Win32.HLLM.Beagle.19802

(PE_SALITY.AE, WORM_BAGLE.DAM, Virus:Win32/Sality.M, I-Worm/Bagle.JT, PE_SALITY.AC-O, W32/Bagle.gen!Sality, Worm:Win32/Bagle.IE@mm, Win32.Bagle.FK@mm, Win32/Bagle.DT, Win32.Bagle.FL@mm, Email-Worm.Win32.Bagle.fl, New Downloader, Email-Worm.Win32.Bagle.fk, Win32/Sality, Win32/Bagle.AN, Win32.HLLP.Kuku.303a, Worm/Bagle.FJ, Win32.HLLP.Kuku.303b, TROJ_DLOADER.BOI, Win32.HLLP.Kuku.304)

Added to the Dr.Web virus database: 2006-02-04

Virus description added:

Virus Type: Mass mailing worm

Affected OS: Win95/98/Me/2000/XP

Size: 19 802 bytes

Packed by: UPX

Technical Information

  • Spreads via e-mail using its own implementation of the SMTP protocol
  • To run again after each Windows reboot, creates the registry value
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "DsplObjects" = "%System%\windspl.exe"
  • Creates the files %System%\windspl.exe and %Windir%\regisp32.exe
  • To harvest addresses for further spreading, scans the computer's hard disks for files with the following extensions:

    .wab
    .txt
    .msg
    .htm
    .shtm
    .stm
    .xml
    .dbx
    .mbx
    .mdx
    .eml
    .nch
    .mmf
    .ods
    .cfg
    .asp
    .php
    .pl
    .wsh
    .adb
    .tbb
    .sht
    .xls
    .oft
    .uin
    .cgi
    .mht
    .dhtm
    .jsp
  • Searches for folders whose names contain the substring SHAR. When such folders are found, it places copies of itself in them under the following filenames:

    Microsoft Office 2003 Crack, Working!.exe
    Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Microsoft Office XP working Crack, Keygen.exe
    Porno, sex, oral, anal cool, awesome!!.exe
    Porno Screensaver.scr
    Serials.txt.exe
    KAV 5.0
    Kaspersky Antivirus 5.0
    Porno pics arhive, xxx.exe
    Windows Sourcecode update.doc.exe
    Ahead Nero 7.exe
    Windown Longhorn Beta Leak.exe
    Opera 8 New!.exe
    XXX hardcore images.exe
    WinAmp 6 New!.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    Adobe Photoshop 9 full.exe
    Matrix 3 Revolution English Subtitles.exe
    ACDSee 9.exe
  • Contains a backdoor function: opens TCP port 6777 and listens on it for commands from a remote user.
  • Looks through the registry keys
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    to detect whether the following values are present:

    My AV
    Zone Labs Client Ex
    9XHtProtect
    Antivirus
    Special Firewall Service
    service
    Tiny AV
    ICQNet
    HtProtect
    NetDy
    Jammer2nd
    FirewallSvr
    MsInfo
    SysMonXP
    EasyAV
    PandaAVEngine
    Norton Antivirus AV
    KasperskyAVEng
    SkynetsRevenge
    ICQ Net
  • and, if such values are found, tries to delete them.
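
The persistence value, dropped files, backdoor port and the list of security-product Run values above give a compact set of host indicators. The following triage routine is an added example (not Dr.Web's tooling): it takes a snapshot of the Run key, files on disk and listening TCP ports, plus a clean-baseline list of Run value names, and reports the worm's Run entry, its executables, the TCP 6777 listener and any security-product Run values that have disappeared since the baseline. The `%System%`/`%Windir%` expansions and the sample host state are assumptions constructed for the example; `collect_run_values` reads the real key on a Windows host.

```python
"""Host triage for the persistence, backdoor and AV-tampering indicators
listed in the description above (Run value, dropped files, TCP 6777, deleted
security-product Run values). Example code, not Dr.Web's tooling."""
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WORM_RUN_VALUE = "DsplObjects"                      # from the description
WORM_FILES = (r"%System%\windspl.exe", r"%Windir%\regisp32.exe")
BACKDOOR_PORT = 6777
# Run value names the worm deletes to disable security software.
TARGETED_RUN_VALUES = frozenset({
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng",
    "SkynetsRevenge", "ICQ Net",
})
# Assumed expansions of the placeholders used in the description.
PLACEHOLDERS = {"%system%": r"c:\windows\system32", "%windir%": r"c:\windows"}


def normalize(path: str) -> str:
    """Lower-case, strip quotes, use backslashes, expand %System%/%Windir%."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    for placeholder, real in PLACEHOLDERS.items():
        p = p.replace(placeholder, real)
    return p


def collect_run_values(hive_name: str = "HKEY_CURRENT_USER") -> dict:
    """Read the Run key on a live Windows host (needs the winreg module)."""
    import winreg
    values = {}
    with winreg.OpenKey(getattr(winreg, hive_name), RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:            # no more values under the key
                break
            values[name] = str(data)
            index += 1
    return values


def triage(run_values, present_files, listening_ports, baseline_run_values):
    """Return (kind, detail) findings for the worm's host indicators.

    run_values:          {value name: data} read from the Run key
    present_files:       paths of files found on disk
    listening_ports:     TCP ports currently in LISTEN state
    baseline_run_values: Run value names recorded on a clean baseline, used to
                         spot security-product entries the worm has removed
    """
    findings = []
    worm_exes = {normalize(f) for f in WORM_FILES}
    for name, data in run_values.items():
        if name == WORM_RUN_VALUE or normalize(data) in worm_exes:
            findings.append(("run_value", f"{name} = {data}"))
    for path in sorted(present_files):
        if normalize(path) in worm_exes:
            findings.append(("file", path))
    if BACKDOOR_PORT in listening_ports:
        findings.append(("listener", f"tcp/{BACKDOOR_PORT}"))
    removed = (set(baseline_run_values) & TARGETED_RUN_VALUES) - set(run_values)
    for name in sorted(removed):
        findings.append(("deleted_run_value", name))
    return findings


# Constructed sample host state (not real telemetry), used for the demo run.
SAMPLE_RUN_VALUES = {"DsplObjects": r"%System%\windspl.exe",
                     "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = {r"C:\WINDOWS\system32\windspl.exe", r"C:\WINDOWS\notepad.exe"}
SAMPLE_PORTS = {135, 445, 6777}
SAMPLE_BASELINE = {"ctfmon", "Norton Antivirus AV"}

if __name__ == "__main__":
    # On a Windows host, replace SAMPLE_RUN_VALUES with collect_run_values().
    for kind, detail in triage(SAMPLE_RUN_VALUES, SAMPLE_FILES,
                               SAMPLE_PORTS, SAMPLE_BASELINE):
        print(f"{kind:18} {detail}")
```

The baseline comparison is what makes the AV-tampering behaviour visible: the worm leaves no trace of the deleted Run values, so only a record of what was there before can show that "Norton Antivirus AV" or "KasperskyAVEng" has gone missing.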

  • Subjects of the e-mail messages carrying the worm are chosen from the following list:

    Gwd: Msg reply
    Gwd: Hello :-)
    Gwd: Yahoo!!!
    Gwd: Thank you!
    Gwd: Thanks :)
    Gwd: Text message
    Gwd: Document
    Gwd: Incoming message
    Gwd: Incoming Message
    Gwd: Incoming Msg
    Gwd: Message Notify
    Gwd: Notification
    Gwd: Changes..
    Gwd: Update
    Gwd: Fax Message
    Gwd: Protected message
    Gwd: Protected message
    Gwd: Forum notify
    Gwd: Site changes
    Gwd: Hi
    Gwd: crypted document
  • Examples of the message body:

    Ok. Read the attach.
    Ok. Your file is attached.
    Ok. More info is in attach
    Ok. See attach.
    Ok. Please, have a look at the attached file.
    Ok. Your document is attached.
    Ok. Please, read the document.
    Ok. Attach tells everything.
    Ok. Attached file tells everything.
    Ok. Check attached file for details.
    Ok. Check attached file.
    Ok. Pay attention at the attach.
    Ok. See the attached file for details.
    Ok. Message is in attach
    Ok. Here is the file.
  • To avoid running several copies of itself at once, the worm creates the following distinctive semaphores:

    MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
    smtp_bagla_1000.

  • Does not send itself to addresses containing the following substrings:

    @hotmail
    @msn
    @microsoft
    rating@
    f-secur
    news
    update
    anyone@
    bugs@
    contract@
    feste
    gold-certs@
    help@
    info@
    nobody@
    noone@
    kasp
    admin
    icrosoft
    support
    ntivi
    unix
    bsd
    linux
    listserv
    certific
    sopho
    @foo
    @iana
    free-av
    @messagelab
    winzip
    google
    winrar
    samples
    abuse
    panda
    cafee
    spam
    pgp
    @avp.
    noreply
    local
    root@
    postmaster@
  • Attachments are files with a double extension.
    The first extension can be one of:

    .ni
    .cfg
    .txt
    .vxd
    .def
    .dll

  • The second extension can be one of:

    .exe
    .com
    .scr

  • The attachment's base filename is chosen from the following list:

    www.cumonherface
    Details
    XXX_livebabes
    XXX_PornoUpdates
    xxxporno
    fuck_her
    Info
    Common
    MoreInfo
    Message
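
The subject list, the "Ok. ..." body template and the base-name/first-extension/second-extension scheme for attachments together describe the lure well enough to filter on. The classifier below is an added example (not Dr.Web's tooling) of how a mail gateway could score a message against that profile: it parses a raw message with Python's `email` package, checks the subject and body, and splits attachment names into base name and two extensions, blocking exact matches of the worm's naming scheme and flagging any other executable hidden behind a double extension for review. The sample messages are constructed with `build_sample` and the addresses in them are placeholders.

```python
"""Mail-gateway classifier for the lure profile described above: subjects,
"Ok." message bodies and double-extension attachment names. Example code,
not Dr.Web's tooling; the sample messages are constructed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

SUBJECTS = frozenset({
    "Gwd: Msg reply", "Gwd: Hello :-)", "Gwd: Yahoo!!!", "Gwd: Thank you!",
    "Gwd: Thanks :)", "Gwd: Text message", "Gwd: Document",
    "Gwd: Incoming message", "Gwd: Incoming Message", "Gwd: Incoming Msg",
    "Gwd: Message Notify", "Gwd: Notification", "Gwd: Changes..",
    "Gwd: Update", "Gwd: Fax Message", "Gwd: Protected message",
    "Gwd: Forum notify", "Gwd: Site changes", "Gwd: Hi",
    "Gwd: crypted document",
})
ATTACH_BASENAMES = frozenset(n.lower() for n in (
    "www.cumonherface", "Details", "XXX_livebabes", "XXX_PornoUpdates",
    "xxxporno", "fuck_her", "Info", "Common", "MoreInfo", "Message"))
FIRST_EXTS = frozenset({".ni", ".cfg", ".txt", ".vxd", ".def", ".dll"})
SECOND_EXTS = frozenset({".exe", ".com", ".scr"})
BODY_RE = re.compile(r"^Ok\.\s")      # every listed body starts with "Ok. "


def split_double_extension(filename: str):
    """'Details.cfg.exe' -> ('details', '.cfg', '.exe'); None without a double extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3 or not all(parts):
        return None
    base, first, second = parts
    return base, "." + first, "." + second


def classify(raw_message: str) -> dict:
    """Score one raw RFC 5322 message; returns {'verdict', 'reasons'}."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    lure = False      # subject or body matches the worm's templates
    dropper = False   # attachment name matches the worm's naming scheme

    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"subject {subject!r} is in the worm's list")
        lure = True
    elif subject.startswith("Gwd:"):
        reasons.append("subject uses the worm's 'Gwd:' prefix")
        lure = True

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if BODY_RE.match(body.lstrip()):
        reasons.append("body follows the 'Ok. ...' template")
        lure = True

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        split = split_double_extension(name)
        if split is None:
            continue
        base, first, second = split
        if second not in SECOND_EXTS:
            continue
        if base in ATTACH_BASENAMES and first in FIRST_EXTS:
            reasons.append(f"attachment {name!r} matches the worm's naming scheme")
            dropper = True
        else:
            reasons.append(f"attachment {name!r} hides an executable behind a double extension")

    if dropper or (lure and any(r.startswith("attachment") for r in reasons)):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Construct a raw message with one binary attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"          # placeholder address
    msg["To"] = "recipient@example.invalid"         # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00placeholder bytes\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for args in (("Gwd: Incoming message", "Ok. See attach.", "Details.cfg.exe"),
                 ("Re: meeting", "Slides attached, thanks.", "slides.pdf")):
        print(classify(build_sample(*args)))
```

The generic double-extension branch is deliberately kept separate from the exact-match branch: an attachment such as `invoice.pdf.exe` is not this worm, but the same disguise, so it is surfaced for review rather than passed silently.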

  • To update its modules, the worm checks a list of resources stored in its body.
  • System Recovery Information
    1. Boot Windows in Safe Mode.
    2. Scan the computer with Dr.Web® Scanner or the free Dr.Web® CureIt! utility, applying the "Cure" action to all infected files that are found.
    3. Restore the system registry from a backup copy.

    Important! Immediately before performing step 2, configure the e-mail client in use so that it stores attachments as separate files rather than inside the mail database. For example, in the TheBat! e-mail client, separate storage of attachments is configured as follows:
    Account - Properties - Files & Directories - Keep attachment files - Separately in a special directory.