W32/Bagle.AB@mm
Analysis
Specifics
This minor variant of Bagle.AA is a 32-bit executable with a packed file size in excess of 19,968 bytes; the virus may append garbage or random data beyond hex offset 0x4dff (19,968 bytes). It contains code to access a hard-coded web address, possibly to post infection data, and to send itself by email to others. On an infected system, the following files may exist in the System or System32 folder -
drvddll.exe - 19,968+ bytes - copy of the virus
drvddll.exeopen - 19,968+ bytes - copy of the virus
drvddll.exeopenopen - 21,508+ bytes - copy of the virus in control panel applet (.CPL) format
The virus may send itself as a .SCR, .PIF, .CPL or .EXE file attachment. On occasion it may instead send itself as a .VBS or .HTA file attachment; if this file is opened, it extracts a copy of the virus as an encoded EXE and then runs it. The virus may also send itself as a password-protected .ZIP file, with the password listed in the body text.
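The following added example (not from the advisory or Fortinet) screens a MIME message for the attachment patterns described above: the executable extensions this variant uses, and a .ZIP attachment whose accompanying body text mentions a password. The messages it checks are constructed samples, and the function names are the example's own.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types the advisory says this variant uses.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".vbs", ".hta", ".cpl"}
# A password mentioned in the body beside a .ZIP attachment matches the
# password-protected archive form described above.
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)


def attachment_extension(filename: str) -> str:
    """Lower-cased final extension ('photo.jpg.scr' -> '.scr'), '' if none."""
    name = filename.lower().strip()
    return name[name.rfind("."):] if "." in name else ""


def screen_message(raw: bytes) -> list:
    """Return the reasons a message should be quarantined ([] means none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = attachment_extension(name)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        elif ext == ".zip" and PASSWORD_HINT.search(body_text):
            reasons.append(f"zip attachment with password in body text: {name}")
    return reasons


def build_message(filename: str, body: str) -> bytes:
    """Constructed test message with one attachment (not a real sample)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Re: Hello"
    m.set_content(body)
    m.add_attachment(b"MZ" + b"\x00" * 64, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The extension check looks only at the final extension, so double-extension names such as photo.jpg.scr are still caught.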
This variant creates several mutexes in an effort to avoid being removed by variants of the W32/Netsky family of viruses. By creating mutex names that resemble ones already in use by Netsky variants, this Bagle variant practically ensures that its process will not be terminated by certain Netsky variants if they are run on the infected system. These are the mutex names created -
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Application Termination Payload
If the virus is run, it seeks applications and processes already running in memory; any that match a hard-coded list are closed or terminated. The list contains numerous programs, mainly security applications such as firewall or antivirus software.
Load at Windows Startup
If this virus is run, it copies itself to the System or System32 folder as "drvddll.exe" and then modifies the registry so that it runs automatically at the next Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"drvddll.exe" = C:\WINNT\System32\drvddll.exe
Email Spreading
When this virus is run, it harvests email addresses by searching files with specific extensions. Next, it constructs an email message with an infected attachment and varied subject lines and body text. The attachment file names are also varied, and the attachment will be at least 19,968 bytes in size. The attachment may carry an icon that makes it look like an MS Outlook message file. The "From" address is spoofed, as with other Bagle variants.
Remote Access Capability
This virus opens TCP port 2535 and awaits instructions from a malicious user. It also attempts to connect to one of several web addresses and possibly post information to a server-side script. The web addresses appear to be systems that were compromised at some point in order to host the script file. The virus's hard-coded list of such addresses consists mainly of German (.de) domains.
Using a server-side script to log infections or the locations of malware installations is a common alert mechanism of remote-access threats.
Miscellaneous
This virus appends garbage data beyond hexadecimal offset 0x4dff (19,968 bytes) in .EXE, .SCR and .PIF files; in .CPL files the offset is 0x5403 (21,508 bytes). Because the appended data varies from copy to copy, identification by MD5 checksum is ineffective.
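As an added illustration (not part of the original advisory), hashing only the fixed-length prefix that precedes the garbage offset yields one stable identifier across copies whose appended junk differs, where whole-file MD5 yields a different value for each copy. The sample bodies below are constructed stand-ins of the right length, not real malware bytes, and the helper names are this example's own.

```python
import hashlib
import random

# Stable (pre-garbage) length per file type, from the advisory: garbage is
# appended beyond offset 0x4dff for .EXE/.SCR/.PIF and 0x5403 for .CPL.
STABLE_LENGTH = {"exe": 0x4E00, "scr": 0x4E00, "pif": 0x4E00, "cpl": 0x5404}


def prefix_md5(data: bytes, ext: str) -> str:
    """MD5 over only the stable prefix for the given file extension."""
    n = STABLE_LENGTH[ext.lower().lstrip(".")]
    if len(data) < n:
        raise ValueError("sample shorter than the stable prefix; not this form")
    return hashlib.md5(data[:n]).hexdigest()


def full_md5(data: bytes) -> str:
    """Whole-file MD5, which the appended garbage is meant to defeat."""
    return hashlib.md5(data).hexdigest()


def same_family(a: bytes, b: bytes, ext: str) -> bool:
    """True when two samples share the stable prefix despite different tails."""
    return prefix_md5(a, ext) == prefix_md5(b, ext)


# Constructed stand-in bodies (not real malware bytes): 19,968 bytes for the
# .EXE form and 21,508 bytes for the .CPL form.
EXE_BODY = (b"MZ" + bytes(range(256)) * 78)[:0x4E00]
CPL_BODY = EXE_BODY + b"\x90" * (0x5404 - 0x4E00)


def make_sample(seed: int, ext: str = "exe") -> bytes:
    """Constructed sample: fixed body plus seed-dependent trailing garbage."""
    body = CPL_BODY if ext.lower().lstrip(".") == "cpl" else EXE_BODY
    rng = random.Random(seed)
    garbage = bytes(rng.getrandbits(8) for _ in range(100 + 37 * seed))
    return body + garbage


if __name__ == "__main__":
    a, b = make_sample(1), make_sample(2)
    print("full MD5 differs:", full_md5(a) != full_md5(b))
    print("prefix MD5 matches:", same_family(a, b, "exe"))
```

Prefix hashing only works while the packed body before the offset stays fixed; a repacked or otherwise modified build changes the prefix hash as well.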
This variant contains a short poem in its unpacked virus body -
In a difficult
world
In a nameless time
I want to survive
So, you will be mine
-- Bagle Author, 29.04.04, Germany.
Recommended Action
- Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
- Using the FortiGate manager, enable blocking of .PIF, .SCR, .EXE, .VBS, .HTA and .CPL files across SMTP, POP3 and IMAP; some of these extensions may need to be added to the list
- Using the FortiGate manager, define a service using TCP port 2535 named "Bagle", then enable blocking of this port
Detection Availability
FortiGate - Extreme
FortiClient - Extended
FortiMail - Extended
FortiSandbox - Extended
FortiWeb - Extended
Web Application Firewall - Extended
FortiIsolator - Extended
FortiDeceptor - Extended
FortiEDR