W32/Bagle.N@mm

• Subject: (variable)
• Body: (variable)
• Attachment: (variable)

When executed, this virus will copy itself to the Windows System directory using the name WINUPD.EXE, and add a registry key to start from bootup.

Registry keys created by the virus:
HKCUSoftwareCurrentVersionMicrosoftWindows
   Run [random] = winupd.exe

Registry keys deleted by the virus:
Any HKCUSoftwareCurrentVersionMicrosoftWindowsRun
and
HKLMSoftwareCurrentVersionMicrosoftWindows
   Run entry containing any of the following strings: 

• "My AV" 
• "Zone Labs Client Ex" 
• "9XHtProtect" 
• "Antivirus" 
• "Special Firewall Service" 
• "service" 
• "Tiny AV" 
• "ICQNet" 
• "HtProtect" 
• "ICQ Net"

The virus traverses local and remote drives looking for email addresses in files of following type: 

• .wab 
• .txt 
• .msg 
• .htm 
• .shtm 
• .stm 
• .xml 
• .dbx 
• .mbx 
• .mdx 
• .eml 
• .nch 
• .mmf 
• .ods 
• .cfg 
• .asp 
• .php 
• .pl 
• .wsh 
• .adb 
• .tbb 
• .sht 
• .xls 
• .oft 
• .uin 
• .cgi 
• .mht 
• .dhtm 
• .jsp

It will avoid addresses containing the strings below:

• @hotmail.com 
• @msn 
• @microsoft 
• anyone@ 
• bugs@ 
• contract@ 
• feste 
• gold-certs@ 
• help@ 
• info@ 
• nobody@ 
• noone@ 
• rating@ 
• kasp 
• admin 
• icrosoft 
• support 
• ntivi 
• unix 
• bsd 
• linux 
• listserv 
• certific 
• samples 
• sopho 
• @foo 
• @iana 
• free-av 
• @messagelab 
• winzip 
• google 
• winrar 
• abuse 
• panda 
• cafee 
• spam 
• pgp 
• @avp.
• noreply 
• local 
• root@ 
• postmaster@ 
• f-secur

Spreading via network/file-sharing software

The virus copies itself into folders containing the string "shar" using the names below. Such folders will often belong to filesharing software, thus enabling the worm to spread via Kazaa, IMesh etc. 

• Microsoft Office 2003 Crack, Working!.exe 
• Microsoft Windows XP, WinXP Crack, working 
• Keygen.exe 
• Microsoft Office XP working Crack, Keygen.exe 
• Porno, sex, oral, anal cool, awesome!!.exe 
• Porno Screensaver.scr 
• Serials.txt.exe 
• Porno pics arhive, xxx.exe 
• Windows Sourcecode update.doc.exe 
• Ahead Nero 7.exe 
• Windown Longhorn Beta Leak.exe 
• Opera 8 New!.exe 
• XXX hardcore images.exe 
• WinAmp 6 New!.exe 
• WinAmp 5 Pro Keygen Crack Update.exe 
• Adobe Photoshop 9 full.exe 
• Matrix 3 Revolution English Subtitles.exe 
• ACDSee 9.exe

File infection

During the directory traversal, the virus also looks for and infects EXE files, which will grow by approximately 21kb. Infected files will, when run, extract, install and run the virus.

Email propagation

The virus may send itself as a password-protected archive attachment to mail. The password is, in contrast to previous variants, not mentioned in the mail as text, but is inserted as a picture in the mail. There are two main mail variants the virus sends.

Possible email composition, variant 1

1. Subject

• Re: Msg reply 
• Re: Hello 
• Re: Yahoo! 
• Re: Thank you! 
• Re: Thanks :) 
• RE: Text message 
• Re: Document 
• Incoming message 
• Re: Incoming Message 
• Re: Incoming Fax 
• Hidden message 
• Fax Message Received 
• Protected message 
• RE: Protected message 
• Forum notify 
• Request response 
• Site changes 
• Re: Hi 
• Encrypted document

2. Body text

• Read the attach. 
• Your file is attached. 
• More info in attach 
• See attach. 
• Follow the wabbit. 
• Find the white rabbit. 
• Please, have a look at the attached file. 
• See the attached file for details. 
• Message is in attach 
• Here is the file.

Possible email composition, variant 2

1. Subject

• E-mail account security warning. 
• Notify about using the e-mail account. 
• Warning about your e-mail account. 
• Important notify about your e-mail account. 
• Email account utilization warning. 
• E-mail technical support message. 
• E-mail technical support warning. 
• Email report 
• Important notify 
• Account notify 
• E-mail warning 
• Notify from e-mail technical support. 
• Notify about your e-mail account utilization. 
• E-mail account disabling warning.

2. Body text

2.1 Introduction: 

• Dear user of [recipient domain], 
• Dear user of [recipient domain] e-mail server gateway, 
• Dear user of e-mail server "[recipient domain]", 
• Hello user of [recipient domain] e-mail server, 
• Dear user of "[recipient domain]" mailing system, 
• Dear user, the management of [recipient domain] mailing system wants to let you know that,

2.2 Main body text

• Your e-mail account has been temporary disabled because of unauthorized access. 
• Our main mailing server will be temporary unavaible for next two days, 
  to continue receiving mail in these days you have to configure our free
  auto-forwarding service. 
• Your e-mail account will be disabled because of improper using in next
  three days, if you are still wishing to use it, please,resign your
  account information. 
• We warn you about some attacks on your e-mail account. Your computer may
  contain viruses, in order to keep your computer and e-mail account safe,
  please, follow the instructions. 
• Our antivirus software has detected a large ammount of viruses outgoing
  from your email account, you may use our free anti-virus tool to clean up
  your computer software. 
• Some of our clients complained about the spam (negative e-mail content)
  outgoing from your e-mail account. Probably, you have been infected by
  a proxy-relay trojan server. In order to keep your computer safe,
  follow the instructions.

2.3 Encouragement to open the attachment:

• For more information see the attached file. 
• Further details can be obtained from attached file. 
• Advanced details can be found in attached file. 
• For details see the attach. 
• For details see the attached file. 
• For further details see the attach. 
• Please, read the attach for further details. 
• Pay attention on attached file.

2.4 Ending

• The Management, 
• Sincerely, 
• Best wishes, 
• Yours, 
• Have a good day, 
• Cheers, 
• Kind regards,

The [recipient domain] team
http://www.[recipient domain]

The attachment can be a password-protected archive. If it is, there is about 90% chance that this will be a ZIP file, if not it is of RAR format. One of the following sentences will then be present in the mail:

3. Password string

• For security reasons attached file is password protected. The password is [image] 
• For security purposes the attached file is password protected. Password -- [image] 
• Note: Use password [image] to open archive. 
• Attached file is protected with the password for security reasons. Password is [image] 
• In order to read the attach you have to use the following password: [image] 
• Archive password: [image] 
• Password - [image]  
• Password: [image] 

4. Attachment name:

• Attach 
• Information 
• Details 
• Encrypted 
• first_part 
• Readme 
• Document 
• Info 
• TextDocument 
• Text 
• details 
• Gift 
• text_document 
• pub_document 
• MoreInfo 
• Message

File name inside the archives will be a random character string.

5. Attachment extension:

.RAR
.ZIP
.EXE
.PIF

The password image that is sent along with the mail may be of JPG or GIF extension if the virus finds the GDIPLUS.DLL on the infected machine, if not the image is of BMP type.