Request Services
  Data Systems Services
  About Data Systems
  News & Announcements
 
Virus Alert
Virus Hoaxes
  Quick Links
  Classroom Reservations
  Equipment Reservations
  Software Downloads
 
Data Systems Only! (Password Protected)
  Live Remote Assistance
 


Bagle.N Worm

03/18/04 - Bagle.N

This Bagle variant bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment can be a password-protected zip or rar file, with the password included in the message body, or in an image file attached to the message.
  • contains a remote access component (notification is sent to hacker)
  • copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
  • encrypted polymorphic parasitic file infector

Mail Propagation

The message-bodies are constructed very similarly to those for its predecessor, using several parts, to effectively customize the email, to make it appear to be a legitimate warning notification. The details are as follows:

From : (the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)

  • management@
  • administration@
  • staff@
  • noreply@
  • support@ 
  • other address found on the system

Subject :

  • Account notify
  • E-mail account disabling warning.
  • E-mail account security warning.
  • Email account utilization warning.
  • Email report
  • E-mail technical support message.
  • E-mail technical support warning.
  • E-mail warning
  • Encrypted document
  • Fax Message Received
  • Forum notify
  • Hidden message
  • Important notify
  • Important notify about your e-mail account.
  • Incoming message
  • Notify about using the e-mail account.
  • Notify about your e-mail account utilization.
  • Notify from e-mail technical support.
  • Protected message
  • Re: Document
  • Re: Hello
  • Re: Hi
  • Re: Incoming Fax
  • Re: Incoming Message
  • Re: Msg reply
  • RE: Protected message
  • RE: Text message
  • Re: Thank you!
  • Re: Thanks :)
  • Re: Yahoo!
  • Request response
  • Site changes
  • Warning about your e-mail account.

Body Text:

Greeting -

  • Dear user of %s ,
  • Dear user of %s e-mail server gateway,
  • Hello user of %s e-mail server,
  • Dear user, the management of %s mailing system wants to let you know that,

(Where %s is the user's domain is chosen from the To: address. For example the user's domain for user@mail.com  would be "mail.com")

Main message body -

  • Your e-mail account has been temporary disabled because of unauthorized access.
  • Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
  • Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
  • We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
  • Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
  • Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Attachment explanation -

  • Advanced details can be found in attached file.
  • Find the white rabbit.
  • Follow the wabbit.
  • For details see the attach.
  • For details see the attached file.
  • For further details see the attach.
  • For more information see the attached file.
  • Further details can be obtained from attached file.
  • Here is the file.
  • Message is in attach
  • More info in attach
  • Pay attention on attached file.
  • Please, have a look at the attached file.
  • Please, read the attach for further details.
  • Read the attach.
  • See attach.
  • See the attached file for details.
  • Your file is attached.

Password information -  (if received as a ZIP or RAR file)

  • Password: %password%
  • Pass - %password%
  • Password - %password%
  • For security reasons attached file is password protected. The password is  (attached image inserted)
  • For security purposes the attached file is password protected. Password -- (attached image inserted)
  • Note: Use password  (attached image inserted) to open archive
  • Attached file is protected with the password for security reasons. Password is (attached image inserted)
  • In order to read the attach you have to use the following password: (attached image inserted)
  • Archive password: (attached image inserted)
  • Password - (attached image inserted)
  • Password: (attached image inserted)

Closing -

  • The Management,
  • Sincerely,
  • Best wishes,
  • Have a good day,
  • Cheers,
  • Kind regards,

The (user's domain) team                           http://www. (user's domain)

(Where the first part of the closing is selected from the list. The second part is always present.)

Attachment: (May be .EXE, .PIF, .ZIP, or .RAR)

  • Attach
  • Details
  • details
  • Document
  • Encrypted
  • first_part
  • Gift
  • Info
  • Information
  • Message
  • MoreInfo
  • pub_document
  • Readme
  • Text
  • text_document
  • TextDocument
  • (The virus may also attach an image file (.BMP, .JPG, .GIF) to the message that contains the password to a password-protected zip file, which contains the virus)

The virus copies itself into the Windows System directory as WINUPD.EXE. For example:

  • C:\WINNT\SYSTEM32\WINUPD.EXE

It also creates two files, WINUPD.EXEOPEN, WINUPD.EXEOPENOPEN which may either be another copy of itself or a ZIP or RAR file to be sent in email.  It may also create another file named WINUPD.EXEOPENOPENOPEN, which is an image file containing the password as an image.

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "winupd.exe" = C:\WINNT\SYSTEM32\winupd.exe

An additional key is created as well:

  • HKEY_CURRENT_USER\Software\winupd

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101095.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger

More info on this worm:
http://vil.nai.com/vil/content/v_101095.htm

Back to the top