W32/Bagle.AI@mm

W32/Bagle.AI@mm	Destructivity: Spreading: Overall risk:

• Detected by virus detection files published: 8/9/2004	• Type: Worm
• Virus characteristics first published: 8/9/2004	• Spreading mechanism: Email
• Virus characteristics latest update: 12/3/2004	• Overall risk: Low
• Alias: Win32.Bagle.AG [Computer Associates], W32/Bagle.AJ@mm [F-secure], W32/Bagle.aq@MM [Network Associates], W32/Bagle.AM.worm [Panda], W32/Bagle-AQ [Sophos], W32.Beagle.AO@mm [Symantec], WORM_BAGLE.AC [Trend Micro]	• Payload:
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista

Virus type

Spreading
mechanism

Destructivity
and payload

Additional
descriptions

Detection
and removal

Email characteristics:

Subject: None
Body: New Price
Attachment: Variable

Bagle.AI is spread via a zip archive which contains two files, price.html and price.exe. When run, price.exe creates the following registry entries to ensure it is started with Windows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
win_upd2.exe = "%SYSTEM%\WINdirect.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
win_upd2.exe = "%SYSTEM%\WINdirect.exe"

Price.exe also drops a file named _dll.exe, which will attempt to download Bagle.AI to %WINDIR%\~.exe and launch it. _dll.exe will contact one of the following domains to download Bagle.AI:

http://polobeer.de/
http://r2626r.de/
http://kooltokyo.ru/
http://mmag.ru/
http://advm1.gm.fh-koeln.de/
http://evadia.ru/
http://megion.ru/
http://molinero-berlin.de/
http://dozenten.f1.fhtw-berlin.de/
http://shadkhan.ru/
http://sacred.ru/
http://kypexin.ru/
http://www.gantke-net.com/
http://www.mcschnaeppchen.com/
http://www.rollenspielzirkel.de/
http://134.102.228.45/
http://196.12.49.27/
http://aus-Zeit.com/
http://lottery.h11.ru/
http://herzog.cs.uni-magdeburg.de/
http://yaguark.h10.ru/
http://213.188.129.72/
http://thorpedo.us/
http://szm.sk/
http://lars-s.privat.t-online.de/
http://www.no-abi2003.de/
http://www.mdmedia.org/
http://abi-2004.org/
http://sovea.de/
http://www.porta.de/
http://matzlinger.com/
http://pocono.ru/
http://controltechniques.ru/
http://alexey.pioneers.com.ru/
http://momentum.ru/
http://omegat.ru/
http://www.perfectgirls.net/
http://porno-mania.net/
http://colleen.ai.net/
http://ourcj.com/
http://free.bestialityhost.com/
http://slavarik.ru/
http://burn2k.ipupdater.com/
http://carabi.ru/
http://spbbook.ru/
http://binn.ru/
http://sbuilder.ru/
http://protek.ru/
http://www.PlayGround.ru/
http://celine.artics.ru/
http://www.artics.ru/
http://www.laserbuild.ru/
http://www.lamatec.com/
http://www.sensi.com/
http://www.oldtownradio.com/
http://www.youbuynow.com/
http://64.62.172.118/
http://www.tayles.com/
http://dodgetheatre.com/
http://www.thepositivesideofsports.com/
http://www.bridesinrussia.com/
http://fairy.dataforce.net/
http://www.pakwerk.ru/
http://home.profootball.ru/
http://www.ankil.ru/
http://www.ddosers.net/
http://tarkosale.net/
http://www.boglen.com/
http://change.east.ru/
http://www.teatr-estrada.ru/
http://www.glass-master.ru/
http://www.zeiss.ru/
http://www.sposob.ru/
http://www.glavriba.ru/
http://alfinternational.ru/
http://euroviolence.com/
http://www.webronet.com/
http://www.virtmemb.com/
http://www.infognt.com/
http://www.vivamedia.ru/
http://www.zelnet.ru/
http://www.dsmedia.ru/
http://www.vendex.ru/
http://www.elit-line.ru/
http://pixel.co.il/
http://www.milm.ru/
http://dev.tikls.net/
http://www.met.pl/
http://www.strefa.pl/
http://kafka.punkt.pl/
http://www.rubikon.pl/
http://www.neostrada.pl/
http://werel1.web-gratis.net/
http://www.tuhart.net/
http://www.antykoncepcja.net/
http://www.dami.com.pl/
http://vip.pnet.pl/
http://www.webzdarma.cz/
http://emnesty.w.interia.pl/
http://niebo.net/
http://strony.wp.pl/
http://sec.polbox.pl/
http://www.phg.pl/
http://emnezz.e-mania.pl/
http://www.republika.pl/
http://www.silesianet.pl/
http://www.republika.pl/
http://tdi-router.opola.pl/
http://republika.pl/
http://infokom.pl/
http://silesianet.pl/
http://terramail.pl/
http://silesianet.pl/
http://www.iluminati.kicks-ass.net/
http://www.dilver.ru/
http://www.yarcity.ru/
http://www.scli.ru/
http://www.elemental.ru/
http://diablo.homelinux.com/
http://www.interrybflot.ru/
http://www.webpark.pl/
http://www.rafani.cz/
http://gutemine.wu-wien.ac.at/
http://przeglad-tygodnik.pl/
http://przeglad-tygodnik.pl/
http://pb195.slupsk.sdi.tpnet.pl/
http://www.ciachoo.pl/
http://cavalierland.5u.com/
http://www.nefkom.net/
http://rausis.latnet.lv/
http://www.hgr.de/
http://www.airnav.com/
http://www.astoria-stuttgart.de/
http://ultimate-best-hgh.0my.net/
http://wynnsjammer.proboards18.com/
http://www.jewishgen.org/
http://www.hack-gegen-rechts.com/
http://host.wallstreetcity.com/
http://quotes.barchart.com/
http://www.aannemers-nederland.nl/
http://www.sjgreatdeals.com/
http://financial.washingtonpost.com/
http://www.biratnagarmun.org.np/
http://hsr.zhp.org.pl/
http://traveldeals.sidestep.com/
http://www.hbz-nrw.de/
http://www.ifa-guide.co.uk/
http://www.inversorlatino.com/
http://www.zhp.gdynia.pl/
http://host.businessweek.com/
http://packages.debian.or.jp/
http://www.math.kobe-u.ac.jp/
http://www.k2kapital.com/
http://www.tanzen-in-sh.de/
http://www.wapf.com/
http://www.hgrstrailer.com/
http://www.forbes.com/
http://www.oshweb.com/
http://www.rumbgeo.ru/
http://www.dicto.ru/
http://www.busheron.ru/
http://www.omnicom.ru/
http://www.teleline.ru/
http://www.dynex.ru/
http://www.gamma.vyborg.ru/
http://nominal.kaliningrad.ru/
http://www.baltmatours.com/
http://www.interfoodtd.ru/
http://www.baltnet.ru/
http://www.neprifan.ru/
http://photo.gornet.ru/
http://www.aktor.ru/
http://catalog.zelnet.ru/
http://www.sdsauto.ru/
http://www.gradinter.ru/
http://www.avant.ru/
http://www.porsa.ru/
http://www.taom-clan.de/
http://www.perfectjewel.com/
http://www.vrack.net/
http://www.netradar.com/
http://www.pgipearls.com/
http://www.vconsole.net/
http://www.ccbootcamp.com/
http://host23.ipowerweb.com/
http://www.timelessimages.com/
http://www.peterstar.ru/
http://www.5100.ru/
http://www.gin.ru/
http://www.rweb.ru/
http://www.metacenter.ru/
http://www.biysk.ru/
http://www.free-time.ru/
http://www.rastt.ru/
http://www.chelny.ru/
http://www.chat4adult.com/
http://www.landofcash.net/
http://relay.great.ru/
http://www.kefaloniaresorts.com/
http://www.epski.gr/
http://www.myrtoscorp.com/
http://www.aphel.de/
http://www.intellect.lvc/
http://www.abcdesign.ru/

_dll.exe also terminates processes with these names:

FIREWALL.EXE
ATUPDATER.EXE
winxp.exe
sys_xp.exe
sysxp.exe
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE

When _dll.exe launches ~.exe (downloaded Bagle.AI), ~.exe will copy itself to the %SYSTEM% folder as:

windll.exe
windll.exeopen
windll.exeopenopen

The worm will also create the following registry value, which would normally ensure the worm is started with Windows, but due to a typo it is actually useless:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n\erthgdr = "%SYSTEM%\windll.exe"

Bagle.AI will delete the following entries from the registry in an attempt to remove various Netsky variants:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
My AV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Zone Labs Client Ex
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
9XHtProtect
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Antivirus
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Special Firewall Service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Tiny AV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
ICQNet
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HtProtect
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
NetDv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Jammer2nd
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MsInfo
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SysMonXP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
EasyAV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
PandaAVEngine
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Norton Antivirus AV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
KasperskyAVEng
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SkynetsRevenge
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
ICQ Net
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
My AV
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Zone Labs Client Ex
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
9XHtProtect
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Antivirus
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Special Firewall Service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Tiny AV
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ICQNet
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HtProtect
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NetDv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Jammer2nd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MsInfo
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SysMonXP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
EasyAV
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
PandaAVEngine
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Norton Antivirus AV
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
KasperskyAVEng
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SkynetsRevenge
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ICQ Net

The worm will also create the following mutexes in order to prevent Netsky from running:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D.
DroppedSkyNet.
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_.
[SkyNet.cz]SystemsMutex.
AdmSkynetJklS003.
____--->>>>U<<<<--____.
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_.

Bagle.AI then harvests email addresses from files with the following extension:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

Email addresses containing any of these strings are ignored:

@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

The worm then begins its mass mailing routine. Emails may have the following characteristics:

Subject

None

Body

New Price

Attachment

price_08.zip
price.zip
price2.zip
new_price.zip
price_new.zip
08_price.zip
new__price.zip
newprice.zip

Finally, Bagle.AI will also copy itself to folders containing shar in the pathname. Possible filenames include:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

# - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z

VIRUSfighter

Microsoft Certified Partner

W32/Bagle.AI@mm