Threat behavior
Win32/Bagle.BA@mm!CME-477 is a mass-mailing worm that spreads by sending itself via email and also by copying itself to folders containing the string 'shar' in the folder name. When a file infected with Win32/Bagle.BA@mm!CME-477 is opened, it takes the following actions:
- Drops itself to <system folder>\winhost.exe and runs this copy of the worm
- Downloads files from two remote websites and saves those files to %windir%\test.exe
- Drops multiple copies of itself to any folder containing the string "shar" in the folder name. Dropped copies may be named any of the following:
  - Microsoft Office 2003 Crack, Working!.exe
  - Microsoft Windows XP, WinXP Crack, working Keygen.exe
  - Microsoft Office XP working Crack, Keygen.exe
  - Porno, sex, oral, anal cool, awesome!!.exe
  - Porno Screensaver.scr
  - Serials.txt<empty spaces>.exe
  - text.txt<empty spaces>.exe
  - Kaspersky Antivirus 5.0
  - Porno pics arhive, xxx.exe
  - Windows Sourcecode update.doc<empty spaces>.exe
  - Ahead Nero 7.exe
  - Windown Longhorn Beta Leak.exe
  - New document.doc<empty spaces>.exe
  - XXX hardcore images.exe
  - WinAmp 6 New!.exe
  - hardcore arhive.exe
  - install.exe
  - important.exe
  - important update.exe
  - update.exe
  - patch.exe
  - New patch.exe
  - setup.exe
  - message.msg<empty spaces>.exe
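As an added defender-side example (not part of this description), a small Python check that flags files matching the dropped-copy behaviour above: a file name from the list, including the space-padded "<name>.<ext><empty spaces>.exe" forms, inside a folder whose name contains "shar". The sample paths are constructed.

```python
import ntpath
import re

# Fixed dropped-copy names listed for Win32/Bagle.BA, lower-cased for the
# case-insensitive comparison Windows file systems use.
FIXED_DROP_NAMES = {n.lower() for n in (
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Porno Screensaver.scr",
    "Kaspersky Antivirus 5.0", "Porno pics arhive, xxx.exe", "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe", "XXX hardcore images.exe",
    "WinAmp 6 New!.exe", "hardcore arhive.exe", "install.exe", "important.exe",
    "important update.exe", "update.exe", "patch.exe", "New patch.exe",
    "setup.exe",
)}

# Names of the form "<decoy>.<ext><empty spaces>.exe": the run of spaces
# pushes the real .exe extension out of a file browser's name column.
PADDED_DROP_RE = re.compile(
    r"^(Serials\.txt|text\.txt|Windows Sourcecode update\.doc|"
    r"New document\.doc|message\.msg) +\.exe$",
    re.IGNORECASE,
)

def is_bagle_drop_candidate(path: str) -> bool:
    """True if the file's immediate folder name contains 'shar' and the
    file name is one of the listed names, fixed or space-padded."""
    folder, name = ntpath.split(path)
    if "shar" not in ntpath.basename(folder).lower():
        return False
    if name.lower() in FIXED_DROP_NAMES:
        return True
    return PADDED_DROP_RE.match(name) is not None

def find_drop_candidates(paths):
    return [p for p in paths if is_bagle_drop_candidate(p)]

# Constructed sample input, as a file-creation log or directory walk might list it.
SAMPLE_PATHS = [
    r"C:\Program Files\KaZaA\My Shared Folder\patch.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\Serials.txt            .exe",
    r"C:\Windows\patch.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\readme.txt",
]

if __name__ == "__main__":
    for hit in find_drop_candidates(SAMPLE_PATHS):
        print("suspicious:", hit)
```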
- Adds the value "winhost.exe" with data "%System%\winhost.exe" to the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Creates the following registry values, where the Uid and Pid data change from infection to infection:
  - "Port" = "dword:0x00002346"
  - "Pid" = ""
  - "Uid" = ""
- Harvests email addresses from files with the following extensions:
  - .wab
  - .txt
  - .msg
  - .htm
  - .html
  - .shtm
  - .stm
  - .xml
  - .dbx
  - .mbx
  - .mdx
  - .eml
  - .nch
  - .mmf
  - .ods
  - .cfg
  - .asp
  - .php
  - .pl
  - .wsh
  - .adb
  - .tbb
  - .sht
  - .xls
  - .oft
  - .uin
  - .cgi
  - .mht
  - .dhtm
  - .jsp
- Does not send itself to email addresses containing any of the following strings:
  - virus
  - norton
  - @msn
  - @microsoft
  - rating@
  - f-secur
  - news
  - update
  - anyone@
  - bugs@
  - contract@
  - feste
  - gold-certs@
  - help@
  - info@
  - nobody@
  - noone@
  - kasp
  - admin
  - icrosoft
  - support
  - ntivi
  - unix
  - bsd
  - linux
  - listserv
  - certific
  - sopho
  - @foo
  - @iana
  - free-av
  - @messagelab
  - winzip
  - google
  - winrar
  - samples
  - abuse
  - panda
  - cafee
  - spam
  - pgp
  - @avp.
  - noreply
  - local
  - root@
  - postmaster@
Subject (any of the following):
- Re: Msg reply
- Re: Hello
- Re:
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :)
- RE: Text message
- Re: Document
- Incoming message
- Re: Incoming Message
- RE: Incoming Msg
- RE: Message Notify
- Notification
- Changes..
- Update
- Fax Message
- Protected message
- RE: Protected message
- Forum notify
- Site changes
- Re: Hi
- Encrypted document
Message Body (any of the following):
- Read the attach.
- Your file is attached.
- Try this.
- More info is in attach
- See attach.
- Please, have a look at the attached file.
- Your document is attached.
- Please, read the document.
- Attach tells everything.
- Attached file tells everything.
- Check attached file for details.
- Check attached file.
- Pay attention at the attach.
- See the attached file for details.
- Message is in attach
- Here is the file.
- For security reasons attached file is password protected. The password is <image>
- For security purposes the attached file is password protected. Password -- <image>
- Note: Use password <image> to open archive.
- Attached file is protected with the password for security reasons. Password is <image>
- In order to read the attach you have to use the following password: <image>
- Archive password: <image>
- Password - <image>
- Password: <image>
Attachment (any of the following):
- Information.exe
- Details.exe
- text_document.exe
- Updates.exe
- Readme.exe
- Document.exe
- Info.exe
- MoreInfo.exe
- Message.exe
Prevention