E-mail Subject
The subject of an e-mail with Win32/Bagle.GM is chosen from the list below.
Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Christean
Christian
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede
The name of the attached archive is also chosen from the list above. The archive contains the worm's executable file and is protected by a password, which is supplied in an attached picture.
E-mail Body
The e-mail body can begin with one of the following salutations:
To the beloved
I love you
The message continues with one of the following texts:
The password is
Password --
Use password
Password is
Zip password:
archive password:
Password -
Password:
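Mail-gateway triage based on the subject, archive name, salutation and password phrases described above, as an added example that is not part of the original description. The name set is a constructed subset of the page's list, the sample messages are made up, and the three-trait threshold is an assumption: a lone phrase such as "password is" occurs in legitimate mail and must not trigger on its own.

```python
from typing import List

# Constructed subset of the subject/archive names from the worm's list above;
# extend it with the remaining names when deploying.
BAGLE_GM_NAMES = {"Alice", "Anna", "Edward", "George", "Judith",
                  "Margaret", "Thomas", "William"}
SALUTATIONS = ("To the beloved", "I love you")
PASSWORD_PHRASES = ("The password is", "Password --", "Use password", "Password is",
                    "Zip password:", "archive password:", "Password -", "Password:")
IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")


def bagle_gm_mail_indicators(subject: str, body: str, attachments: List[str]) -> List[str]:
    """Return the Bagle.GM traits found in one message (empty list means none).

    attachments holds the attachment file names as seen by the mail gateway.
    """
    hits = []
    if subject.strip() in BAGLE_GM_NAMES:
        hits.append("subject is a name from the worm's list")
    archives = [a for a in attachments if a.lower().endswith(".zip")]
    for a in archives:
        if a[:-4] in BAGLE_GM_NAMES:
            hits.append(f"archive {a} is named from the worm's list")
    if archives and any(a.lower().endswith(IMAGE_EXTS) for a in attachments):
        hits.append("zip archive travels with a picture (the password image)")
    if body.lstrip().startswith(SALUTATIONS):
        hits.append("body opens with one of the worm's salutations")
    low = body.lower()
    if any(p.lower() in low for p in PASSWORD_PHRASES):
        hits.append("body carries one of the archive-password phrases")
    return hits


def is_suspected_bagle_gm(subject: str, body: str, attachments: List[str],
                          threshold: int = 3) -> bool:
    """Flag a message only when at least `threshold` independent traits line up."""
    return len(bagle_gm_mail_indicators(subject, body, attachments)) >= threshold


# Constructed sample messages (not real captures): one worm-style, one benign.
WORM_MAIL = ("Alice", "To the beloved\r\nThe password is in the picture.",
             ["Alice.zip", "Alice.gif"])
BENIGN_MAIL = ("Re: Password reset", "Hi,\r\nyour new password is in the portal.",
               ["agenda.pdf"])
```

`bagle_gm_mail_indicators(*WORM_MAIL)` returns five traits, while the benign message matches only the password phrase and stays below the threshold.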
Installation and Autostart Technique
Upon first execution, Win32/Bagle.GM copies itself into the directory C:\Documents and Settings\username\Application Data\hidn as "hidn.exe". In the same directory it creates "m_hook.sys", a driver that hides the worm on the system using rootkit techniques.
To be run on every system start, the worm creates the "drv_st_key" registry value in the key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Every five minutes it resets this value to "C:\Documents and Settings\username\Application Data\hidn\hidn.exe".
It also creates the file C:\error.gif, a picture containing the text "Error", and then opens it in the associated picture viewer.
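A host check for the persistence and file traces just described, as an added example that is not part of the original description: it parses a `reg export` of the Run key for the "drv_st_key" value (or any value pointing at hidn\hidn.exe) and scans a file listing for m_hook.sys and C:\error.gif. The .reg parser handles only "name"="data" (REG_SZ) lines, and the sample export, file listing and profile name "user" are constructed; because the worm rewrites the Run value every five minutes, the check is worth repeating after cleanup rather than trusting a single pass.

```python
import re
from typing import Dict, Iterable, List

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HIDN_EXE_SUFFIX = r"\application data\hidn\hidn.exe"   # compared lower-cased
M_HOOK_SUFFIX, ERROR_GIF = r"\hidn\m_hook.sys", r"c:\error.gif"  # lower-cased

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal `reg export` (.reg) file into {key: {value_name: data}}.
    Only "name"="data" (REG_SZ) lines are handled; .reg doubles backslashes, so undo that."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def bagle_gm_host_indicators(reg_text: str, present_files: Iterable[str]) -> List[str]:
    """Return the Run-key and file-system traces of Bagle.GM found in the supplied data."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if name == "drv_st_key" or data.lower().endswith(HIDN_EXE_SUFFIX):
            hits.append(f"Run value {name!r} -> {data}")
    for path in present_files:
        low = path.lower()
        if low.endswith(M_HOOK_SUFFIX) or low == ERROR_GIF:
            hits.append(f"file present: {path}")
    return hits

# Constructed sample data (not from a real infection): a .reg export of the Run key
# and a short directory listing; the profile name "user" is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drv_st_key"="C:\\Documents and Settings\\user\\Application Data\\hidn\\hidn.exe"
"""
SAMPLE_FILES = [r"C:\Documents and Settings\user\Application Data\hidn\m_hook.sys",
                r"C:\error.gif", r"C:\WINDOWS\system32\ctfmon.exe"]
```

On a live system, feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and a recursive listing of the profile directory.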
The worm tries to terminate and disable the following services:
Aavmker4
ABVPN2K
ADBLOCK.DLL
ADFirewall
AFWMCL
Ahnlab task Scheduler
alerter
AlertManger
AntiVir Service
AntiyFirewall
ARP.DLL
aswMon2
aswRdr
aswTdi
aswUpdSv
Ati HotKey Poller
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
AVEService
AVExch32Service
AvFlt
Avg7Alrt
Avg7Core
Avg7RsW
Avg7RsXP
Avg7UpdSvc
AvgCore
AvgFsh
AVGFwSrv
AvgFwSvr
AvgServ
AvgTdi
AVIRAMailService
AVIRAService
avpcc
AVUPDService
AVWUpSrv
AvxIni
awhost32
backweb client-4476822
backweb client - 4476822
BackWeb Client - 7681197
Bdfndisf
bdftdif
bdss
BlackICE
BsFileSpy
BsFirewall
BsMailProxy
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
CONTENT.DLL
DefWatch
DNSCACHE.DLL
drwebnet
dvpapi
dvpinit
ewido security suite control
ewido security suite driver
ewido security suite guard
F-Prot Antivirus Update Monitor
F-Secure Gatekeeper Handler Starter
firewall
fsbwsys
FSDFWD
FSFW
FSMA
FTPFILT.DLL
FwcAgent
fwdrv
Guard NT
HSnSFW
HSnSPro
HTMLFILT.DLL
HTTPFILT.DLL
IMAPFILT.DLL
InoRPC
InoRT
InoTask
Ip6Fw
Ip6FwHlp
KAVMonitorService
KAVSvc
KLBLMain
KPfwSvc
KWatch3
KWatchSvc
MAILFILT.DLL
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
Microsoft NetWork FireWall Services
MonSvcNT
MpfService
navapsvc
NDIS_RD
Ndisuio
Network Associates Log Service
nipsvc
NISSERV
NISUM
NNTPFILT.DLL
NOD32ControlCenter
NOD32krn
NOD32Service
Norman NJeeves
Norman Type-R
Norman ZANDA
Norton AntiVirus Server
NPDriver
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
OfcPfwSvc
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVAGENTE
PavAtScheduler
PAVDRV
PAVFIRES
PAVFNSVR
Pavkre
PavProc
PavProt
PavPrSrv
PavReport
PAVSRV
PCC_PFW
PCCPFW
PersFW
Personal Firewall
POP3FILT.DLL
PREVSRV
PROTECT.DLL
PSIMSVC
qhwscsvc
Quick Heal Online Protection
ravmon8
RfwService
SAVFMSE
SAVScan
SBService
SECRET.DLL
SharedAccess
schscnt
SmcService
SNDSrvc
SPBBCSvc
SpiderNT
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
T_H_S_M
The_Hacker_Antivirus
tm_cfw
Tmntsrv
TmPfw
tmproxy
tmtdi
V3MonNT
V3MonSvc
Vba32ECM
Vba32ifs
Vba32Ldr
Vba32PP3
VBCompManService
VexiraAntivirus
VFILT
VisNetic AntiVirus Plug-in
vrfwsvc
vsmon
VSSERV
WinAntivirus
WinRoute
wscsvc
wuauserv
xcomm
E-mail Addresses Harvesting
E-mail addresses for further spreading are harvested from local files with one of the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
Addresses containing one of the following strings are avoided:
..
.@
@.
@avp.
@foo
@iana
@messagelab
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
Other Information
Every two hours the worm tries to download a file from one of 99 addresses. The file is saved as "%system%\re_file.exe" and then executed.
NOD32 detected the Win32/Bagle.GM worm using advanced heuristics, without a signature update.
A signature for Win32/Bagle.GM was added in version 1.822.
