.php
http://be***lu.com.tr/1/eml.php
http://brand***ck.com/1/eml.php
http://c-***.com.au/1/eml.php
http://cam***mafra.sc.gov.br/1/eml.php
http://campos***ipamentos.com.br/1/eml.php
http://cbr***o.sos.pl/1/eml.php
http://coparefre***s.stantonstreetgroup.com/1/eml.php
http://creai***ire.com/1/eml.php
http://dese***i.com.br/1/eml.php
http://hotel***lba.com/1/eml.php
http://inca.d***solution.net/1/eml.php
http://veranm***ala.com/1/eml.php
http://wkligh***azwa.pl/1/eml.php
http://www.***npl.com/1/eml.php
http://www.aura***.com/1/eml.php
http://www.buy***ital.co.kr/1/eml.php
http://www.d***.cl/1/eml.php
http://www.disco***apuzzle.com/1/eml.php
http://www.in***file.gr/1/eml.php
http://www.tita***tors.com/images/1/eml.php
http://yon***n24.co.kr/1/eml.php

A file downloaded from these links will be saved to the Windows temporary directory:

%WinDir%\elist.xpt

The worm sends itself to all email addresses in the downloaded file.

The worm will not send itself to email addresses which contain the following strings:

@avp. 
@foo 
@iana 
@messagelab 
abuse 
admin 
anyone@ 
bsd 
bugs@ 
cafee 
certific 
contract@ 
feste 
free-av 
f-secur 
gold-certs@ 
google 
help@ 
icrosoft 
info@ 
kasp 
linux 
listserv 
local 
news 
nobody@ 
noone@ 
noreply 
ntivi 
panda 
pgp 
postmaster@
rating@ 
root@ 
samples 
sopho 
spam 
support 
unix 
update 
winrar 
winzip

The worm uses its own SMTP engine to send infected messages.

Infected messages:

Attachment name (chosen at random from the list below):

latest_price.zip
new_price.zip
price.zip

Payload

The worm contains a list of URLs, which will be checked for the presence of files:

http://5050clothing.com***
http://axelero.hu***
http://calamarco.com***
http://ceramax.co.kr***
http://charlesspaans.com***
http://chatsk.wz.cz***
http://checkalertusa.com***
http://cibernegocios.com.ar***
http://cof666.shockonline.net***
http://comaxtechnologies.net***
http://concellodesandias.com***
http://dev.jintek.com***
http://dogoodesign.ch***
http://donchef.com***
http://erich-kaestner-schule-donaueschingen.de***
http://foxvcoin.com***
http://grupdogus.de***
http://hotchillishop.de***
http://ilikesimple.com***
http://innovation.ojom.net***
http://kisalfold.com***
http://knickimbit.de***
http://kremz.ru***
http://massgroup.de***
http://poliklinika-vajnorska.sk***
http://prime.gushi.org***
http://svatba.viskot.cz***
http://systemforex.de***
http://uwua132.org***
http://vanvakfi.com***
http://vega-sps.com***
http://vidus.ru***
http://viralstrategies.com***
http://Vivamodelhobby.com***
http://vkinfotech.com***
http://vproinc.com***
http://v-v-kopretiny.ic.cz***
http://vytukas.com***
http://waisenhaus-kenya.ch***
http://watsrisuphan.org***
http://wbecanada.com***
http://web-comp.hu***
http://webfull.com***
http://welvo.com***
http://wvpilots.org***
http://www.ag.ohio-state.edu***
http://www.ag.ohio-state.edu***
http://www.chapisteriadaniel.com***
http://www.chittychat.com***
http://www.cort.ru***
http://www.crfj.com***
http://www.kersten.de***
http://www.kljbwadersloh.de***
http://www.voov.de***
http://www.walsch.de***
http://www.wchat.cz***
http://www.wg-aufbau-bautzen.de***
http://www.wzhuate.com***
http://xotravel.ru***
http://yeniguntugla.com***
http://zebrachina.net***
http://zsnabreznaknm.sk***

If a file is found at any of these addresses, it will be downloaded to the victim machine:

%System%\re_file.exe

The file will then be launched for execution.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the process associated with the original worm file.
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following folder and its contents:
    %Documents and Settings%\Application Data\hidn
  4. Delete the following parameters from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "drv_st_key" = "%Documents and Settings%\Application Data\hidn\hidn2.exe"
  5. Delete the following files:
    %System%\re_file.exe
    %WinDir%\elist.xpt
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Bookmark and Share
Share
Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to a SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Other versions

Aliases

Email-Worm.Win32.Bagle.gt (Kaspersky Lab) is also known as:

  • Virus: W32/Bagle.gen (McAfee)
  • W32/Bagle-QW (Sophos)
  • W32/Bagle-RC (Sophos)
  • Worm.Bagle (ClamAV)
  • W32/Bagle.RC.worm (Panda)
  • W32/Mitglieder.UZ (FPROT)
  • Worm:Win32/Bagle.gen!B (MS(OneCare))
  • Win32.HLLM.Beagle (DrWeb)
  • Win32/Bagle.HE worm (Nod32)
  • Win32.Bagle.1497 (BitDef7)
  • I-Worm.Bagle.LC (VirusBuster)
  • Win32:Beagle-AHY [Wrm] (AVAST)
  • Email-Worm.Win32.Bagle (Ikarus)
  • I-Worm/Bagle (AVG)
  • bracohut.exe <<< TR/Bagle.GD (AVIRA)
  • TR/Bagle.GD (AVIRA)
  • Trojan.Tooso.R (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • W32/Bagle.gen (NAI)
  • WORM_BAGLE.JG (PCCIL)
  • Worm.Mail.Bagle.pji (Rising)
  • WORM_BAGLE.JG (TrendMicro)
  • Email-Worm.Win32.Bagle.gen (v) (Sunbelt)
  • I-Worm.Bagle.LC (VirusBusterBeta)