Virus Database

I-Worm.Bagle.al

Description I-Worm.Bagle.al

Bagle.al is a worm that spreads as an email attachment and via file sharing networks.
The worm is written in Assembler.
Bagle.al is made up of 2 main components:
A ZIP file spreading as an email attachment;
the body of the worm, which is downloaded from specified websites.
Payload
The ZIP file containing the downloader is 5932 bytes in size and contains two files:
price.html
priceprice.exe
The file price.html contains a malicious script named exploit.CodeBaseExec, which automatically launches price.exe.
Price.exe is a Trojan dropper designed to install the downloader that will in turn download the body of the worm onto the victim machine. The dropper is 14848 bytes. After it is launched, the dropper copies itself into the Windows system directory under the name windirect.exe and creates the following system registry auto run key:
[HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun]
"win_upd2.exe"="%system%windirect.exe"
It then extracts and saves the downloader in the Windows system directory under the name _dll.exe and launches the downloader (the dll file is 11776 bytes). _dllexe file ends the following processes:
ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
sys_xp.exe
sysxp.exe
UPDATE.EXE
winxp.exe
Finally, the downloader attempts to download the body of the worm from one of the web sites listed in the dll files. If the worm is successfully downloaded, the Trojan launches it.
The worm component
Bagle.al is based on the source codes spread by Bagle.aa and is 19460 bytes in size.
Installation
Once Bagle.al is launched by the downloader component, it copies itself into the Windows system directory with the name windll.exe and registers the following system registry auto run key:
[HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun]
"erthgdr"="%system%windll.exe"
Bagle.al creates two additional files in the Windows system folder:
windll.exeopen
windll.exeopenopen
Propagation via email
Bagle.al scans the hard drive for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml


The worm uses a built-in SMTP server to mail copies of itself to all email addresses harvested from these files.
Infected emails
Subject:
none
Message body:
new price
price
The text is presented as an HTML page.
Attachment name (one of the below, chosen at random):
08_price.zip
new__price.zip
new_price.zip
newprice.zip
price.zip
price_08.zip
price_new.zip
price2.zip
Bagle.al can spread as a password protected ZIP file, in which case the password will be included in the body of the letter either in text or graphic form.Bagle.al will not send infected emails to recipients when the address contains any of the following text strings:
@avp.
@derewrdgrs
@eerswqe
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip


Propagation via P2P
Bagle.al scans the hard drive for files containing the text string 'shar' copies itself into all of these under the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote administration
Bagle.al opens port 80 on the local HTTP server allowing the controller to download and execute files on the infected machine.
Other
The worm component of Bagle.al is scheduled to stop functioning and slef-destruct after August 10, 2004. However, the downloader module will remain available for possible use for an unspecified period of time.

Check other viruses! Be aware! Use Antiviral Software

GGM Family

Description GGM Family

These are not dangerous memory resident parasitic viruses. They hook INT 8, 21h and write themselves to the end of .EXE files. As the first the "GGM.936" virus infect the C:DOSSMARTDRV.EXE file. Then that virus infects the files that are executed. That virus checks the file name, compares the name beginning (two letters) with the string:
sctbclf-fp

and does not infect the anti-viruses SCAN, TB*, CLEAN, F-PROT and FPROT.
"GGM.898" infects only one file - C:TESTTESTTESTTESTTEST.EXE, and seems to be a test virus.
By hooking INT 8 the viruses checks the text that is typed and echoed on the screen. When the string "givegodmode" is entered, the virus adds the string "65535". When "iamtheboss" is entered, the virus puts to the keyboard buffer: "ctty com". When the string "checkboxports" is entered, the virus writes some data to the COM1 port.

Ghh.482

Description Ghh.482

It's a dangerous memory resident parasitic virus. It hooks INT 1Ch, 21h and writes itself to the beginning of COM-files that are executed. On each timer tick (INT 1Ch) it scans the screen for the "THE GHH" string, and erases the disk sectors if that string is found.

Home