Bagle.al is a worm that spreads as an email attachment and via file
sharing networks.
The worm is written in Assembler and packed with winzip.
Bagle.al is made up of 2 main components:
- A ZIP file spreading as an email attachment;
- the body of the worm, which is downloaded from specified websites.
Payload
The ZIP file containing the downloader is 5932 bytes in size and contains
two files:
price.html
price\price.exe
The file price.html contains a malicious script named exploit.CodeBaseExec, which automatically launches price.exe.
Price.exe is a Trojan dropper designed to install the downloader that will
in turn download the body of the worm onto the victim machine. The dropper is 14848 bytes.
After it is launched, the dropper copies itself into the Windows system directory under the
name windirect.exe and creates the following system registry auto run key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win_upd2.exe"="%system%\windirect.exe"
It then extracts and saves the downloader in the Windows system directory
under the name dll.exe and launches the downloader (the dll file is 11776 bytes).
The dll file stops the following processes:
ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
sys_xp.exe
sysxp.exe
UPDATE.EXE
winxp.exe
Finally, the downloader attempts to download the body of the worm from one
of the web sites listed in the dll files. If the worm is successfully downloaded, the Trojan
launches it.
The worm component
Bagle.al is based on the source codes spread by Bagle.aa and is 19460
bytes in size.
Installation
Once Bagle.al is launched by the downloader component, it copies itself
into the Windows system directory with the name windll.exe and registers the following system
registry auto run key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"erthgdr"="%system%\windll.exe"
Bagle.al creates two additional files in the Windows system folder:
windll.exeopen
windll.exeopenopen
Propagation via email
Bagle.al scans the hard drive for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
|
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
|
The worm uses a built-in SMTP server to mail copies of itself to all email
addresses harvested from these files.
Infected emails
Subject:
none
Message body:
new price
price
The text is presented as an HTML page.
Attachment name (one of the below, chosen at random):
08_price.zip
new__price.zip
new_price.zip
newprice.zip
price.zip
price_08.zip
price_new.zip
price2.zip
Bagle.al can spread as a password protected ZIP file, in which case the
password will be included in the body of the letter either in text or graphic form.
Bagle.al will not send infected emails to recipients when the address
contains any of the following text strings:
@avp.
@derewrdgrs
@eerswqe
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
|
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
|
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
|
Propagation via P2P
Bagle.al scans the hard drive for files containing the text string 'shar'
copies itself into all of these under the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote administration
Bagle.al opens port 80 on the local HTTP server allowing the controller
to download and execute files on the infected machine.
Other
The worm component of Bagle.al is scheduled to stop functioning and
slef-destruct after August 10, 2004. However, the downloader module will remain available
for possible use for an unspecified time.
Check out if we have free
removal tool for this virus
