W32/Bagle.AH@mm

W32/Bagle.AH@mm	Destructivity: Spreading: Overall risk:

• Detected by virus detection files published: 7/19/2004	• Type: Worm
• Virus characteristics first published: 7/19/2004	• Spreading mechanism: Email
• Virus characteristics latest update: 12/3/2004	• Overall risk: Low
• Alias: W32/Bagle.AI	• Payload: Backdoor
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista

Virus type

Spreading
mechanism

Destructivity
and payload

Additional
descriptions

Detection
and removal

Email characteristics:

Subject: Re:
Body: variable
Attachment: variable

When Bagle.AH executes it copies itself to %SYSTEM% as:

winxp.exe
winxp.exeopen
winxp.exeopenopen
winxp.exeopenopenopen
winxp.exeopenopenopenopen

It then creates the following registry entry to ensure it is started with Windows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\key = "C:\WINDOWS\SYSTEM\winxp.exe"

Bagle.AH will then delete the following entries from the registry in an attempt to remove Netsky variants:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\My AV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client Ex
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9XHtProtect
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Special Firewall Service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tiny AV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HtProtect
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NetDv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Jammer2nd
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsInfo
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAVEng
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SkynetsRevenge
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\My AV
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client Ex
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\9XHtProtect
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Special Firewall Service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tiny AV
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HtProtect
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetDv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Jammer2nd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsInfo
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAVEng
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SkynetsRevenge
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net

The worm will also create the following mutexes in order to prevent Netsky from running:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D.
DroppedSkyNet.
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_.
[SkyNet.cz]SystemsMutex.
AdmSkynetJklS003.
____--->>>>U<<<<--____.
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_.

Bagle.AH then harvests email addresses from files with the following extension:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

Email addresses containing any of these strings are ignored:

@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

The worm then begins its mass mailing routine. Mails may have the following characteristics:

Subject

Body

>foto3 and MP3
>fotogalary and Music
>fotoinfo
>Lovely animals
>Animals
>Predators
>The snake
>Screen and Music

(If the attachment is a .zip file then a password may be included in the mail)

Password: <random number>
Pass- <random number>
Key- <random number>

Attachment

MP3
Music_MP3
New_MP3_Player
Cool_MP3
Garry
Cat
Dog
Fish

The attachment extension can be any of the following:

.cpl
.com
.zip (password protected)
.exe
.scr

Finally, Bagle.AH will also copy itself to folders containing shar in the name. Possible filenames include:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

# - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z

VIRUSfighter

Microsoft Certified Partner

W32/Bagle.AH@mm