Worm:Win32/Bagle.ZE@mm is a mass-mailing worm that attempts to download and run arbitrary files from remote Web sites. Worm:Win32/Bagle.ZE@mm collects e-mail addresses from the local drive and by checking remote Web sites referenced in the worm's code. The worm attempts to terminate the Windows Automatic Update service and modifies the registry in an attempt to disable booting into Safe Mode.
Worm:Win32/Bagle.ZE@mm contains several routines that run against the local computer, including:
- displaying a text file "error message" using Notepad
- dropping copies of itself
- gathering e-mail addresses
- spreading via e-mail
- downloading additional malicious programs
- terminating the Windows Automatic Update service and preventing booting into Safe Mode
Installation
When Worm:Win32/Bagle.ZE@mm is run, it first creates a folder named "hidn" in the %AppData% folder. Next it drops copies of itself into that folder:
Note: %AppData% specifies the location of the currently logged in user's Application Data folder.
This worm creates a .ZIP archive copy of itself as C:\temp.zip. Next, Worm:Win32/Bagle.ZE@mm makes the following registry modifications to serve as a marker for previously infected systems, and to load the worm at Windows startup:
- Adds value: "FirstRun"
  With data: "1"
  To subkey: HKEY_CURRENT_USER\Software\
- Adds value: "drv_st_key"
  With data: %AppData%\hidn\hidn2.exe
  To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
When this worm is first executed, it displays a fake "error message" using Notepad, which acts as a distraction while it performs its other routines. Bagle.ZE creates ERROR.TXT on the root of drive C:\. This text file contains a single line: "Text decoding error." It displays the contents of this file if a system check indicates this is the initial run of the worm:

Spreads Via…
E-mail
Worm:Win32/Bagle.ZE@mm spreads via e-mail. Initially, the worm gathers e-mail addresses to send itself to from the local computer. It does this by scanning files with certain extensions for strings that resemble e-mail addresses, while skipping any address that contains certain text strings. The worm targets files with these extensions when searching for addresses:
adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch
ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml
The worm avoids addresses that contain the following text strings:
@avp @messagelab abuse admin anyone@ bsd bugs@ cafee certific contract@ feste foo free-av f-secur
gold-certs@ google help@ iana icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply
ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip
Additionally, the worm may download e-mail addresses from one of several hard-coded remote locations. The retrieved e-mail addresses are saved to %WinDir%\elist.xpt, and may be used for target or recipient addresses by the worm.
Worm:Win32/Bagle.ZE@mm spreads attached to e-mail messages with variable characteristics.
Message Body
It may use any of the following strings for the message body (note that the message body may also be empty):
Message in attach.
Msg attached.
Message is zipped.
Subject and Attachment
It may use any of the following strings for the Subject or Attachment name:
pric <Date>
price_ <Date>
price_<Date>
price-<Date>
price <Date>
new_price<Date>
latest_price<Date>
Where <Date> is the current date in the format DD-MMM-YYYY. The worm saves a copy of the attachment zip file as C:\temp.zip.
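The subject, attachment-name and body strings above are fixed enough to be matched at a mail gateway. The following is an added example, not code from the original write-up, that turns the listed prefixes and the DD-MMM-YYYY date into a detection rule and validates that the date is a real calendar date. It assumes the attachment name may carry a ".zip" extension (the page only says the attachment is a zip archive); the sample messages are constructed, not captured.

```python
import re
from datetime import datetime
from typing import Optional

# Message-body strings listed on the page (the body may also be empty).
BAGLE_ZE_BODIES = {"Message in attach.", "Msg attached.", "Message is zipped."}

# Subject / attachment-name prefixes listed on the page, each followed by the
# current date in DD-MMM-YYYY form. Spaces, underscores and hyphens are taken
# literally from the page's list.
_PREFIXES = ["pric ", "price_ ", "price_", "price-", "price ", "new_price", "latest_price"]

# Assumption of this example: an attachment name may end in ".zip" (the page
# says the attachment is a zip archive); a subject carries no extension.
LURE_NAME_RE = re.compile(
    r"^(?:" + "|".join(re.escape(p) for p in _PREFIXES) + r")"
    r"(\d{2}-[A-Za-z]{3}-\d{4})(?:\.zip)?$",
    re.IGNORECASE,
)


def match_lure_name(name: str) -> Optional[str]:
    """Return the date string embedded in `name` when it follows one of the
    Bagle.ZE subject/attachment patterns and is a real calendar date,
    otherwise None."""
    m = LURE_NAME_RE.match(name.strip())
    if not m:
        return None
    date_str = m.group(1)
    try:
        # e.g. 14-Mar-2006; %b expects English month abbreviations
        datetime.strptime(date_str, "%d-%b-%Y")
    except ValueError:
        return None
    return date_str


def score_message(subject: str, attachment: Optional[str], body: str) -> dict:
    """Flag a message whose subject, attachment name or body matches the lure
    characteristics, returning the reasons so an analyst can see what fired."""
    reasons = []
    if match_lure_name(subject):
        reasons.append("subject matches Bagle.ZE price_<Date> naming pattern")
    if attachment and match_lure_name(attachment):
        reasons.append("attachment name matches Bagle.ZE price_<Date> naming pattern")
    if body.strip() in BAGLE_ZE_BODIES:
        reasons.append("body is one of the fixed Bagle.ZE lure strings")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real captures) for a quick self-check.
SAMPLE_LURE = {"subject": "price_14-Mar-2006",
               "attachment": "price_14-Mar-2006.zip",
               "body": "Msg attached."}
SAMPLE_CLEAN = {"subject": "Q3 price list",
                "attachment": "prices.xlsx",
                "body": "Hi, the new list is attached."}

if __name__ == "__main__":
    for msg in (SAMPLE_LURE, SAMPLE_CLEAN):
        print(msg["subject"], "->", score_message(**msg))
```

The date check matters because a bare regex for `\d{2}-[A-Za-z]{3}-\d{4}` would also fire on ordinary date-stamped subjects; requiring one of the exact prefixes plus a parseable date keeps the rule tight.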
Payload
Modifies System Settings
Worm:Win32/Bagle.ZE@mm deletes a registry key, which effectively disables the ability to start Windows in Safe Mode. The worm deletes the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
This worm stops Windows Automatic Update by setting a specific registry value:
Modifies key: wuauserv
With value: 4
Within subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Note: Default value for this entry is 2.
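The registry markers in the Installation section (the "FirstRun" marker and the "drv_st_key" Run entry) and the two payload changes above (wuauserv set to 4, SafeBoot key deleted) can be checked together from a registry export. This added example is not part of the original write-up; it models a snapshot as a plain dictionary of subkey paths to value names so the logic runs anywhere, and it assumes that the page's "wuauserv ... value 4" refers to the service's Start value. The snapshots at the bottom are constructed samples.

```python
from typing import Any, Dict, List

# Snapshot model used by this example: {subkey_path: {value_name: data}}.
# On a real host this would be filled from winreg or a .reg export; a plain dict
# keeps the logic runnable offline (assumption of this example).
Snapshot = Dict[str, Dict[str, Any]]

MARKER_KEY = r"HKEY_CURRENT_USER\Software"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WUAUSERV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv"
CONTROL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
SAFEBOOT_KEY = CONTROL_KEY + r"\SafeBoot"


def _normalise(snap: Snapshot) -> Snapshot:
    """Registry key and value names are case-insensitive; compare in lower case."""
    return {k.lower().rstrip("\\"): {v.lower(): d for v, d in vals.items()}
            for k, vals in snap.items()}


def _value(norm: Snapshot, key: str, name: str):
    return norm.get(key.lower(), {}).get(name.lower())


def _has_key(norm: Snapshot, key: str) -> bool:
    """True if the key itself or any subkey of it is present in the snapshot."""
    k = key.lower()
    return any(path == k or path.startswith(k + "\\") for path in norm)


def check_bagle_ze_registry(snap: Snapshot) -> List[str]:
    """Return one finding per Bagle.ZE registry indicator present in `snap`."""
    norm = _normalise(snap)
    findings: List[str] = []

    run = _value(norm, RUN_KEY, "drv_st_key")
    if run is not None:
        expected = str(run).lower().endswith(r"\hidn\hidn2.exe")
        detail = "points to the dropped copy" if expected else f"has unexpected data {run!r}"
        findings.append(f"Run value drv_st_key present ({detail})")

    if str(_value(norm, MARKER_KEY, "FirstRun")) == "1":
        findings.append("infection marker HKCU\\Software\\FirstRun = 1")

    # Assumption of this example: the page's "wuauserv ... value 4" is the
    # service's Start value (4 = disabled; the page gives the default as 2).
    if _value(norm, WUAUSERV_KEY, "Start") == 4:
        findings.append("wuauserv Start = 4 (Automatic Update disabled; default is 2)")

    # Only judge SafeBoot when the snapshot actually covers the Control key,
    # otherwise a partial export would raise a false alarm.
    if _has_key(norm, CONTROL_KEY) and not _has_key(norm, SAFEBOOT_KEY):
        findings.append("SafeBoot key missing (Safe Mode boot disabled)")

    return findings


# Constructed sample snapshots (not exports from a real machine).
INFECTED: Snapshot = {
    MARKER_KEY: {"FirstRun": "1"},
    RUN_KEY: {"drv_st_key": r"C:\Documents and Settings\user\Application Data\hidn\hidn2.exe"},
    WUAUSERV_KEY: {"Start": 4},
    CONTROL_KEY + r"\Session Manager": {},   # shows the export covers Control, yet SafeBoot is absent
}
CLEAN: Snapshot = {
    MARKER_KEY: {},
    RUN_KEY: {"ExampleUpdater": r"C:\Program Files\Example\updater.exe"},   # placeholder entry
    WUAUSERV_KEY: {"Start": 2},
    SAFEBOOT_KEY: {},
    SAFEBOOT_KEY + r"\Minimal": {},
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, "->", check_bagle_ze_registry(snap))
```

The SafeBoot check reports an absence rather than a value, so it deliberately stays silent on a partial export that never covered the Control key; a deleted SafeBoot key cannot be rebuilt by the detector and has to be restored from a known-good export of the same Windows version.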
Downloads and Executes Arbitrary Files
Worm:Win32/Bagle.ZE@mm attempts to connect to multiple remote Web sites in order to retrieve a file named "123.gif". This file may be a malicious executable; when downloaded, it may be saved as "<system>\re_file.exe" and then executed. In some cases the file is not malicious but is actually an image file:
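Because the same "123.gif" name can carry either a real image or an executable, a proxy or sandbox should classify the download by its magic bytes rather than its extension. The following is an added example, not code from the original write-up, that distinguishes a GIF from a Windows PE file by content and flags an image-named file that carries executable content. The sample byte strings are constructed stubs, not real captures.

```python
# Magic bytes of the two content types the page contrasts for "123.gif".
GIF_MAGICS = (b"GIF87a", b"GIF89a")
IMAGE_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "bmp"}


def classify_content(data: bytes) -> str:
    """Classify by content, not by name: 'gif', 'pe', 'mz' (an MZ header with
    no PE signature behind it) or 'unknown'."""
    if data[:6] in GIF_MAGICS:
        return "gif"
    if data[:2] == b"MZ":
        # In a PE file the DWORD at 0x3C (e_lfanew) is the offset of "PE\0\0".
        if len(data) >= 0x40:
            e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"
    return "unknown"


def is_masquerading_executable(filename: str, data: bytes) -> bool:
    """True when a file named like an image actually carries executable content,
    the case the page describes for the worm's "123.gif" download."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in IMAGE_EXTENSIONS and classify_content(data) in ("pe", "mz")


# Constructed samples (not real captures): a minimal GIF header plus trailer,
# and a stub with just enough PE layout (MZ header, e_lfanew -> "PE\0\0").
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
SAMPLE_PE = (b"MZ" + b"\x00" * (0x3C - 2)
             + (0x40).to_bytes(4, "little")   # e_lfanew points at offset 0x40
             + b"PE\x00\x00" + b"\x00" * 20)

if __name__ == "__main__":
    for name, blob in (("123.gif", SAMPLE_GIF), ("123.gif", SAMPLE_PE)):
        print(name, classify_content(blob), "masquerading:", is_masquerading_executable(name, blob))
```

Checking `e_lfanew` rather than only the two "MZ" bytes avoids mislabelling arbitrary data that happens to start with those letters, and the separate "mz" class still catches DOS-style executables that lack a PE header.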
