03/01/04 - Bagle.E
This new variant has the same functionality as the Bagle.C variant; it differs in the file names it writes to the local machine and in the size of its executable. It is a mass-mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
contains a remote access component (a notification is sent to the attacker)
If you think that you may be infected with Bagle.E and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the worm if present. This is not required for McAfee users, as McAfee products detect and remove the worm with the latest update (see the removal instructions below for more information).
Note: Receiving an alert stating that the virus came from your email address is not an indication that you are infected, since the worm forges the From: address.
Messages are constructed as follows:
From : (address is spoofed)
Body : (Message body is empty)
Subject :
Accounts department
Ahtung!
Camila
Daily activity report
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices price-list
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price
Price list
Pricelist
Price-list
Proclivity to servitude
Registration confirmation
The account
The employee
The summary
USA government abolishes the capital punishment
Weekly activity report
Well...
You are dismissed
You really love me? he he
Attachment : randomly named binary within a .ZIP file (~16KB). The EXE file within the ZIP archive uses a text-file icon so that it appears to be a text file.
Like its predecessors, this worm checks the system date: if it is 25 March 2004 or later, the worm simply exits and does not propagate. When the attachment is run, Notepad.exe is opened with a blank window.
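The message traits listed above (a subject drawn from the worm's fixed list, an empty body, and a small .ZIP attachment carrying an executable) are enough to flag Bagle.E-style mail at a gateway without a signature for the binary itself. The following is an added example, not code from the original advisory or from McAfee: it parses a MIME message, checks the three traits, and inspects the ZIP's file listing. The subject list is copied from the advisory; the sample message, its attachment name `a7x2.zip`, the `a7x2.exe` it contains, and the size cut-off of 64 KB are constructed here for the demonstration.

```python
"""Added example: gateway-side check for Bagle.E message traits."""
import base64
import email
import io
import zipfile
from email import policy

# Subject lines copied from the advisory.
BAGLE_E_SUBJECTS = {
    "Accounts department", "Ahtung!", "Camila", "Daily activity report",
    "Flayers among us", "Freedom for everyone", "From Hair-cutter", "From me",
    "Greet the day", "Hardware devices price-list", "Hello my friend", "Hi!",
    "Jenny", "Jessica", "Looking for the report", "Maria", "Melissa",
    "Monthly incomings summary", "New Price-list", "Price", "Price list",
    "Pricelist", "Price-list", "Proclivity to servitude",
    "Registration confirmation", "The account", "The employee", "The summary",
    "USA government abolishes the capital punishment", "Weekly activity report",
    "Well...", "You are dismissed", "You really love me? he he",
}
# Assumption: extensions Windows will execute directly from an extracted archive.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
MAX_ZIP_BYTES = 64 * 1024  # assumption: the advisory says the archive is ~16KB


def zip_executables(data: bytes) -> list:
    """Names inside a ZIP archive that carry an executable extension ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def classify(raw: bytes) -> dict:
    """Evaluate one RFC 822 message against the three Bagle.E traits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content().strip() if body_part else ""
    executables = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and len(payload) <= MAX_ZIP_BYTES:
            executables += zip_executables(payload)
    indicators = {
        "known_subject": subject in BAGLE_E_SUBJECTS,
        "empty_body": body_text == "",
        "zip_with_executable": bool(executables),
    }
    return {
        "indicators": indicators,
        "executables": executables,
        "verdict": "bagle_e_suspect" if all(indicators.values()) else "clean",
    }


def build_sample(subject: str, body: str, attach_exe: bool) -> bytes:
    """Constructed sample message (not a real capture) shaped like the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        if attach_exe:
            zf.writestr("a7x2.exe", b"MZ" + b"\x00" * 64)  # hypothetical random name, fake PE stub
        else:
            zf.writestr("notes.txt", b"just text")
    b64 = base64.encodebytes(buf.getvalue()).decode("ascii")
    return (
        "From: someone@example.com\r\n"  # the advisory notes From: is spoofed
        "To: victim@example.com\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        f"\r\n{body}\r\n"
        "--b1\r\n"
        'Content-Type: application/zip; name="a7x2.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="a7x2.zip"\r\n'
        f"\r\n{b64}\r\n"
        "--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    print(classify(build_sample("Price-list", "", True)))
```

Requiring all three traits keeps a legitimate "Price list" message with a real body from being flagged; the ZIP listing is read without extracting anything, so the check is safe to run on untrusted mail.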
The virus copies itself into the Windows system directory as i1ru74n4.exe, for example:
C:\WINNT\SYSTEM32\i1ru74n4.exe
It also creates other files in this directory to perform its functions:
godo.exe (18,944 bytes) - DLL to perform mailing
ii455nj4.exe (1,536 bytes) - DLL loader
i1ru74n4.exeopen (~16KB) - ZIP to be sent via email
The following Registry key is added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rate.exe" = C:\WINNT\SYSTEM32\i1ru74n4.exe
Additionally, the following Registry values are created:
HKEY_CURRENT_USER\Software\DateTime2 "frun"
HKEY_CURRENT_USER\Software\DateTime2 "uid"
HKEY_CURRENT_USER\Software\DateTime2 "port"
A mutex called "imain_mutex" is created to ensure that only one instance of the worm runs at a time.
This worm attempts to terminate the processes of security programs with the following filenames:
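The dropped files, the Run value, the DateTime2 marker values and the mutex above are the host-side artifacts an incident responder would check for. The following is an added example, not code from the original advisory or from McAfee: `check_host()` matches a snapshot of those four artifact classes against the indicators copied from the advisory, and `collect_live()` gathers that snapshot on a Windows host via `winreg`, `os.scandir` and `OpenMutexW` (the use of those APIs is my assumption about how to collect the data; the snapshot in `__main__` and in the test is constructed).

```python
"""Added example: check a host snapshot for the Bagle.E artifacts listed in the advisory."""
import ctypes
import ntpath
import os
import sys

# Indicators copied from the advisory (file sizes as stated there; None = size not given).
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "rate.exe"
WORM_EXE = "i1ru74n4.exe"
DROPPED = {"i1ru74n4.exe": None, "godo.exe": 18944, "ii455nj4.exe": 1536, "i1ru74n4.exeopen": None}
MARKER_SUBKEY = r"Software\DateTime2"
MARKER_VALUES = {"frun", "uid", "port"}
MUTEX = "imain_mutex"


def check_host(run_values: dict, system_files: dict, marker_values: set, mutexes: set) -> list:
    """Return a list of human-readable hits.

    run_values:    {value_name: data} under HKCU\\...\\Run
    system_files:  {filename: size_bytes} for the Windows system directory
    marker_values: value names present under HKCU\\Software\\DateTime2
    mutexes:       names of mutexes known to exist
    """
    hits = []
    target = str(run_values.get(RUN_VALUE, ""))
    if ntpath.basename(target).lower() == WORM_EXE:
        hits.append(f"Run value '{RUN_VALUE}' launches {target}")
    files = {name.lower(): size for name, size in system_files.items()}
    for name, size in DROPPED.items():
        if name in files and (size is None or files[name] == size):
            hits.append(f"dropped file {name} ({files[name]} bytes)")
    present = MARKER_VALUES & {v.lower() for v in marker_values}
    if present:
        hits.append(f"HKCU\\{MARKER_SUBKEY} values present: {sorted(present)}")
    if MUTEX in mutexes:
        hits.append(f"mutex {MUTEX} present")
    return hits


def collect_live():
    """Gather the four inputs from the running Windows host (Windows only)."""
    import winreg

    def values_under(subkey: str) -> dict:
        out, index = {}, 0
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    out[name] = data
                    index += 1
        except OSError:  # key absent
            pass
        return out

    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    files = {e.name: e.stat().st_size for e in os.scandir(sysdir) if e.is_file()}
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    SYNCHRONIZE = 0x00100000
    mutexes = set()
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, MUTEX)  # non-NULL only if it exists
    if handle:
        mutexes.add(MUTEX)
        kernel32.CloseHandle(ctypes.c_void_p(handle))
    return values_under(RUN_SUBKEY), files, set(values_under(MARKER_SUBKEY)), mutexes


if __name__ == "__main__":
    if sys.platform == "win32":
        snapshot = collect_live()
    else:  # constructed snapshot so the check can be exercised elsewhere
        snapshot = ({"rate.exe": r"C:\WINNT\SYSTEM32\i1ru74n4.exe"},
                    {"godo.exe": 18944, "ii455nj4.exe": 1536}, {"frun", "uid"}, {"imain_mutex"})
    for hit in check_host(*snapshot) or ["no Bagle.E artifacts found"]:
        print(hit)
```

Note that the Run value name ("rate.exe") does not match the file it launches (i1ru74n4.exe); the check keys on the launched file name rather than the value name for that reason. Matching `godo.exe` and `ii455nj4.exe` on size as well as name reduces false positives from unrelated files that happen to share a name.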
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_101061.htm
Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger
More info on this worm:
http://vil.nai.com/vil/content/v_101061.htm