Sophos

W32/Bagle-H

Aliases
  • W32/Bagle-H@mm
  • I-Worm.Bagle.h
  • Win32/Bagle.H
  • W32.Beagle.H@mm
  • WORM_BAGLE.H

Summary

Included in our products from April 2004 (3.80)
Protection available since 1 March 2004 17:40:00 (GMT)
Last updated 1 March 2004 19:48:42 (GMT)
Detected by All Sophos products

More Information

NOTE: W32/Bagle-H sends itself as a password protected ZIP file that is detected as W32/Bagle-Zip.

W32/Bagle-H is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk. The worm searches for files with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB, TBB and SHT and uses the files to extract the recipient and the sender email addresses (therefore the sender email address is spoofed).

When run the worm copies itself to the Windows system folder as i11r54n4.exe and creates the following files in the same folder:

i1i5n1j4.exe - a DLL plugin used to load go154o.exe
go154o.exe - the main DLL component of the worm
i11r54n4.EXEOPEN - a copy of the worm in a password protected ZIP format

W32/Bagle-H adds the value:

rate.exe = <SYSTEM>\i11r54n4.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-H runs every time you log on to your computer.

Emails have the following characteristics:

Subject lines:

Hokki =)
Weah, hello! :-)
Weeeeee! :)))
Hi! :-)
:-)
:)
ello! =))
Hey, ya! =))
^_^ meay-meay!
^_^ mew-mew (-:
Hey, dude, it's me ^_^ :P

Message text:

Randomly constructed from one of the following sentences:

Argh, i don't like the plaintext :)
I don't bite, weah!
Looking forward for a response :P

and

archive password: <random_password_for_the_zip_archive>
password: <random_password_for_the_zip_archive>
password -- <random_password_for_the_zip_archive>
pass: <random_password_for_the_zip_archive>
<random_password_for_the_zip_archive> -- archive password
...btw, "<random_password_for_the_zip_archive>" is a password for archive
password for archive: <random_password_for_the_zip_archive>

Attached file (extension ZIP):

Attach
TextDocument
Readme
Msg
MsgInfo
Document
Info
AttachedFile
AttachedDocument
TextDocument
Text
TextFile
Letter
MoreInfo
Message
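A mail-gateway triage check built from the characteristics listed above, added here as an example and not part of the Sophos description: it parses a message, extracts the archive password from any of the seven documented body phrasings (so the password-protected ZIP can be opened and scanned), and scores the subject line, body and attachment name. The sample message is constructed, and the regular expressions are my rendering of the phrasings, not Sophos detection logic.

```python
import re
from email import message_from_string
# Indicators copied from the description above: subject lines and ZIP attachment name stems.
SUBJECTS = {"Hokki =)", "Weah, hello! :-)", "Weeeeee! :)))", "Hi! :-)", ":-)", ":)", "ello! =))",
            "Hey, ya! =))", "^_^ meay-meay!", "^_^ mew-mew (-:", "Hey, dude, it's me ^_^ :P"}
STEMS = {"Attach", "TextDocument", "Readme", "Msg", "MsgInfo", "Document", "Info", "AttachedFile",
         "AttachedDocument", "Text", "TextFile", "Letter", "MoreInfo", "Message"}
# The seven documented password phrasings as one alternation; exactly one group is filled on a match.
PASSWORD_RE = re.compile(
    r"^(?:archive password:|password:|password --|pass:|password for archive:) *(\S+)$"
    r'|^(\S+) -- archive password$|^\.\.\.btw, "([^"]+)" is a password for archive$', re.M)

def extract_zip_password(body):
    # Return the password stated in the body, or None when no documented phrasing is present.
    m = PASSWORD_RE.search(body)
    return next(g for g in m.groups() if g) if m else None

def assess(raw_message):
    # Parse an RFC 822 message and score it against the three mail characteristics listed above.
    msg = message_from_string(raw_message)
    body, zips = "", []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            zips.append(name)
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    password = extract_zip_password(body)
    hits = {"subject": (msg.get("Subject") or "").strip() in SUBJECTS,
            "password_in_body": password is not None,
            "named_zip": any(n[:-4] in STEMS for n in zips)}
    return {"hits": hits, "score": sum(hits.values()), "password": password, "zips": zips}

# Constructed sample message (not a real capture); the attachment body is a placeholder.
SAMPLE = """\
Subject: Hey, ya! =))
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I don't bite, weah!
pass: q7zk2
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Readme.zip"

(archive bytes omitted)
--b1--
"""
```

A score of 3 on the constructed sample means all three characteristics matched; the recovered password is what a gateway scanner would feed to its archive handler before the attachment is checked for W32/Bagle-Zip.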

W32/Bagle-H opens up a backdoor on port 2745 and listens for connections.
If an appropriate command is received the worm attempts to download and execute a file. W32/Bagle-H also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.

W32/Bagle-H attempts to terminate several anti-virus and security related processes:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

W32/Bagle-H searches the mapped drives for folders whose names contain the string "shar". If such a folder is found, the worm copies itself to the folder using the following filenames:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

If the date is after 25 March 2005, W32/Bagle-H terminates itself and deletes all the registry entries it created when it first ran.
