Trend report
=====================================================
WORM_BAGLE.CG
File type: PE
Memory resident: Yes
Size of malware: Varies
Initial samples received on: Aug 12, 2005
Related to: TROJ_BAGLE.BI
--------------------------------------------------------------------------------
Payload 1: Deletes a registry entry
Trigger condition 1: System date is later than April 12, 2008
--------------------------------------------------------------------------------
Payload 2: Prevents NETSKY variants from running on the affected machine
Trigger condition 1: Upon execution
--------------------------------------------------------------------------------
Payload 3: Downloads files
Trigger condition 1: Upon execution
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Details:
Installation and Registry Modification
This memory-resident worm usually arrives on a system as a file downloaded by another malware, such as TROJ_BAGLE.BI.
Upon execution, it drops a copy of itself in the Windows system folder as the file SVC23.EXE. It then creates the following registry keys and entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Ru1n
erthgdr2 = "%System%\svc23.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ru1n
erthgdr2 = "%System%\svc23.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\
Windows\CurrentVersion\Ru1n
erthgdr2 = "%System%\svc23.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)
Because the worm writes its autostart value under the misspelled key Ru1n rather than Run, Windows never reads the entry at logon, so the worm does not automatically execute whenever the system is restarted. The dropped file SVC23.EXE and the inert Ru1n entries are nevertheless left on the system.
Mass-mailing Routine
Like other BAGLE variants, this memory-resident worm relies on a Trojan downloader to propagate: it uses its own SMTP engine to mass-mail copies of TROJ_BAGLE.BI to target recipients, and that Trojan in turn downloads a copy of this worm onto the systems it infects.
The email message it sends out contains the following details:
From: {spoofed}
Subject: {blank}
Message body: (any of the following)
• Password:
• The password is
Attachment: (a copy of the Trojan using any of the following file names, followed by a .RAR or a .ZIP extension)
• Increase_in_the_tax
• Taxes
• The_reporting_of_taxes
• The_taxation
• To_reduce_the_tax
• Work and taxes
(Note: The archive file contains an executable file named TAXES.EXE, which is a copy of TROJ_BAGLE.BI.)
Notably, the Trojan attachment uses tax-related file names as a timely social engineering lure, since the extended deadline for filing US tax returns falls on August 15, 2005.
The worm avoids sending email messages to addresses that contain any of the following strings, which screen out antivirus vendors and abuse, support and similar administrative mailboxes:
@avp.
@derewrdgrs
@eerswqe
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
linux
listserv
nobody@
noone@
ntivi
panda
rating@
samples
sopho
support
update
winrar
winzip
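The gateway-side view of the mass-mailing routine above, as an added example that is not part of the original report: the first function reproduces the worm's own recipient filter, which is why abuse@, admin@ and vendor mailboxes never receive this lure and are poor places to wait for a sample; the second scores a message against the three visible indicators (blank subject, body opening with the password lure, tax-named .rar/.zip attachment) and quarantines only when all three are present. The messages are constructed here for the demonstration, not captured samples, and the addresses and archive bytes are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators transcribed from the description above.
BODY_LURES = ("Password:", "The password is")
ATTACHMENT_STEMS = {
    "increase_in_the_tax", "taxes", "the_reporting_of_taxes",
    "the_taxation", "to_reduce_the_tax", "work and taxes",
}
ARCHIVE_EXTS = {"rar", "zip"}
AVOID_SUBSTRINGS = (
    "@avp.", "@derewrdgrs", "@eerswqe", "@iana", "@messagelab", "@microsoft",
    "abuse", "admin", "anyone@", "bugs@", "cafee", "certific", "contract@",
    "f-secur", "feste", "free-av", "gold-certs@", "google", "help@",
    "icrosoft", "info@", "linux", "listserv", "nobody@", "noone@", "ntivi",
    "panda", "rating@", "samples", "sopho", "support", "update", "winrar",
    "winzip",
)


def worm_would_skip(address):
    """True if the worm's recipient filter would refuse to mail this address.
    The match is a plain case-insensitive substring test, so 'Jane@Microsoft.com'
    and 'abuse@anything' are both skipped."""
    addr = address.lower()
    return any(s in addr for s in AVOID_SUBSTRINGS)


def matches_lure(msg):
    """Return the indicator names a parsed message matches (empty list = nothing)."""
    hits = []
    # The worm leaves the subject blank: treat a missing header the same way.
    if not (msg.get("Subject") or "").strip():
        hits.append("blank-subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text.startswith(BODY_LURES):
        hits.append("password-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        if ext in ARCHIVE_EXTS and stem in ATTACHMENT_STEMS:
            hits.append("tax-archive:" + name)
    return hits


def verdict(msg):
    """Quarantine only when all three indicator kinds are present at once."""
    kinds = {h.split(":", 1)[0] for h in matches_lure(msg)}
    return "quarantine" if kinds == {"blank-subject", "password-body", "tax-archive"} else "pass"


def classify_raw(raw_bytes):
    """Entry point for a .eml taken from the mail queue."""
    return verdict(email.message_from_bytes(raw_bytes, policy=policy.default))


def build_sample(subject, body, attachment_name=None):
    """Constructed test message (placeholder addresses, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # spoofed by the worm in practice
    msg["To"] = "jane@example.invalid"
    if subject:
        msg["Subject"] = subject               # omitted to mimic the blank subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                           maintype="application", subtype="zip",
                           filename=attachment_name)
    return msg


if __name__ == "__main__":
    lure = build_sample("", "Password: 48213", "Taxes.zip")
    print(matches_lure(lure), classify_raw(lure.as_bytes()))
    for a in ("abuse@example.invalid", "jane@example.invalid"):
        print(a, "skipped by worm" if worm_would_skip(a) else "would be mailed")
```

The attachment check keys on the file name only; pairing it with an archive listing that finds TAXES.EXE inside (as the note above describes) would make the rule tighter, but the three header-level indicators already separate this lure from ordinary password-protected archives.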
Registry Deletion
This worm deletes entries associated with antivirus and security applications from the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Ru1n
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ru1n
The following are the registry entries it deletes from the abovementioned keys:
9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex
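A triage check that covers both the Installation section above and this deletion list, added here as an example and not taken from the report: it parses a `reg export` of the CurrentVersion keys, reports every value pointing at svc23.exe together with whether its key is one Windows actually consults at logon (the misspelled Ru1n is not, which is why the worm does not survive a reboot), and diffs a clean baseline of value names against the current export so that a removed entry on the deletion list is reported under whichever key it vanished from. The export text and the baseline are constructed for the demonstration, not real captures.

```python
import re

# Value names the worm deletes (transcribed from the list above).
WORM_DELETES = {
    "9XHtProtect", "Antivirus", "EasyAV", "FirewallSvr", "HtProtect", "ICQ Net",
    "ICQNet", "Jammer2nd", "KasperskyAVEng", "MsInfo", "My AV", "NetDy",
    "Norton Antivirus AV", "PandaAVEngine", "service", "SkynetsRevenge",
    "Special Firewall Service", "SysMonXP", "Tiny AV", "Zone Labs Client Ex",
}

# Keys Windows reads at logon; a look-alike such as "Ru1n" is inert.
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Minimal parser for `reg export` output: {key: {value name: string data}}.
    Only REG_SZ values are handled, which is all the Run keys hold. reg export
    writes UTF-16LE with a BOM, so decode the file with 'utf-16' first."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_LINE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current and (m := VALUE_LINE.match(line)):
            name, data = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
            keys[current][name] = data
    return keys


def find_dropper_values(keys, dropper="svc23.exe"):
    """(key, value name, data, is_real_autostart_key) for every value naming the dropped file."""
    hits = []
    for key, values in keys.items():
        for name, data in values.items():
            if dropper in data.lower():
                hits.append((key, name, data, bool(AUTOSTART_KEY.search(key))))
    return hits


def removed_from_baseline(keys, baseline):
    """For each key in a clean-export baseline {key: {value names}}, the names on
    the worm's deletion list that are no longer present in the current export."""
    removed = {}
    for key, names in baseline.items():
        gone = sorted((set(names) - set(keys.get(key, {}))) & WORM_DELETES)
        if gone:
            removed[key] = gone
    return removed


# Constructed post-infection export (not a real capture): AV entries are gone
# from the Run keys and the worm's value sits under the misspelled Ru1n keys.
POST_INFECTION_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
"erthgdr2"="C:\\WINDOWS\\System32\\svc23.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n]
"erthgdr2"="C:\\WINDOWS\\System32\\svc23.exe"
'''

# Value names recorded from the same machine before infection (constructed).
CLEAN_BASELINE = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
        {"ctfmon.exe", "KasperskyAVEng", "Zone Labs Client Ex"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run":
        {"MSMSGS", "ICQ Net"},
}


def triage(export_text=POST_INFECTION_EXPORT, baseline=CLEAN_BASELINE):
    keys = parse_reg_export(export_text)
    hits = find_dropper_values(keys)
    return {
        "dropper_values": hits,
        "persistent": any(auto for *_, auto in hits),
        "removed_entries": removed_from_baseline(keys, baseline),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage())
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" cv.reg` produces the input; the same command run before an incident (or on a known-clean build) supplies the baseline. A value under Ru1n with `persistent` false still means the dropped binary is on disk and the process that wrote it was resident at the time.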
File Download
This worm attempts to download the file RE_FILE.EXE from the following Web sites:
http://lo{BLOCKED}a2/s1.php
http://lo{BLOCKED}a2/s3.php
It also attempts to download the file EML.EXE from the following URLs:
http://ame{BLOCKED}kansk-bulldog.dk/images/web.php
http://car{BLOCKED}oodcontracting.com/2/web.php
http://cli{BLOCKED}hare.com/images/web.php
http://cpt{BLOCKED}.com/2/web.php
http://cre{BLOCKED}ionesartisticasandaluza...bovedas/web.php
http://dgg{BLOCKED}phicsonline.com/images/web.php
http://dir{BLOCKED}teenhuis.nl/images/web.php
http://doe{BLOCKED}er-torbau.de/images/web.php
http://dor{BLOCKED}vis.com/images/web.php
http://dow{BLOCKED}iththesickness.com/images/web.php
http://dre{BLOCKED}decor.com.pl/images/web.php
http://dun{BLOCKED}ec.zakliczyn.pnth.net/dunajec/web.php
http://eks{BLOCKED}ine.com/images/web.php
http://ess{BLOCKED}line.us/images/web.php
http://eve{BLOCKED}peopleforyou.com/help/web.php
http://fal{BLOCKED}nframingco.com/images/web.php
http://fam{BLOCKED}iasmaltratadas.com/images/web.php
http://fib{BLOCKED}design.co.uk/images/web.php
http://fib{BLOCKED}feed.com/images/web.php
http://fin{BLOCKED}ngmodels.net/images/web.php
http://fpc{BLOCKED}.org/images/web.php
http://fye{BLOCKED}.com/lyra/web.php
http://gam{BLOCKED}py.cz/images/web.php
http://gol{BLOCKED}mira.com/test/web.php
http://got{BLOCKED}mk.ua/images/web.php
http://lig{BLOCKED}ichangueras.cl/images/web.php
http://phd{BLOCKED}mark.dk/images/web.php
http://rep{BLOCKED}sentacion4380.net/images/web.php
However, these Web sites are already inaccessible as of this writing.
NETSKY Retaliation
Similar to earlier BAGLE variants, this worm also prevents the execution of NETSKY worm variants on the affected system by creating the following mutexes:
'D'r'o'p'p'e'd'S'k'y'N'e't'
[SkyNet.cz]SystemsMutex
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
____--->>>>U<<<<--____
AdmSkynetJklS003
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
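To tell whether one of these markers is currently held on a machine, the following added example (not from the report) probes each name with the Win32 OpenMutexW call. A hit means some resident process created that NETSKY mutex, whether a NETSKY variant itself or a BAGLE variant blocking it, so the result is a trigger for a process and disk check rather than a verdict on which family is present. The probe function is injectable so the selection logic can be exercised with a stub off Windows; the access mask and error codes are the standard Win32 values.

```python
import ctypes
import sys

# NETSKY mutex names the worm creates (transcribed from the list above).
NETSKY_MUTEXES = (
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "[SkyNet.cz]SystemsMutex",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "____--->>>>U<<<<--____",
    "AdmSkynetJklS003",
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
)

SYNCHRONIZE = 0x00100000        # least-privileged access right that still opens a mutex
ERROR_FILE_NOT_FOUND = 2
ERROR_ACCESS_DENIED = 5


def win32_mutex_exists(name):
    """Probe a named mutex in the caller's session via OpenMutexW (Windows only).
    ACCESS_DENIED still proves the object exists (it is simply held with a
    restrictive DACL); only FILE_NOT_FOUND means it is absent."""
    if sys.platform != "win32":
        raise RuntimeError("OpenMutexW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    err = ctypes.get_last_error()
    if err == ERROR_ACCESS_DENIED:
        return True
    if err == ERROR_FILE_NOT_FOUND:
        return False
    raise ctypes.WinError(err)


def find_resident_mutexes(names=NETSKY_MUTEXES, probe=win32_mutex_exists):
    """Names from `names` that a probe reports as existing, in list order.
    `probe` defaults to the real Win32 check and can be replaced by a stub."""
    return [n for n in names if probe(n)]


if __name__ == "__main__":
    found = find_resident_mutexes()
    print("resident NETSKY/BAGLE mutexes:", found or "none")
```

These names carry no `Global\` prefix, so on a multi-session system they live in the creating session's local object namespace; run the probe from the logged-on user's session rather than from a service, or it will report nothing.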
Other Details
If the system date is later than April 12, 2008, this worm attempts to delete the following registry entry before terminating itself:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ru1n
erthgdr2 = "%System%\svc23.exe"
It runs on Windows 98, ME, NT, 2000, and XP.
Analysis By: Alvin Jethro Calderon Bacani
Revision History:
First pattern file version: 2.777.00
First pattern file release date: Aug 12, 2005
=====================================================
My computer is affected by the taxes file I received on 12 August, but this one is different.
It created a file named winshost.exe at "c:\windows\system32\"
and changed the registry
"HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run"
"HKEY_USER\**********\Software\Microsoft\
Windows\CurrentVersion\Run"