Win32/Bagle [Threat Name]

Win32/Bagle.GM [Threat Variant Name]

Category: worm
Short description

Win32/Bagle.GM is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the C:\Documents and Settings\username\Application Data\hidn folder using the following name:

  • hidn.exe

The following file is dropped in the same folder:

  • m_hook.sys

This file is responsible for hiding the worm from the user, using techniques common to rootkits. In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "drv_st_key" = "C:\Documents and Settings\username\Application Data\hidn\hidn.exe"

The worm re-sets this entry every 5 minutes.

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .eml
  • .htm
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .wab
  • .wsh
  • .xls
  • .xml

Addresses containing the following strings are avoided:

  • ..
  • .@
  • @.
  • @avp.
  • @foo
  • @iana
  • @messagelab
  • abuse
  • admin
  • anyone@
  • bsd
  • bugs@
  • cafee
  • certific
  • contract@
  • f-secur
  • feste
  • free-av
  • gold-certs@
  • google
  • help@
  • icrosoft
  • info@
  • kasp
  • linux
  • listserv
  • local
  • news
  • nobody@
  • noone@
  • noreply
  • ntivi
  • panda
  • pgp
  • postmaster@
  • rating@
  • root@
  • samples
  • sopho
  • spam
  • support
  • unix
  • update
  • winrar
  • winzi

The subject of the message is one of the following:

  • Ales
  • Alice
  • Alyce
  • Andrew
  • Androw
  • Androwe
  • Ann
  • Anna
  • Anne
  • Annes
  • Anthonie
  • Anthony
  • Anthonye
  • Avice
  • Avis
  • Bennet
  • Bennett
  • Constance
  • Cybil
  • Daniel
  • Danyell
  • Dorithie
  • Dorothee
  • Dorothy
  • Edmond
  • Edmonde
  • Edmund
  • Edward
  • Edwarde
  • Elizabeth
  • Elizabethe
  • Ellen
  • Ellyn
  • Emanual
  • Emanuel
  • Emanuell
  • Ester
  • Frances
  • Francis
  • Fraunces
  • Gabriell
  • Geoffraie
  • George
  • Grace
  • Harry
  • Harrye
  • Henrie
  • Henry
  • Henrye
  • Hughe
  • Humphrey
  • Humphrie
  • Christean
  • Christian
  • Isabel
  • Isabell
  • James
  • Jane
  • Jeames
  • Jeffrey
  • Jeffrye
  • Joane
  • Johen
  • John
  • Josias
  • Judeth
  • Judith
  • Judithe
  • Katherine
  • Katheryne
  • Leonard
  • Leonarde
  • Margaret
  • Margarett
  • Margerie
  • Margerye
  • Margret
  • Margrett
  • Marie
  • Martha
  • Mary
  • Marye
  • Michael
  • Mychaell
  • Nathaniel
  • Nathaniell
  • Nathanyell
  • Nicholas
  • Nicholaus
  • Nycholas
  • Peter
  • Ralph
  • Rebecka
  • Richard
  • Richarde
  • Robert
  • Roberte
  • Roger
  • Rose
  • Rycharde
  • Samuell
  • Sara
  • Sidney
  • Sindony
  • Stephen
  • Susan
  • Susanna
  • Suzanna
  • Sybell
  • Sybyll
  • Syndony
  • Thomas
  • Valentyne
  • William
  • Winifred
  • Wynefrede
  • Wynefreed
  • Wynnefreede

The same list is used to pick the name of the attachment. The attachment is a password-protected archive containing an executable of the worm; the password is shown in a picture that is attached alongside it.


The body of the message may start with one of the following:

  • To the beloved
  • I love you

It continues with one of the following:

  • The password is ...
  • Password -- ...
  • Use password ... to open archive.
  • Password is ...
  • Zip password: ...
  • archive password: ...
  • Password - ...
  • Password: ...
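
As an added example (not part of the original description), a mail-gateway heuristic in Python that scores a message against the lure described above: a bare first name as the subject, reused as the archive name, one of the two openers, a password phrase, and a picture attached next to the archive. The sample message and the threshold of four traits are constructed for illustration.

```python
# Added example, not from the original page: gateway heuristic for the
# Bagle.GM lure (name-only subject reused as the zip name, lure opener,
# "password" phrase, and a picture that carries the password).
import re
from email.message import EmailMessage

OPENERS = ("To the beloved", "I love you")
PASSWORD_PHRASES = ("the password is", "password --", "use password",
                    "password is", "zip password:", "archive password:",
                    "password -", "password:")

def bagle_gm_indicators(msg):
    """Return the Bagle.GM lure traits present in an EmailMessage."""
    hits, body, archives, pictures = [], "", [], []
    subject = (msg["Subject"] or "").strip()
    if re.fullmatch(r"[A-Z][a-z]+", subject):   # bare first name as subject
        hits.append("name-only subject")
    for part in msg.walk():
        ctype, name = part.get_content_type(), part.get_filename() or ""
        if ctype == "text/plain" and not name:
            body = part.get_content().strip()
        elif name.lower().endswith(".zip"):
            archives.append(name)
        elif ctype.startswith("image/"):
            pictures.append(name)
    if body.startswith(OPENERS):
        hits.append("lure opener")
    if any(p in body.lower() for p in PASSWORD_PHRASES):
        hits.append("password phrase")
    if any(a[:-4] == subject for a in archives):  # same list names both
        hits.append("archive named like subject")
    if archives and pictures:                      # password is in the image
        hits.append("archive plus picture")
    return hits

def is_bagle_gm_lure(msg, threshold=4):
    """Treat a message with at least `threshold` traits as a Bagle.GM lure."""
    return len(bagle_gm_indicators(msg)) >= threshold

def sample_message():
    """Constructed message mirroring the lure layout (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = "Anna"
    msg.set_content("I love you\nZip password: see the picture")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="Anna.zip")          # placeholder archive bytes
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif",
                       filename="password.gif")      # placeholder image bytes
    return msg
```

A message that only shares one trait (a one-word subject, say) scores below the threshold, so the check is meant as a scoring input rather than a stand-alone block rule.
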

Other information

The following programs are terminated:

  • Aavmker4
  • ABVPN2K
  • ADBLOCK.DLL
  • ADFirewall
  • AFWMCL
  • Ahnlab task Scheduler
  • alerter
  • AlertManger
  • AntiVir Service
  • AntiyFirewall
  • ARP.DLL
  • aswMon2
  • aswRdr
  • aswTdi
  • aswUpdSv
  • Ati HotKey Poller
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • AVEService
  • AVExch32Service
  • AvFlt
  • Avg7Alrt
  • Avg7Core
  • Avg7RsW
  • Avg7RsXP
  • Avg7UpdSvc
  • AvgCore
  • AvgFsh
  • AVGFwSrv
  • AvgFwSvr
  • AvgServ
  • AvgTdi
  • AVIRAMailService
  • AVIRAService
  • avpcc
  • AVUPDService
  • AVWUpSrv
  • AvxIni
  • awhost32
  • backweb client-4476822
  • backweb client - 4476822
  • BackWeb Client - 7681197
  • Bdfndisf
  • bdftdif
  • bdss
  • BlackICE
  • BsFileSpy
  • BsFirewall
  • BsMailProxy
  • CAISafe
  • ccEvtMgr
  • ccPwdSvc
  • ccSetMgr
  • ccSetMgr.exe
  • CONTENT.DLL
  • DefWatch
  • DNSCACHE.DLL
  • drwebnet
  • dvpapi
  • dvpinit
  • ewido security suite control
  • ewido security suite driver
  • ewido security suite guard
  • F-Prot Antivirus Update Monitor
  • F-Secure Gatekeeper Handler Starter
  • firewall
  • fsbwsys
  • FSDFWD
  • FSFW
  • FSMA
  • FTPFILT.DLL
  • FwcAgent
  • fwdrv
  • Guard NT
  • HSnSFW
  • HSnSPro
  • HTMLFILT.DLL
  • HTTPFILT.DLL
  • IMAPFILT.DLL
  • InoRPC
  • InoRT
  • InoTask
  • Ip6Fw
  • Ip6FwHlp
  • KAVMonitorService
  • KAVSvc
  • KLBLMain
  • KPfwSvc
  • KWatch3
  • KWatchSvc
  • MAILFILT.DLL
  • McAfee Firewall
  • McAfeeFramework
  • McShield
  • McTaskManager
  • mcupdmgr.exe
  • MCVSRte
  • Microsoft NetWork FireWall Services
  • MonSvcNT
  • MpfService
  • navapsvc
  • NDIS_RD
  • Ndisuio
  • Network Associates Log Service
  • nipsvc
  • NISSERV
  • NISUM
  • NNTPFILT.DLL
  • NOD32ControlCenter
  • NOD32krn
  • NOD32Service
  • Norman NJeeves
  • Norman Type-R
  • Norman ZANDA
  • Norton AntiVirus Server
  • NPDriver
  • NPFMntor
  • NProtectService
  • NSCTOP
  • nvcoas
  • NVCScheduler
  • nwclntc
  • nwclntd
  • nwclnte
  • nwclntf
  • nwclntg
  • nwclnth
  • NWService
  • OfcPfwSvc
  • Outbreak Manager
  • Outpost Firewall
  • OutpostFirewall
  • PASSRV
  • PAVAGENTE
  • PavAtScheduler
  • PAVDRV
  • PAVFIRES
  • PAVFNSVR
  • Pavkre
  • PavProc
  • PavProt
  • PavPrSrv
  • PavReport
  • PAVSRV
  • PCC_PFW
  • PCCPFW
  • PersFW
  • Personal Firewall
  • POP3FILT.DLL
  • PREVSRV
  • PROTECT.DLL
  • PSIMSVC
  • qhwscsvc
  • Quick Heal Online Protection
  • ravmon8
  • RfwService
  • SAVFMSE
  • SAVScan
  • SBService
  • SECRET.DLL
  • SharedAccess
  • schscnt
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • SpiderNT
  • SweepNet
  • SWEEPSRV.SYS
  • Symantec AntiVirus Client
  • Symantec Core LC
  • T_H_S_M
  • The_Hacker_Antivirus
  • tm_cfw
  • Tmntsrv
  • TmPfw
  • tmproxy
  • tmtdi
  • V3MonNT
  • V3MonSvc
  • Vba32ECM
  • Vba32ifs
  • Vba32Ldr
  • Vba32PP3
  • VBCompManService
  • VexiraAntivirus
  • VFILT
  • VisNetic AntiVirus Plug-in
  • vrfwsvc
  • vsmon
  • VSSERV
  • WinAntivirus
  • WinRoute
  • wscsvc
  • wuauserv
  • xcomm

The worm contains a list of 99 URLs. Every 2 hours it tries to download a file from one of these addresses; the file is then saved as %system%\re_file.exe and executed.


The worm creates the following file:

  • C:\error.gif

It contains the following text:

  • Error

The worm opens the file using the default image viewer.
