Bagle.at is a worm that spreads as an attachment to an infected email.
The worm harvests addresses from the local address book and installs a proxy server.
Bagle.at spreads either as Windows PE EXE file or a Windows Control Panel
Applet (CPL) file, both about 20 KB in size. The worm is packed with PeX; the unpacked size
is about 30 KB.
Installation
When spreading as a Windows PE EXE file, Bagle.at creates copies of itself
under one of the following names:
C:\WINDOWS\SYSTEM32\wingo.exe
C:\WINDOWS\SYSTEM32\wingo.exeopen
C:\WINDOWS\SYSTEM32\wingo.exeopenopen
And then registers this file in the System Registry autorun keys:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wingo"="%system%\wingo.exe"
If Bagle.at arrives as a Windows Control Panel Applet (CPL) file, then it
is a dropper. If the file is executed it copies itself into the Windows folder under the
name cjector.exe. This file extracts the worm's body from itself and drops it into the
System Registry.
Propagation via email
Bagle.at scans the local disk for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
|
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
|
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
|
And sends copies of itself to any email addresses it finds. Bagle.at
connects to the recipients SMTP server to send emails.
Bagle.at does not send copies to recipients where the address contains the
following text strings:
@avp
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
|
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
|
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
|
Infected Message Characteristics
Sender address:
Random
Subject:
Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks :)
Attachment name:
Price
Joke
Attachment extensions:
com
cpl
exe
scr
Propagation via P2P
Bagle.at creates copies of itself in all folders where the word 'share' is in the name.
The file names are chosen at random from the list below:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote Administration
Bagle.at opens TCP port 81 and listens for further commands. For instance,
the worm installs a proxy server that can be controlled via this port.
Other
Bagle.at attempts to connect to a number of compromised web sites to a
file named g.jpg. The web sites were inaccessible at the time of writing.
The worm is coded to stop functioning on April 25, 2006.
Finally, Bagle.at attempts to block firewalls and antivirus solutions by
stopping the following processes :
alogserv.exe
APVXDWIN.EXE
ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
Avconsol.exe
AVENGINE.EXE
AVPUPD.EXE
Avsynmgr.exe
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
bawindo.exe
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
CFIAUDIT.EXE
DefWatch.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
|
mcagent.exe
mcshield.exe
MCUPDATE.EXE
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapsvc.exe
navapsvc.exe
navapw32.exe
NISUM.EXE
nopdb.exe
NPROTECT.EXE
NPROTECT.EXE
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
pavProxy.exe
pavsrv50.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
symlcsvc.exe
UPDATE.EXE
UpdaterUI.exe
Vshwin32.exe
VsStat.exe
VsTskMgr.exe
|
Removal Instructions
- Reboot your machine in Safe Mode - Press and hold F8 while the machine is rebooting and choose Safe Mode from the menu when it appears.
- Delete the following files from Windows system folder:
wingo.exe
wingo.exeopen
wingo.exeopenopen
- Delete the following key from the Windows System Registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wingo"="%system%\wingo.exe"
- Reboot the computer and make sure that you have removed all infected emails from all folders in your email client.
Check out if we have free
removal tool for this virus