Bagz.G worm variant was found on November 2nd, 2004. The first report from the field was received from Japan. The worm spreads itself in emails with various subject and body texts. The attachment is either an executable file or a ZIP archive. Additionally the worm drops a Growom proxy trojan variant.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Bagz.G worm spreads in emails inside a dropper. When the dropper's file is run, it drops 2 files in Windows System folder:
sysinfo32.exe trace32.exe
The 'sysinfo32.exe' is a Growom proxy trojan variant. The 'trace32.exe' file is the main component of the worm. It attempts to start as a service. After being started, this component creates another file in Windows System folder:
sqlssl.doc [lots of spaces] .exe
This file is the copy of the worm's dropper (can be different in size) that will be used for spreading.
Before spreading the worm looks for victims' email addresses. To collect addresses the worm scans files with the following extensions:
.TBB .tbb .TBI .tbi .DBX .dbx .HTM .htm .TXT .txt
The worm ignores email addresses if they contain any of the following substrings:
@avp @foo @iana @messagelab @microsoft abuse admin administrator@ all@ anyone@ bsd bugs@ cafee certific certs@ contact@ contract@ f-secur feste free-av gold- gold-certs@ google help@ hostmaster@ icrosoft info@ kasp linux listserv local netadmin@ news nobody@ noone@ noreply ntivi panda postmaster@ rating@ root@ samples sopho spam support support@ unix update webmaster@ winrar winzip
The worm uses its own SMTP engine to send emails. The subject of an infected email is selected from the following variants:
Allert! re: order re: please re: Andrey Vasia text Warning Administrator best regards waiting attach attachments Amirecans Russian's Hello Have a nice day office Money contract toxic urgent Read this please responce ASAP
The body of an infected email is selected from the following variants:
Hi Did you get the previous document I attached for you? I resent it in this email just in case, because I really need you to check it out asap. Best Regards
--- or ---
Hi I made a mistake and forgot to click attach on the previous email I sent you. Please give me your opinion on this opportunity when you get a chance. Best Regards
--- or ---
Hi I was supposed to send you this document yesterday. Sorry for the delay, please forward this to your family if possible. It contains important info for both of you.
--- or ---
Hi Sorry, I forgot to send an important document to you in that last email. I had an important phone call. Please checkout attached doc file when you have a moment. Best Regards
--- or ---
Hi I was in a rush and I forgot to attach an important document. Please see attached doc file. Best Regards,
--- or ---
Sorry to bother you, but I am having a problem receiving your emails. I am responding to your last email in the attached file. Please get back to me if there is any problem reading the attachment.
--- or ---
I am responding to your last email in the attached file. I had a delivery problem with your inbox, so maybe you'll receive this now.
--- or ---
Can you please check out the email I have attached? For some reason, I received only part of your last several emails. I want to make sure that there are no problems with either of our accounts.
--- or ---
This email is being sent as attachment because it was previously blocked by your email filters. Please view the attachment and respond. Thanks
--- or ---
I resent this email as attachment because it was previously blocked by your email filters. Please read the attachment and respond. Thanks
--- or ---
I apologize, but I need you to verify that I have the correct contact info for you. My system crashed last weekend and I lost most of my friends and work contacts. Please check the attached (.pdf) and please let me know if your info is current.
--- or ---
My last email to you was returned. The reason is that I am not currently added to your allowed contact list. Please add my updated contact info provided in the attached (.pdf) file so I can send you emails in the future. Sincerely
--- or ---
I have updated my email address See the (.pdf) file attached and please respond if you have any questions.
--- or ---
We have made recent updates to our database. Please verify your mailing address on file is correct. We have attached a (.pdf) sheet for you to use for your response.
--- or ---
Hello Our contact information has changed. See the attached (.pdf) sheet for details. Sincerely,
--- or ---
***URGENT: SERVICE SHUTDOWN NOTICE*** Due to your failure to comply with our email Rules and Regulations, your email account has been temporarily suspended for 24 hours unless we are contacted regarding this situation. You must read the attached document for further instructions. Failure to comply will result in termination of your account. Regards, Net Operator ***URGENT: SERVICE SHUTDOWN NOTICE***
--- or ---
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!*** You are currently unable to send emails. This may be a billing issue. Please call the billing center. The # for the billing office is located in the attached contact list for your convenience. ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
--- or ---
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM*** Hello, The previous email you sent has been recognized as spam. This means your email was not delivered to your friend or client. You must open the attached file to receive more information. ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
--- or ---
Hello, What version of windows you are using? This last document I received from you came out weird. Please see the attached word file and resend the file to me. Many thanks, User
--- or ---
Hello, My PC crashed while I was sending that last email. I have re-attached the document of yours that I discovered. Please read attached document and respond ASAP. Sincerely, User
--- or ---
Hello, Your email was sent in an INVALID format. To verify this email was sent from you, simply open the attached email (.eml) file and click yes in the sender options box. Thank You, User
--- or ---
Hello, Your email was received. YOUR REPLY IS URGENT! Please view the attached text file for instructions. Regards, User
--- or ---
Hello, I was in a hurry and I forgot to attach an important document. Please see attached. Best Regards, User
--- or ---
Hello, I resent this email as attachment because it was previously blocked by your email filters. Please read the attachment and respond. Thanks,User
--- or ---
Hello, Sorry, I forgot to attach the new contact information. Please view the attached (.pdf) contact sheet. Sincerely, User
The worm attaches its body to email messages that it sends out. The infected attachment name is selected from the following variants:
docs.zip documentation.zip ataches.zip zip.zip rar.zip save.zip outbox.zip inbox.zip manual.zip archives.zip payment.zip photos.zip help.zip readme.zip about.zip archivator.zip admin.zip backup.zip docs.doc [lots of spaces] .exe documentation.doc [lots of spaces] .exe ataches.doc [lots of spaces] .exe zip.doc [lots of spaces] .exe rar.doc [lots of spaces] .exe save.doc [lots of spaces] .exe outbox.doc [lots of spaces] .exe inbox.doc [lots of spaces] .exe manual.doc [lots of spaces] .exe archives.doc [lots of spaces] .exe payment.doc [lots of spaces] .exe photos.doc [lots of spaces] .exe help.doc [lots of spaces] .exe readme.doc [lots of spaces] .exe about.doc [lots of spaces] .exe archivator.doc [lots of spaces] .exe admin.doc [lots of spaces] .exe backup.doc [lots of spaces] .exe
When the worm sends itself in a ZIP archive, the worm's file is stored in that archive in a non-compressed format.
The worm overwrites the HOSTS file to block access from an infected computer to the following sites:
ad.doubleclick.net ad.fastclick.net ads.fastclick.net ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net banner.fastclick.net banners.fastclick.net ca.com click.atdmt.com clicks.atdmt.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net fastclick.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com media.fastclick.net msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.fastclick.net www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.ru www3.ca.com
The worm checks the whole Registry and deletes all key values associated with the following files:
mpfagent.exe mpfconsole.exe mpfservice.exe mpftray.exe mpfui.dll mpfupdchk.dll mpfwizard.exe mvtx.exe dunzip32.dll mcappins.exe mcinfo.exe mghtml.exe 804mbd1.chk 804mbd1.img appinit.ini ashldres.dll edisk.dll emscnres.dll ftscnres.dll imscnbin.inf imscnres.inf mcavtsub.dll mcmnhdlr.exe mcscan32.dll mcshield.exe mcurial.dll mcvsctl.dll mcvsescn.exe mcvsftsn.exe mcvsmap.exe mcvsrte.exe mcvsscrp.dll mcvsshl.dll mcvsshld.exe mcvsskt.dll mcvsworm.dll naiann.dll naievent.dll ntclient.dll outscan.dll outscres.dll patchw32.dll scan.dat scanserv.dll scrpres.dll scrpsbin.inf scrstres.inf shextbin.inf shextres.inf shlres.dll vsagntui.dll mcshield.dll vsoui.dll vsoupd.dll vsowow.dll wormres.dll alert.zap email.zap filter.zap firewall.zap framewrk.dll idlock.zap programs.zap security.zap tutorwiz.dll zatutor.exe zauninst.exe zav.zap zlclient.exe zl_priv.htm zonealarm.exe camupd.dll cerbprovider.pvx ssleay32.dll vsavpro.dll vsdb.dll vsmon.exe vsruledb.dll vsvault.dll zlparser.dll aboutplg.dll apwcmdnt.dll apwutil.dll avcompbr.dll avres.dll bootwarn.exe ccavmail.dll ccimscan.dll ccimscn.exe cfgwiz.exe cfgwzres.dll defalert.dll djsalert.dll ltchkres.dll n32call.dll n32exclu.dll navap32.dll navapscr.dll navapsvc.exe navapw32.dll navapw32.exe navcfgwz.dll navcomui.dll naverror.dll navevent.dll navlcom.dll navlnch.dll navlogv.dll navlucbk.dll navntutl.dll navoptrf.dll navopts.dll navprod.dll navshext.dll navstats.dll navstub.exe navtasks.dll navtskwz.dll navui.dll navui.nsi navuihtm.dll navw32.exe navwnt.exe netbrext.dll oeheur.dll officeav.dll opscan.exe patch25d.dll probegse.dll ptchinst.dll qconres.dll qconsole.exe qspak32.dll quar32.dll quarantine quaropts.dat s32integ.dll s32navo.dll savrt.sys savrt32.dll savrtpel.sys savscan.exe scandlvr.dll scandres.dll scanmgr.dll scriptui.dll sdpck32i.dll sdsnd32i.dll sdsok32i.dll sdstp32i.dll statushp.dll symnavo.dll ashavast.exe ashbug.exe ashchest.exe ashdisp.exe ashlogv.exe ashmaisv.exe ashpopwz.exe ashquick.exe ashserv.exe ashsimpl.exe ashskpcc.exe ashskpck.exe aswboot.exe aswregsvr.exe aswupdsv.exe sched.exe persfw.exe pfwadmin.exe
Also the worm deletes all services that are associated with the files listed above.