W32/Bagle.AB@mm

Analysis


Specifics
This minor variant of Bagle.AA is a 32-bit executable with a packed file size of 19,968 bytes or more: the first 19,968 bytes (through hex offset 0x4dff) are the virus body, and the virus may append garbage or random data beyond that point. The threat contains code to contact a hard-coded web address, possibly to post infection data, and to send itself by email to others. On an infected system, these files may exist in the System or System32 folder -

drvddll.exe - 19,968+ bytes - copy of the virus
drvddll.exeopen - 19,968+ bytes - copy of the virus
drvddll.exeopenopen - 21,508+ bytes - control panel applet [.CPL] format of the virus

The virus may send itself as a .SCR, .PIF, .CPL or .EXE file attachment. Occasionally it sends itself as a .VBS or .HTA file attachment instead; if that file is opened, it writes out a copy of the virus as an encoded EXE and then runs it. The virus may also send itself as a password-protected .ZIP file, with the password given in the body text.

This variant creates several mutexes so that variants of the W32/Netsky family will not remove it. Because the mutex names resemble ones already used by Netsky variants, a Netsky variant run on the infected system will treat the Bagle process as already-present Netsky, so this variant of Bagle practically ensures that certain Netsky variants will not terminate it. These are the mutexes created -

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

'D'r'o'p'p'e'd'S'k'y'N'e't'

_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_

[SkyNet.cz]SystemsMutex

AdmSkynetJklS003

____--->>>>U<<<<--____

_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_


Application Termination Payload
When the virus is run, it enumerates the applications and processes already running in memory and closes or terminates any whose name matches a hard-coded list. The list contains numerous programs and consists mainly of security software such as firewall or antivirus applications.


Load at Windows Startup
When this virus is run, it copies itself to the System or System32 folder as "drvddll.exe" and then modifies the registry so that the copy runs at the next Windows startup -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"drvddll.exe" = C:\WINNT\System32\drvddll.exe
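The mutex names, the dropped file names and sizes, and the Run-key value above are the host-side indicators a responder would check for. The following is an added example, not code from the Fortinet page: a pure-Python triage helper that matches already-collected host data (mutex names, Run-key values, a file listing of the System32 folder) against those indicators. The collection step is assumed to be done with whatever tooling is at hand (a handle enumerator, a registry export, a directory listing); the sample data at the bottom is constructed.

```python
"""Added example (not from the Fortinet analysis): match collected host
artifacts against the Bagle.AB indicators given in the analysis."""
import ntpath
from typing import Dict, Iterable, List, Tuple

# Mutex names exactly as listed in the analysis.
BAGLE_MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}
# Dropped files and their minimum sizes (the virus appends garbage, so "at least").
DROPPED_FILES = {"drvddll.exe": 19968, "drvddll.exeopen": 19968, "drvddll.exeopenopen": 21508}
RUN_VALUE = "drvddll.exe"


def check_mutexes(observed: Iterable[str]) -> List[str]:
    """Names from a mutex/handle enumeration that match the Bagle.AB set."""
    return sorted(m for m in observed if m in BAGLE_MUTEXES)


def check_run_key(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """values: value name -> data, from HKCU\\...\\CurrentVersion\\Run."""
    hits = []
    for name, data in values.items():
        # Match either the value name or the executable name in the data.
        if name.lower() == RUN_VALUE or ntpath.basename(data).lower() == RUN_VALUE:
            hits.append((name, data))
    return hits


def check_files(listing: Dict[str, int]) -> List[Tuple[str, int, bool]]:
    """listing: file name -> size for the System/System32 folder.
    Returns (name, size, size_is_consistent) for each dropped-file name seen."""
    hits = []
    for name, size in listing.items():
        expected = DROPPED_FILES.get(name.lower())
        if expected is not None:
            hits.append((name, size, size >= expected))
    return hits


def triage(mutexes: Iterable[str], run_values: Dict[str, str],
           files: Dict[str, int]) -> Dict[str, object]:
    """Combine the three checks into one report with an overall verdict."""
    report: Dict[str, object] = {
        "mutexes": check_mutexes(mutexes),
        "run_key": check_run_key(run_values),
        "files": check_files(files),
    }
    report["infected"] = bool(report["mutexes"] or report["run_key"] or report["files"])
    return report


# Constructed sample data standing in for what a collector would return.
SAMPLE_MUTEXES = ["AdmSkynetJklS003", "Global\\LegitAppMutex", "[SkyNet.cz]SystemsMutex"]
SAMPLE_RUN = {
    "drvddll.exe": r"C:\WINNT\System32\drvddll.exe",
    "LegitApp": r"C:\Program Files\LegitApp\legit_app.exe",
}
SAMPLE_FILES = {"drvddll.exe": 23104, "drvddll.exeopenopen": 21508, "legit.dll": 741376}

if __name__ == "__main__":
    print(triage(SAMPLE_MUTEXES, SAMPLE_RUN, SAMPLE_FILES))
```

The size check is deliberately "at least", because the appended garbage makes the exact size of a given copy unpredictable; an exact-size rule would miss most infections.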


Email Spreading
When this virus is run, it harvests email addresses by searching files with specific extensions. It then constructs an email message with an infected attachment, using varied subject lines and body text. The attachment names also vary, and the attachment is at least 19,968 bytes in size. The attachment may carry an icon that makes it look like an MS Outlook message file. As with other Bagle variants, the "From" address is spoofed.


Remote Access Capability
This virus listens on TCP port 2535 for instructions from a remote attacker. It also attempts to connect to one of several web addresses, possibly posting information to a server-side script. The web addresses appear to be systems that were compromised at some point in order to host the script file. These are some of the URLs that the virus may connect to -

spiegel.de - 195.71.11.67
leipziger-messe.de - 194.25.105.210
mobile.de - 213.238.62.161
neformal.de - 81.88.34.53, 81.88.34.54
avh.de - 195.124.174.250
Goethe.de - 195.127.17.194
degruyter.de - 212.87.39.252
heise.de - 193.99.144.71
autoscout24.de - 212.18.30.41
russische-botschaft.de - 212.227.118.97
bmbf.de - 213.144.21.70
hamann-motorsport.de - 212.227.46.140
fracht-24.de - 195.20.225.17
loveparade.de - 62.50.34.24
dalnoboyshic.de - 62.67.235.30
Deutschland.de - 194.95.176.70
ac-schnitzer.de - 217.69.78.15

Using a server-side script to log infections or the locations of malware installations is a common check-in mechanism for remote-access threats.


Miscellaneous
This virus appends garbage data beyond hexadecimal offset 0x4dff (19,968 bytes) in .EXE, .SCR and .PIF files. In .CPL files, the offset is 0x5403 (21,508 bytes). Because the appended data differs between copies, identifying samples by whole-file MD5 checksum is ineffective.
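The practical answer to the garbage-appending trick is to hash only the fixed-length body rather than the whole file. The following is an added example, not code from the Fortinet page: it takes the body lengths the analysis gives (19,968 bytes for .EXE/.SCR/.PIF, 21,508 bytes for .CPL, and the formats stated for the three dropped file names) and compares two copies by body hash. The byte strings used as samples are constructed stand-ins, not malware.

```python
"""Added example (not from the Fortinet analysis): hash the fixed-length
virus body so trailing garbage does not change the result."""
import hashlib
import os
from typing import Optional

# Body length = first byte of appended garbage: 0x4e00 = 19,968 and 0x5404 = 21,508.
BODY_LENGTH = {".exe": 0x4E00, ".scr": 0x4E00, ".pif": 0x4E00, ".cpl": 0x5404}

# The dropped copies carry no normal extension; the analysis states their formats.
DROPPED_NAME_FORMAT = {
    "drvddll.exe": ".exe",
    "drvddll.exeopen": ".exe",
    "drvddll.exeopenopen": ".cpl",
}


def body_length_for(filename: str) -> Optional[int]:
    """Body length to hash for a file name, or None if it is not a format the virus uses."""
    base = os.path.basename(filename).lower()
    fmt = DROPPED_NAME_FORMAT.get(base) or os.path.splitext(base)[1]
    return BODY_LENGTH.get(fmt)


def body_md5(data: bytes, body_len: int) -> Optional[str]:
    """MD5 of the first body_len bytes; None when the file is shorter than the body."""
    if len(data) < body_len:
        return None
    return hashlib.md5(data[:body_len]).hexdigest()


def whole_file_md5(data: bytes) -> str:
    """Ordinary whole-file MD5, shown for contrast."""
    return hashlib.md5(data).hexdigest()


def same_body(a: bytes, b: bytes, body_len: int) -> bool:
    """True when two samples share the same body regardless of trailing garbage."""
    ha, hb = body_md5(a, body_len), body_md5(b, body_len)
    return ha is not None and ha == hb


# Constructed stand-in for a 19,968-byte body, plus two copies with different garbage.
FAKE_BODY = bytes(range(256)) * (0x4E00 // 256)  # exactly 19,968 bytes
SAMPLE_A = FAKE_BODY + b"\xaa" * 1234
SAMPLE_B = FAKE_BODY + b"\x55" * 4096

if __name__ == "__main__":
    print("whole-file MD5 differs:", whole_file_md5(SAMPLE_A) != whole_file_md5(SAMPLE_B))
    print("body MD5 matches:", same_body(SAMPLE_A, SAMPLE_B, body_length_for("sample.exe")))
```

A sample shorter than the body length is reported as no match rather than hashed, since a truncated file cannot be the virus as described; the same idea applies to any family that pads after a fixed body, as long as the body length is known.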

This variant contains a short poem in its unpacked virus body -

In a difficult world
In a nameless time
I want to survive
So, you will be mine
-- Bagle Author, 29.04.04, Germany.


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, enable blocking of .PIF, .SCR, .EXE, .VBS, .HTA & .CPL files across SMTP, POP3 and IMAP - some of these extensions may need to be added to the list
  • Using the FortiGate manager, define a service using TCP port 2535 named "Bagle", then enable blocking of this port
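The attachment-blocking step above is a policy set in the FortiGate manager; the check it describes can also be expressed as code. The following is an added example, not FortiGate or FortiMail logic and not code from the page: a Python screener that flags the listed attachment types and, because this variant also ships as a password-protected ZIP with the password in the body, flags ZIP attachments whose entries have the encryption flag set or contain a blocked type. The sample message and the encrypted-ZIP fixture (a stored ZIP with the encryption bit patched into its headers, since `zipfile` cannot write encrypted archives) are constructed here.

```python
"""Added example (not from the Fortinet page): mail-gateway style screening
of attachments for the types the recommended action blocks."""
import io
import os
import zipfile
from email.message import EmailMessage
from typing import List

BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".vbs", ".hta", ".cpl"}


def zip_findings(payload: bytes) -> List[str]:
    """Inspect a ZIP attachment's central directory without extracting anything."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(payload))
    except zipfile.BadZipFile:
        return ["not a valid zip"]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
            findings.append(f"password-protected entry {info.filename}")
        if os.path.splitext(info.filename)[1].lower() in BLOCKED_EXTENSIONS:
            findings.append(f"blocked type inside zip: {info.filename}")
    return findings


def screen_message(msg: EmailMessage) -> List[str]:
    """Return one finding per suspicious attachment; an empty list means clean."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        elif ext == ".zip":
            findings.extend(f"{name}: {f}" for f in zip_findings(part.get_payload(decode=True)))
    return findings


def build_encrypted_zip(inner_name: str, content: bytes) -> bytes:
    """Constructed fixture: a stored ZIP whose local and central headers have the
    encryption flag set. The data is not really encrypted; only the header bit
    matters for the check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, content)
    raw = bytearray(buf.getvalue())
    # Flag field offset: 6 in the local file header, 8 in the central directory entry.
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(sig)
        while pos != -1:
            raw[pos + flag_off] |= 0x01
            pos = raw.find(sig, pos + 4)
    return bytes(raw)


def build_sample_message() -> EmailMessage:
    """Constructed message resembling the worm's mail shape: spoofed sender, a
    .SCR attachment, a password-protected ZIP and a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content("The archive password is 12345")  # constructed body text
    msg.add_attachment(b"MZ-constructed-not-real", maintype="application",
                       subtype="octet-stream", filename="Document.scr")
    msg.add_attachment(build_encrypted_zip("Document.exe", b"MZ-constructed-not-real"),
                       maintype="application", subtype="zip", filename="Document.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print(finding)
```

Checking the ZIP's central directory catches the password-protected variant without needing the password: the encryption flag is stored in the clear, as is each entry's file name, so a blocked type inside the archive is visible even though its contents are not.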

Telemetry

Detection Availability (product - AV database)

FortiGate - Extreme
FortiClient - Extended
FortiMail - Extended
FortiSandbox - Extended
FortiWeb - Extended
Web Application Firewall - Extended
FortiIsolator - Extended
FortiDeceptor - Extended
FortiEDR -

Version Updates (date - version - detail)

2022-09-06 - 90.05740 -
2022-07-03 - 90.03813 -