M86 Security Labs

Bagle

April 17, 2009

Aliases

  • Beagle
  • Mitglieder
  • Lodeight

Comments

Bagle has been around since early 2004 when it first appeared as a mass-mailing worm. Since then, Bagle has had hundreds of variants and its behaviour is evolving. Today, a Bagle bot acts as a proxy to relay spam messages to the final destination. Spam varies depending on the control server that is relaying the spam.

Features

  • Acts as a proxy to relay spam messages
  • Listens on varying ports and waits for connections

Spamming Rate

  • Varies depending on the relaying control server.

Command and Control

Bagle connects to a list of hardcoded URLs:

It sends an HTTP request that reports its current bot status, such as the port number it is listening on and its bot identification number.

Bagle also downloads an encrypted file from one of the following URLs:

The encrypted file is saved as BAN_LIST.TXT in the Windows system folder.

Bagle acts as a spam proxy. It listens on port 20641 (the port number varies between bots), where it receives commands and spam messages from a control server. The spam emails are then relayed to their final destination.

Malware Behavior on Host

Bagle drops a copy of itself in the Windows system folder (e.g. C:\Windows\System32) using the filenames:

  • C:\WINDOWS\system32\mdelk.exe
  • C:\WINDOWS\system32\wintems.exe

To survive a reboot, it adds an autorun registry entry that starts the Bagle bot at Windows startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • german.exe = "C:\WINDOWS\system32\wintems.exe"

Bagle also creates a registry key in which its configuration is stored:

  • HKEY_CURRENT_USER\Software\DateTime4
    • uid = <random bot ID>
    • port = <port the bot is listening on>
    • wdrn = dword:00000001

In addition, Bagle creates a mutex named "555" that serves as its infection marker on the system. It intermittently sends a SYN request to Google.com to check for Internet connectivity.
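The host indicators above (dropped files, the Run value, the DateTime4 configuration key and the "555" mutex) can be checked together in one triage pass. The script below is an added example for defenders, not part of the M86 report; the file names, registry paths and mutex name are taken from the report, while the function name and the assumption that the mutex lives in the session-local namespace are this script's own. Run it as the user whose HKCU hive may hold the entries.

```powershell
# Added example: triage a Windows host for the Bagle indicators described in this report.
# Indicator values come from the report; Find-BagleIndicators is a name chosen here.
function Find-BagleIndicators {
    $found = @()

    # 1. Dropped copies in the Windows system folder
    foreach ($name in 'mdelk.exe', 'wintems.exe') {
        $path = Join-Path $env:SystemRoot "system32\$name"
        if (Test-Path -LiteralPath $path) { $found += "File present: $path" }
    }

    # 2. Autorun value named german.exe under the per-user Run key
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['german.exe']) {
        $found += "Run value german.exe -> $($run.'german.exe')"
    }

    # 3. Configuration key with uid / port / wdrn values
    $cfgKey = 'HKCU:\Software\DateTime4'
    if (Test-Path -LiteralPath $cfgKey) {
        $cfg = Get-ItemProperty -Path $cfgKey
        $found += "Config key present: $cfgKey (uid=$($cfg.uid), port=$($cfg.port), wdrn=$($cfg.wdrn))"
        # A running bot should expose the configured proxy port as a TCP listener.
        if ($cfg.port) {
            $listener = Get-NetTCPConnection -State Listen -LocalPort ([int]$cfg.port) -ErrorAction SilentlyContinue
            if ($listener) { $found += "Listener on port $($cfg.port), PID $($listener.OwningProcess)" }
        }
    }

    # 4. Infection-marker mutex "555": OpenExisting succeeds only while a process holds it.
    #    Assumes the session-local namespace (the report does not say whether Global\ is used).
    try {
        $m = [System.Threading.Mutex]::OpenExisting('555')
        $m.Dispose()
        $found += 'Mutex "555" exists'
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # mutex not present
    } catch [System.UnauthorizedAccessException] {
        $found += 'Mutex "555" exists (access denied)'
    }

    return $found
}

$hits = Find-BagleIndicators
if ($hits.Count) { $hits | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No Bagle indicators found' }
```

Get-NetTCPConnection requires the NetTCPIP module (Windows 8 / Server 2012 and later); on older systems replace that check with netstat output.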

Last Reviewed: June 5, 2009 by Rodel Mendrez