Worm:Win32/Bagz.D@mm is a worm that sends e-mails to gathered e-mail addresses, with an attached copy of itself. Win32/Bagz may also block access to certain Web sites and delete services.
Installation
When Win32/Bagz.D@mm is first run, it may drop the following files:
<system folder>\rpc32.exe
<system folder>\run32.exe
<system folder>\sysboot.doc .exe
Next, the worm executes one of the dropped files with a parameter, as in this example shell instruction:
<system folder>\rpc32.exe -install
When the component 'rpc32.exe' executes, it creates a service with the following attributes:
Service Name: "RPC32"
Display Name: "Network Explorer"
Description: "Starts and configures accessibility tools from one window"
Image Path: "<system folder>\rpc32.exe"
Spreads Via…
E-mail Attachment
Win32/Bagz.D@mm may send a copy of itself as an e-mail attachment to addresses found on the infected computer. This worm will spoof the sent from field, and the subject line and message body vary. The attachment may have a .zip extension or a double extension that is partly hidden or out of view, to make it appear that opening the attachment is safe. Below are expected e-mail characteristics and properties of a message sent by this worm.
From: <spoofed>
To: <e-mail address>
An e-mail address gathered from searching within files having one of the following file extensions:
.tbb, .tbi, .dbx, .htm, .txt
The worm will filter and avoid collecting addresses containing any of the following substrings:
@avp
@foo
@iana
@messagelab
@microsoft
abuse
admin
administrator@
all@
anyone@
bsd
bugs@
cafee
certific
certs@
contact@
contract@
f-secur
feste
free-av
gold-
gold-certs@
google
help@
hostmaster@
icrosoft
info@
kasp
linux
listserv
local
netadmin@
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
support@
unix
update
webmaster@
winrar
winzip
Subject: <one of the following>
ASAP
please responce
Read this
urgent
toxic
contract
Money
office
Have a nice day
Hello
Russian's
Amirecans
attachments
attach
waiting
best regards
Administrator
Warning
text
Vasia
re: Andrey
re: please
re: order
Allert!
Att
Message body: <one of the following>
Hi
Did you get the previous document I attached for you?
I resent it in this email just in case, because I
really need you to check it out asap.
Best Regards |
Hi
I made a mistake and forgot to click attach
on the previous email I sent you. Please give me
your opinion on this opportunity when you get a chance.
Best Regards |
Hi
I was supposed to send you this document yesterday.
Sorry for the delay, please forward this to your family if possible.
It contains important info for both of you. |
Hi
Sorry, I forgot to send an important
document to you in that last email. I had an important phone call.
Please checkout attached doc file when you have a moment.
Best Regards |
Hi
I was in a rush and I forgot to attach an important
document. Please see attached doc file.
Best Regards, |
Sorry to bother you, but I am having a problem receiving your emails.
I am responding to your last email in the attached file.
Please get back to me if there is any problem reading the attachment. |
I am responding to your last email in the attached file.
I had a delivery problem with your inbox, so maybe you'll receive this
now. |
Can you please check out the email I have attached?
For some reason, I received only part of your last several emails.
I want to make sure that there are no problems with either of our
accounts. |
This email is being sent as attachment because
it was previously blocked by your email filters.
Please view the attachment and respond.
Thanks |
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks |
I apologize, but I need you to verify
that I have the correct contact info for you.
My system crashed last weekend and
I lost most of my friends and work contacts.
Please check the attached (.pdf) and
please let me know if your info is current. |
My last email to you was returned.
The reason is that I am not currently
added to your "allowed" contact list.
Please add my updated contact info
provided in the attached (.pdf) file
so I can send you emails in the future.
Sincerely |
I have updated my email address
See the (.pdf) file attached and
please respond if you have any questions. |
We have made recent updates to our database.
Please verify your mailing address on file is correct.
We have attached a (.pdf) sheet for you to use for your response. |
Hello
Our contact information has changed.
See the attached (.pdf) sheet for details.
Sincerely, |
***URGENT: SERVICE SHUTDOWN NOTICE***
Due to your failure to comply with our email
Rules and Regulations, your email account has been
temporarily suspended for 24 hours unless we are contacted regarding
this situation.
You must read the attached document for further
instructions. Failure to comply will result in termination of your
account.
Regards,
Net Operator
***URGENT: SERVICE SHUTDOWN NOTICE*** |
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
You are currently unable to send emails.
This may be a billing issue.
Please call the billing center.
The # for the billing office is located in the attached
contact list for your convenience.
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!*** |
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello,
The previous email you sent has been recognized as spam.
This means your email was not delivered to your friend or client.
You must open the attached file to receive more information.
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM*** |
Hello,
What version of windows you are using?
This last document I received from you came out weird.
Please see the attached word file and resend the file to me.
Many thanks,
User |
Hello,
My PC crashed while I was sending that last email.
I have re-attached the document of yours that I discovered.
Please read attached document and respond ASAP.
Sincerely,
User |
Hello,
Your email was sent in an INVALID format.
To verify this email was sent from you,
simply open the attached email (.eml) file
and click yes in the sender options box.
Thank You,
User |
Hello,
Your email was received.
YOUR REPLY IS URGENT!
Please view the attached text file for instructions.
Regards,
User |
Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
Best Regards,
User |
Hello,
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks,User |
Hello,
Sorry, I forgot to attach the new contact information.
Please view the attached (.pdf) contact sheet.
Sincerely,
User |
Attachment: <one of the following>
backup.zip
admin.zip
archivator.zip
about.zip
readme.zip
help.zip
photos.zip
payment.zip
archives.zip
manual.zip
inbox.zip
outbox.zip
save.zip
rar.zip
zip.zip
ataches.zip
documentation.zip
docs.zip
backup.doc .exe
admin.doc .exe
archivator.doc .exe
about.doc .exe
readme.doc .exe
help.doc .exe
photos.doc .exe
payment.doc .exe
archives.doc .exe
manual.doc .exe
inbox.doc .exe
outbox.doc .exe
save.doc .exe
rar.doc .exe
zip.doc .exe
ataches.doc .exe
documentation.doc .exe
docs.doc .exe
sysboot.doc .exe
Payload
Deletes Services
Win32/Bagz.D@mm may delete services if their names contain any of the following substrings, by deleting registry values in the subkeys HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG:
pfwadmin.exe
persfw.exe
sched.exe
aswupdsv.exe
aswregsvr.exe
aswboot.exe
ashskpck.exe
ashskpcc.exe
ashsimpl.exe
ashserv.exe
ashquick.exe
ashpopwz.exe
ashmaisv.exe
ashlogv.exe
ashdisp.exe
ashchest.exe
ashbug.exe
ashavast.exe
symnavo.dll
statushp.dll
sdstp32i.dll
sdsok32i.dll
sdsnd32i.dll
sdpck32i.dll
scriptui.dll
scanmgr.dll
scandres.dll
scandlvr.dll
savscan.exe
savrtpel.sys
savrt32.dll
savrt.sys
s32navo.dll
s32integ.dll
quaropts.dat
quarantine
quar32.dll
qspak32.dll
qconsole.exe
qconres.dll
ptchinst.dll
probegse.dll
patch25d.dll
opscan.exe
officeav.dll
oeheur.dll
netbrext.dll
navwnt.exe
navw32.exe
navuihtm.dll
navui.nsi
navui.dll
navtskwz.dll
navtasks.dll
navstub.exe
navstats.dll
navshext.dll
navprod.dll
navopts.dll
navoptrf.dll
navntutl.dll
navlucbk.dll
navlogv.dll
navlnch.dll
navlcom.dll
navevent.dll
naverror.dll
navcomui.dll
navcfgwz.dll
navapw32.exe
navapw32.dll
navapsvc.exe
navapscr.dll
navap32.dll
n32exclu.dll
n32call.dll
ltchkres.dll
djsalert.dll
defalert.dll
cfgwzres.dll
cfgwiz.exe
ccimscn.exe
ccimscan.dll
ccavmail.dll
bootwarn.exe
avres.dll
avcompbr.dll
apwutil.dll
apwcmdnt.dll
aboutplg.dll
zlparser.dll
vsvault.dll
vsruledb.dll
vsmon.exe
vsdb.dll
vsavpro.dll
ssleay32.dll
cerbprovider.pvx
camupd.dll
zonealarm.exe
zl_priv.htm
zlclient.exe
zav.zap
zauninst.exe
zatutor.exe
tutorwiz.dll
security.zap
programs.zap
idlock.zap
framewrk.dll
firewall.zap
filter.zap
email.zap
alert.zap
wormres.dll
vsowow.dll
vsoupd.dll
vsoui.dll
mcshield.dll
vsagntui.dll
shlres.dll
shextres.inf
shextbin.inf
scrstres.inf
scrpsbin.inf
scrpres.dll
scanserv.dll
scan.dat
patchw32.dll
outscres.dll
outscan.dll
ntclient.dll
naievent.dll
naiann.dll
mcvsworm.dll
mcvsskt.dll
mcvsshld.exe
mcvsshl.dll
mcvsscrp.dll
mcvsrte.exe
mcvsmap.exe
mcvsftsn.exe
mcvsescn.exe
mcvsctl.dll
mcurial.dll
mcshield.exe
mcscan32.dll
mcmnhdlr.exe
mcavtsub.dll
imscnres.inf
imscnbin.inf
ftscnres.dll
emscnres.dll
edisk.dll
ashldres.dll
appinit.ini
804mbd1.img
804mbd1.chk
mghtml.exe
mcinfo.exe
mcappins.exe
dunzip32.dll
mvtx.exe
mpfwizard.exe
mpfupdchk.dll
mpfui.dll
mpftray.exe
mpfservice.exe
mpfconsole.exe
mpfagent.exe
Blocks Access To Sites
Modify the Windows system hosts file commonly located in the folder <system folder>\drivers\etc\hosts, to prevent access to security-related Web sites. For example, the modified hosts file contains the following entries:
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www3.ca.com
Downloads Files
Attempt to run the file run32.exe which was previously dropped by the worm to download additional files from the following remote Web sites:
192.168.0.6
pong.ug66.biz
ping.rbagz.biz
wefed.biz
warfed.biz
Analysis by Lena Lin
