Win32.Bagle.AG

Discussion in 'NZ Computing' started by Patrick Dunford, Aug 10, 2004.

  1. http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39846

    Category: Win32

    Also known as: Win32/Bagle.AG.Worm, W32/Bagle.AJ@mm (F-Secure),
    I-Worm.Bagle.al (Kaspersky), W32/Bagle.aq@MM (McAfee),
    Win32/WDirect.DLL.Worm, Win32/WDirect.Trojan

    Threat assessment: High


    Description

    Win32.Bagle.AG is a worm that spreads via e-mail. The worm has been
    distributed as a 19,460-byte, PEX-compressed Win32 executable.

    Method of Infection

    Bagle.AG consists of several components: the worm executable, an HTML
    file, an EXE dropper and a .DLL that contains a routine to download the
    worm.

    The EXE dropper is 14,848 bytes in size.

    The DLL that will be injected into Explorer.exe process is 11,776 bytes.
    Subsequent activities by the malware will appear to have originated from
    Explorer.exe.

    The dropper downloads the worm from a list of 204 different URLs, all
    pointing to a file named 2.JPG. The file is downloaded to the %Windows%
    directory as "~.exe" and executed. The downloaded file is a 19,460-byte
    PEX-compressed Win32 executable.

    The HTML contains code to activate PRICE.EXE.

    Once the EXE dropper is activated, it copies itself to the %System%
    directory as "WINdirect.exe", and drops the DLL component as "_DLL.EXE".
    It then creates a remote thread in Explorer.exe process to execute the
    DLL component.

    The following registry values are created to run the EXE dropper when
    Windows starts:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe = "%System%\WINdirect.exe"
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe = "%System%\WINdirect.exe"

    When executed, the worm copies itself to:

    %System%\windll.exe

    and modifies the registry to ensure that this copy is executed at each
    Windows start:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\erthgdr = "%System%\windll.exe"

    There may be two more files created by the worm in the process of
    generating e-mail attachments:

    %System%\windll.exeopen
    %System%\windll.exeopenopen

    Note: '%System%' and '%Windows%' are variable locations. The trojan
    determines the location of these folders by querying the operating
    system. The default installation location for the System directory for
    Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is
    C:\Windows\System; and for XP it is C:\Windows\System32. The default
    installation location for the Windows directory for Windows 2000 and NT
    is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is
    C:\Windows.


    Method of Distribution
    Via E-Mail

    The worm e-mail has an empty Subject line, with a single word in the
    message body: "price". The attachment is a zip file that contains two
    files, "price.html" and "price.exe". The file "price.exe" resides in a
    subfolder "price" within the zip file.

    The attachment name is chosen from the following list:

    price
    price2
    price_new
    price_08
    08_price
    newprice
    new_price
    new__price

    Instead of sending the worm itself in the e-mail attachment, the
    attachment contains only the EXE dropper. The dropper in turn downloads
    the worm from a list of 204 URLs to complete the infection cycle.

    [...]

    --
    "Marriage is a lifelong covenant commitment between
    a man and a woman.

    This foundation provides the best possible
    environment to raise our children."

    See http://www.maxim.org.nz/civilunions.html
    Patrick Dunford, Aug 10, 2004
    #1
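The advisory above lists concrete host and e-mail indicators: two autorun values under the Run key, a handful of dropped file names, and a very specific message shape (empty subject, body "price", a zip with price.html and price\price.exe under one of eight names). The script below is an added example, not part of the CA advisory or of this thread, showing how an administrator might turn those indicators into a triage check. It runs over constructed sample data (registry Run entries, a file listing and a message description) rather than reading the live registry, so it works offline; the tuple shapes it accepts are assumptions for the example, and the value-name matching deliberately accepts either hive since the advisory lists both HKCU and HKLM.

```python
"""Added example (not from the CA advisory or the newsgroup thread): match the
Bagle.AG indicators named in the advisory against constructed sample data.
Every input below is constructed for the example; no live system is read."""
import re

# Run-key value names and the executable each should point at (per the advisory).
RUN_VALUE_INDICATORS = {
    "win_upd2.exe": "windirect.exe",  # autorun for the EXE dropper
    "erthgdr": "windll.exe",          # autorun for the worm itself
}

# Base names of files the advisory says are dropped (matched case-insensitively).
DROPPED_FILE_NAMES = {
    "windirect.exe", "_dll.exe", "windll.exe",
    "windll.exeopen", "windll.exeopenopen", "~.exe",
}

# Attachment base names listed in the advisory (the attachment itself is a .zip).
ATTACHMENT_NAMES = {"price", "price2", "price_new", "price_08",
                    "08_price", "newprice", "new_price", "new__price"}


def check_run_entries(entries):
    """entries: iterable of (key_path, value_name, value_data), e.g. as exported
    from the CurrentVersion\\Run keys. Returns a list of matching descriptions."""
    findings = []
    for key_path, name, data in entries:
        # Only the Run keys matter here; the advisory names no other key.
        if not key_path.lower().endswith(r"\currentversion\run"):
            continue
        expected_exe = RUN_VALUE_INDICATORS.get(name.lower())
        if expected_exe and expected_exe in data.lower():
            findings.append(f"{key_path}\\{name} -> {data}")
    return findings


def check_files(paths):
    """Return the paths whose base name is one of the dropped file names."""
    findings = []
    for p in paths:
        base = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in DROPPED_FILE_NAMES:
            findings.append(p)
    return findings


def check_email(subject, body, attachment_name, zip_members):
    """True when a message matches the advisory's description of the worm mail:
    empty subject, body that is only the word 'price', a .zip attachment with one
    of the listed names, containing price.html and price/price.exe."""
    if subject.strip() != "" or body.strip().lower() != "price":
        return False
    m = re.fullmatch(r"(?i)([a-z0-9_]+)\.zip", attachment_name.strip())
    if not m or m.group(1).lower() not in ATTACHMENT_NAMES:
        return False
    members = {z.replace("\\", "/").lower() for z in zip_members}
    return "price.html" in members and "price/price.exe" in members


# --- constructed sample data (not captured from a real infection) -----------
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "win_upd2.exe",
     r"C:\WINDOWS\System32\WINdirect.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "erthgdr",
     r"C:\WINDOWS\System32\windll.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\System32\ctfmon.exe"),  # benign entry, should not match
]
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\windll.exe",
    r"C:\WINDOWS\~.exe",
    r"C:\WINDOWS\System32\kernel32.dll",   # benign, should not match
]
SAMPLE_MAIL = ("", "price", "price_new.zip", ["price.html", "price/price.exe"])


def triage():
    """Run all three checks over the sample data and return a summary dict."""
    return {
        "run_entries": len(check_run_entries(SAMPLE_RUN_ENTRIES)),
        "files": len(check_files(SAMPLE_FILES)),
        "mail_matches": check_email(*SAMPLE_MAIL),
    }


if __name__ == "__main__":
    for line in check_run_entries(SAMPLE_RUN_ENTRIES):
        print("autorun indicator:", line)
    for path in check_files(SAMPLE_FILES):
        print("dropped file indicator:", path)
    print("mail matches worm pattern:", check_email(*SAMPLE_MAIL))
```

The mail check is strict on purpose: an empty subject and a one-word body are each common on their own, and it is the combination with the named zip and its two members that the advisory describes, so matching on all of them together keeps the false-positive rate down at a gateway.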

  2. "Patrick Dunford" <> wrote in message
    news:...
    > http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39846
    >
    > Category: Win32
    >
    > Also known as: Win32/Bagle.AG.Worm, W32/Bagle.AJ@mm (F-Secure),
    > I-Worm.Bagle.al (Kaspersky), W32/Bagle.aq@MM (McAfee),
    > Win32/WDirect.DLL.Worm, Win32/WDirect.Trojan
    >
    > Threat assessment: High
    >
    >
    > Description
    > Win32.Bagle.AG is a worm that spreads via e-mail. The worm has been
    > distributed as a 19,460-byte, PEX-compressed Win32 executable.
    > Method of Infection
    >
    > Bagle.AG consists of several components; the worm executable, an HTML
    > file, an EXE dropper and a .DLL that contains a routine to download the
    > worm.
    >


    <snip>

    For those who have installed WinXP SP2, check out the "Tools / Manage
    Add-ons" option in IE. This should show worms and viruses, etc., that install
    themselves as DLLs (and allow you to disable them). More info at:

    http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx

    Brett Roberts
    Microsoft NZ
    Brett Roberts, Aug 10, 2004
    #2

  3. Patrick Dunford

    Dogg Guest

    On Tue, 10 Aug 2004 13:56:19 +1200, "Brett Roberts"
    <> wrote:

    <snip>
    >
    >for those who have installed WinXP SP2 check out the "Tools / Manage
    >Add-ons" option in IE. This should show worms and viruses etc that install
    >themselves as DLL's (and allow you to disable them). More info at:
    >
    >http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx
    >
    >Brett Roberts
    >Microsoft NZ
    >


    Is the full version out?
    Dogg, Aug 10, 2004
    #3
  4. Patrick Dunford

    Dogg Guest

    On Tue, 10 Aug 2004 14:42:02 +1200, Dogg <>
    wrote:

    >On Tue, 10 Aug 2004 13:56:19 +1200, "Brett Roberts"
    ><> wrote:
    >
    ><snip>
    >>
    >>for those who have installed WinXP SP2 check out the "Tools / Manage
    >>Add-ons" option in IE. This should show worms and viruses etc that install
    >>themselves as DLL's (and allow you to disable them). More info at:
    >>
    >>http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx
    >>
    >>Brett Roberts
    >>Microsoft NZ
    >>

    >
    >Is the full version out?


    Disregard :)
    Dogg, Aug 10, 2004
    #4
