WORM_BAGLE.EV
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Bagle.fo (Kaspersky)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via email

Infection Channel 2: Propagates via peer-to-peer networks


Description: 

To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

WORM_BAGLE.EV Behavior Diagram

Malware Overview

This worm propagates by sending copies of itself as attachments to email messages, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Because it carries its own SMTP engine, it can send email without relying on a mail client installed on the system, such as Microsoft Outlook.

It is also capable of propagating via peer-to-peer (P2P) networks. It drops copies of itself into folders whose names contain the string SHAR, on the assumption that such folders are used by P2P applications, which typically share a folder with a name such as My Shares or Shared Music.

These copies are named after popular applications and actresses to entice users into downloading and executing the said files.

Upon execution, this worm displays a fake error message to trick users into thinking that the program failed to execute.

It then creates a registry entry so that it runs at every system startup. It also creates a registry entry that adds itself to the Windows Firewall exception list, allowing it to bypass the affected system's firewall settings.
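A defender-side triage check for the two behaviours just described, added here as an example and not Trend Micro's own tooling: it parses a regedit export offline and reports any program that both auto-starts from the Run key and has granted itself an entry in the Windows XP SP2 / Server 2003 firewall exception list (the AuthorizedApplications\List key). The registry export and the executable names in it are constructed placeholders, not the worm's real file names.

```python
import re
from collections import defaultdict

# Constructed sample of a regedit "Export" (.reg) file covering the two keys
# this worm touches. File names below are placeholders, not real indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"sysupd"="C:\\WINDOWS\\system32\\sysupd_placeholder.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\sysupd_placeholder.exe"="C:\\WINDOWS\\system32\\sysupd_placeholder.exe:*:Enabled:sysupd"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# One "name"="data" line; .reg files escape backslashes as \\ and quotes as \"
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key header
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_autostarts(reg_text):
    """Run-key entries whose executable also appears in the firewall exception list."""
    keys = parse_reg(reg_text)
    fw_exes = {exe_name(p) for p in keys.get(FW_KEY, {})}
    return sorted((name, path) for name, path in keys.get(RUN_KEY, {}).items()
                  if exe_name(path) in fw_exes)
```

Legitimate software rarely needs both an auto-start entry and a self-granted firewall exception, so each hit is worth a manual look rather than an automatic verdict.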

It deletes specific registry entries and avoids sending email messages to addresses containing specific strings. These strings are associated with antivirus and security vendors; the worm skips them to delay detection and removal.

It also deletes a specific registry key when the system date is November 13, 2013 and onwards.

It accesses a list of Web sites to download a possibly malicious file that may further compromise system security.

Like earlier WORM_BAGLE variants, this worm also tries to remove instances of WORM_NETSKY variants from the affected system. It does so by creating mutexes whose names are mostly associated with earlier WORM_NETSKY variants.

(Note: Mutexes are named synchronization objects that prevent processes from using the same resource at the same time. Many worms, including NETSKY, check for their own mutex at startup and exit if it already exists; by creating those mutexes first, this worm prevents the WORM_NETSKY variants from running on affected systems.)


Description created: Feb. 13, 2006 10:30:30 AM GMT -0800
