Email characteristics:
- Subject: Varies slightly; typical subjects are: "Re: Hello", "Re:Thank you!", "Re Hi"
- Body:
- Attachment: First part of name either PRICE or JOKE; extension either SCR, COM, EXE or CPL.

The worm installs itself in the Windows folder using the name WINGO.EXE, and modifies a registry key to point to itself so that it starts at bootup. After this, it harvests email addresses from local resources (it has a long list of file types to search), which it uses for the email spreading routine. At the same time, it looks for folders containing the word "share" and makes multiple copies of itself there using the file names below:
- Microsoft Office 2003 Crack, Working!.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0 Kaspersky Antivirus 5.0
- Porno pics arhive, xxx.exe
- Windows Sourcecode update.doc.exe
- Ahead Nero 7.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe

Changes to registry:
The worm deletes a lot of keys belonging to other worms and AV products:
Each of the following entries is deleted from both "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
- "My AV"
- "Zone Labs Client Ex"
- "9XHtProtect"
- "Antivirus"
- "Special Firewall Service"
- "service"
- "Tiny AV"
- "ICQNet"
- "HtProtect"
- "NetDy"
- "Jammer2nd"
- "FirewallSvr"
- "MsInfo"
- "SysMonXP"
- "EasyAV"
- "PandaAVEngine"
- "Norton Antivirus AV"
- "KasperskyAVEng"
- "SkynetsRevenge"
- "ICQ Net"

It also adds this entry so that it starts at bootup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"wingo" = "<WINDIR>\wingo.exe"

Process information:
The worm creates the following mutexes to stop itself from being loaded twice, and to stop other worms from running:
- MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
- DroppedSkyNet
- _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
- [SkyNet.cz]SystemsMutex
- AdmSkynetJklS003
- ____--->>>>U<<<<--____
- _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
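
A host triage check built from the indicators described above (the "wingo" startup entry and the copies dropped into "share" folders). This is an added example, not part of the original description: the function names, the dict/list input shapes and all sample data are constructed assumptions, and only the immediate parent folder name is tested for "share".

```python
import ntpath

# Indicators copied from the description above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "wingo"
WORM_FILE = "wingo.exe"
SHARE_COPIES = {n.lower() for n in (
    "Microsoft Office 2003 Crack, Working!.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr", "Serials.txt.exe",
    "KAV 5.0 Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe", "Windows Sourcecode update.doc.exe",
    "Ahead Nero 7.exe", "Opera 8 New!.exe", "XXX hardcore images.exe",
    "WinAmp 6 New!.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
)}

def check_run_values(run_values):
    """run_values: {entry name: data} read from RUN_KEY. Returns findings."""
    hits = []
    for name, data in run_values.items():
        # Match on the entry name or on the file the entry launches.
        target = ntpath.basename(data.strip('"')).lower()
        if name.lower() == RUN_VALUE or target == WORM_FILE:
            hits.append(f"{RUN_KEY}: {name} = {data}")
    return hits

def check_share_copies(paths):
    """paths: Windows file paths. Flags listed names in a folder named *share*."""
    hits = []
    for p in paths:
        folder, name = ntpath.split(p)
        parent = ntpath.basename(folder).lower()
        if "share" in parent and name.lower() in SHARE_COPIES:
            hits.append(p)
    return hits

# Constructed sample data, not taken from a real host.
SAMPLE_RUN = {"wingo": r"C:\WINDOWS\wingo.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [
    r"C:\Program Files\KaZaA\My Shared Folder\Serials.txt.exe",
    r"C:\Docs\Serials.txt.exe",
    r"D:\share\notes.txt",
    r"D:\share\ACDSee 9.exe",
]

if __name__ == "__main__":
    for hit in check_run_values(SAMPLE_RUN) + check_share_copies(SAMPLE_FILES):
        print("FOUND:", hit)
```

A listed file name found outside a "share" folder is not reported by this check and would need separate review.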