Win32.Bagle.GM@mm

Diffusione:	low
Danno:	low
Dimensioni:	40,561 bytes
Scoperto:	2006 Dec 23

SINTOMI:

When it is run for the first time, it dropps a file named error.txt in C:\, and opens it with Nodepad. It will look like this:

DESCRIZIONE TECNICA:

The worm makes itself two copies:

%APPDATA%\hidn\hldrrr.exe
%APPDATA%\hidn\hidn2.exe

In older versions, Bagle used the same name, but it used a rootkit to hide the "hidn" folder, the two files and associated processes and registry entries. It is not the case in this version.

It creates the following registry entry to ensure it will be run at startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key = "%APPDATA%\hidn\hidn2.exe"

The worm will try to download some lists with email addresses, from the following web sites:

http://accesible.cl/1/[REMOVED].php
http://amdlady.com/1/[REMOVED].php
http://avataresgratis.com/1/[REMOVED].php
http://beyoglu.com.tr/1/[REMOVED].php
http://brandshock.com/1/[REMOVED].php
http://c-d-c.com.au/1/[REMOVED].php
http://camaramafra.sc.gov.br/1/[REMOVED].php
http://camposequipamentos.com.br/1/[REMOVED].php
http://cbradio.sos.pl/1/[REMOVED].php
http://coparefrescos.stantonstreetgroup.com/1/[REMOVED].php
http://creainspire.com/1/[REMOVED].php
http://desenjoi.com.br/1/[REMOVED].php
http://hotelesalba.com/1/[REMOVED].php
http://inca.dnetsolution.net/1/[REMOVED].php
http://veranmaisala.com/1/[REMOVED].php
http://wklight.nazwa.pl/1/[REMOVED].php
http://www.auraura.com/1/[REMOVED].php
http://www.buydigital.co.kr/1/[REMOVED].php
http://www.diem.cl/1/[REMOVED].php
http://www.discotecapuzzle.com/1/[REMOVED].php
http://www.inprofile.gr/1/[REMOVED].php
http://www.klanpl.com/1/[REMOVED].php
http://www.titanmotors.com/images/1/[REMOVED].php
http://yongsan24.co.kr/1/[REMOVED].php

It will collect them in a file named "elist.xpt", found in %WINDOWS% directory.

To this list will be added all email addresses found on the system. The worm search for them in all files having the following extensions:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

It will not gather emails matching the following patterns:

@.
.@
..
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

The worm uses the SMTP servers defined in Outlook. If there are no such servers configured on the system, it uses some predefined SMTP servers.

An email sent by this version of Bagle will look like this:

Subject
A combination of one of the following and the current date:

"pric "
"price_ "
"price_"
"price-"
"price "

For example: "price_29-Dec-2006"

From
Searches for Outlook profiles in HKCU\Software\Microsoft\Internet Account Manager\Accounts

Body
One of the following:

Message in attach.
Message is zipped.
Msg attached.

Attachment
A combination of one of the following, and the current date, with ".zip" at the end:

price
new_price
latest_price

For example: "new_price29-Dec-2006.zip"

It will also download a file from one of these addresses, and will rename it to "re_file.exe":

http://5050clothing.com/[REMOVED].gif
http://axelero.hu/[REMOVED].gif
http://calamarco.com/[REMOVED].gif
http://ceramax.co.kr/[REMOVED].gif
http://charlesspaans.com/[REMOVED].gif
http://chatsk.wz.cz/[REMOVED].gif
http://checkalertusa.com/[REMOVED].gif
http://cibernegocios.com.ar/[REMOVED].gif
http://cof666.shockonline.net/[REMOVED].gif
http://comaxtechnologies.net/[REMOVED].gif
http://concellodesandias.com/[REMOVED].gif
http://dev.jintek.com/[REMOVED].gif
http://dogoodesign.ch/[REMOVED].gif
http://donchef.com/[REMOVED].gif
http://erich-kaestner-schule-donaueschingen.de/[REMOVED].gif
http://foxvcoin.com/[REMOVED].gif
http://grupdogus.de/[REMOVED].gif
http://hotchillishop.de/[REMOVED].gif
http://ilikesimple.com/[REMOVED].gif
http://innovation.ojom.net/[REMOVED].gif
http://kisalfold.com/[REMOVED].gif
http://knickimbit.de/[REMOVED].gif
http://kremz.ru/[REMOVED].gif
http://massgroup.de/[REMOVED].gif
http://poliklinika-vajnorska.sk/[REMOVED].gif
http://prime.gushi.org/[REMOVED].gif
http://svatba.viskot.cz/[REMOVED].gif
http://systemforex.de/[REMOVED].gif
http://uwua132.org/[REMOVED].gif
http://v-v-kopretiny.ic.cz/[REMOVED].gif
http://vanvakfi.com/[REMOVED].gif
http://vega-sps.com/[REMOVED].gif
http://vidus.ru/[REMOVED].gif
http://viralstrategies.com/[REMOVED].gif
http://Vivamodelhobby.com/[REMOVED].gif
http://vkinfotech.com/[REMOVED].gif
http://vproinc.com/[REMOVED].gif
http://vytukas.com/[REMOVED].gif
http://waisenhaus-kenya.ch/[REMOVED].gif
http://watsrisuphan.org/[REMOVED].gif
http://wbecanada.com/[REMOVED].gif
http://web-comp.hu/[REMOVED].gif
http://webfull.com/[REMOVED].gif
http://welvo.com/[REMOVED].gif
http://wvpilots.org/[REMOVED].gif
http://www.ag.ohio-state.edu/[REMOVED].gif
http://www.chapisteriadaniel.com/[REMOVED].gif
http://www.chittychat.com/[REMOVED].gif
http://www.cort.ru/[REMOVED].gif
http://www.crfj.com/[REMOVED].gif
http://www.kersten.de/[REMOVED].gif
http://www.kljbwadersloh.de/[REMOVED].gif
http://www.voov.de/[REMOVED].gif
http://www.walsch.de/[REMOVED].gif
http://www.wchat.cz/[REMOVED].gif
http://www.wg-aufbau-bautzen.de/[REMOVED].gif
http://www.wzhuate.com/[REMOVED].gif
http://xotravel.ru/[REMOVED].gif
http://yeniguntugla.com/[REMOVED].gif
http://zebrachina.net/[REMOVED].gif
http://zsnabreznaknm.sk/[REMOVED].gif

"re_file.exe" will then be executed.

Other payloads:

it disables Windows Update Service (wuauserv)
it deletes "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"

ISTRUZIONI DI RIMOZIONE:

Please let BitDefender disinfect your files.

ANALIZZATO DA:

Raul Tosa, virus researcher

Archivi Intelligence Report

Links rapidi » Affiliazione » Nuovo GameSafe » Rinnovo Licenza » Supporto Clienti gratuito » Free Online Scanner