W32/Bagz.D@mm

Analysis

  • Creates a copy of itself in the System folder as sysboot.doc[SPACES].exe.
    Note: [SPACES] refers to several space characters.
  • Drops the following files to the System folder:
    • run32.exe : a component of the worm which Fortinet detects as W32/Growom.B!tr
    • rpc32.exe : a component of the worm which Fortinet detects as W32/Bagz.C@mm
    • jobdb.dll : data file used by the worm. This is not malicious.
    • ipdb.dll : data file used by the worm. This is not malicious.
    • wdate.dll : data file used by the worm. This is not malicious.

    Autostart Mechanism
  • Creates the service RPC32 with the following properties:
    Display Name: Network Explorer
    Image Path: [SYSTEM]\rpc32.exe
    Description: Starts and configures accessibility tools from one window
    Note: [SYSTEM] refers to the System folder.

    Email Propagation
  • The virus harvests email addresses from the Windows Address Book and from files with one of these extensions:
    • .TBB
    • .tbb
    • .TBI
    • .tbi
    • .DBX
    • .dbx
    • .HTM
    • .htm
    • .TXT
    • .txt

  • Uses its own SMTP engine to send itself to those addresses.
  • Avoids sending a copy of itself to email addresses that contain any of the following strings:
    • winzip
    • winrar
    • webmaster@
    • update
    • unix
    • support@
    • support
    • spam
    • sopho
    • samples
    • root@
    • rating@
    • postmaster@
    • pgp
    • panda
    • ntivi
    • noreply
    • noone@
    • nobody@
    • news
    • netadmin@
    • local
    • listserv
    • linux
    • kasp
    • info@
    • icrosoft
    • hostmaster@
    • help@
    • google
    • gold-certs@
    • gold-
    • free-av
    • feste
    • f-secur
    • contract@
    • contact@
    • certs@
    • certific
    • cafee
    • bugs@
    • bsd
    • anyone@
    • all@
    • administrator@
    • admin
    • abuse
    • @microsoft
    • @messagelab
    • @iana
    • @foo
    • @avp

  • The email has the following characteristics:
    Subject: one of the following:
    • ASAP
    • please responce
    • Read this
    • urgent
    • toxic
    • contract
    • Money
    • office
    • Have a nice day
    • Hello
    • Russian's
    • Amirecans
    • attachments
    • attach
    • waiting
    • best regards
    • Administrator
    • Warning
    • text
    • Vasia
    • re: Andrey
    • re: please
    • re: order
    • Allert!

    Message Body: one of the following:

    Hi
    Did you get the previous document I attached for you?
    I resent it in this email just in case, because I
    really need you to check it out asap.
    Best Regards

    Hi
    I made a mistake and forgot to click attach
    on the previous email I sent you. Please give me
    your opinion on this opportunity when you get a chance.
    Best Regards

    Hi
    I was supposed to send you this document yesterday.
    Sorry for the delay, please forward this to your family if possible.
    It contains important info for both of you.

    Attachment: One of the following:
    • backup.zip
    • admin.zip
    • archivator.zip
    • about.zip
    • readme.zip
    • help.zip
    • photos.zip
    • payment.zip
    • archives.zip
    • manual.zip
    • inbox.zip
    • outbox.zip
    • save.zip
    • rar.zip
    • zip.zip
    • ataches.zip
    • documentation.zip
    • docs.zip
    • backup.doc[SPACES].exe
    • admin.doc[SPACES].exe
    • archivator.doc[SPACES].exe
    • about.doc[SPACES].exe
    • readme.doc[SPACES].exe
    • help.doc[SPACES].exe
    • photos.doc[SPACES].exe
    • payment.doc[SPACES].exe
    • archives.doc[SPACES].exe
    • manual.doc[SPACES].exe
    • inbox.doc[SPACES].exe
    • outbox.doc[SPACES].exe
    • save.doc[SPACES].exe
    • rar.doc[SPACES].exe
    • zip.doc[SPACES].exe
    • ataches.doc[SPACES].exe
    • documentation.doc[SPACES].exe
    • docs.doc[SPACES].exe
    • sysboot.doc[SPACES].exe

    Note: [SPACES] refers to several space characters.
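
    The dropped file sysboot.doc[SPACES].exe and the attachment names above share one trick: a decoy .doc extension, a long run of spaces, then the real .exe, so that the executable extension is pushed out of view in a mail client or file dialog. The following Python is an added example, not Fortinet's code and not part of this analysis, showing how a mail gateway or file scanner could flag such names. The decoy and executable extension sets and the sample names are assumptions chosen to match the pattern described here; the check also reports unpadded double extensions, which this page does not list.

```python
import re

# Pattern for the padded double-extension trick: a decoy document
# extension, optional whitespace padding, then a real executable extension.
# The decoy and executable sets are assumptions of this example.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>doc|txt|pdf|jpg|htm)"
    r"(?P<pad>\s*)\.(?P<real>exe|scr|pif|com|bat|cmd)$",
    re.IGNORECASE,
)


def classify_attachment(name: str) -> dict:
    """Return a verdict for one attachment or dropped-file name.

    Flags names such as "readme.doc          .exe", where a decoy
    extension hides the executable one behind whitespace padding.
    Plain double extensions ("payment.doc.exe") are reported too,
    with a padding length of 0.
    """
    m = PADDED_DOUBLE_EXT.match(name)
    if not m:
        return {"name": name, "suspicious": False, "padding": 0, "reason": ""}
    pad = len(m.group("pad"))
    return {
        "name": name,
        "suspicious": True,
        "padding": pad,
        "reason": f".{m.group('decoy').lower()} decoy followed by {pad} "
                  f"whitespace characters and a .{m.group('real').lower()} extension",
    }


def scan_attachments(names):
    """Classify a batch of names and return only the suspicious verdicts."""
    return [v for v in (classify_attachment(n) for n in names) if v["suspicious"]]


# Constructed sample names modelled on the list in this analysis.
SAMPLE_NAMES = [
    "readme.doc" + " " * 40 + ".exe",
    "sysboot.doc" + " " * 12 + ".exe",
    "payment.doc.exe",
    "docs.zip",
    "report.doc",
]

if __name__ == "__main__":
    for verdict in scan_attachments(SAMPLE_NAMES):
        print(f"{verdict['name']!r}: {verdict['reason']}")
```

    The regex anchors on the final extension, so a name is judged by what the operating system will actually execute, not by the extension a user sees first; the padding length is returned so a policy can treat any non-zero padding as a hard block while logging plain double extensions for review.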
    Backdoor/Trojan Behavior
  • Prevents the infected system from connecting to update servers and various other security-related web sites by adding the following entries to the local HOSTS file:
    127.0.0.1 ad.doubleclick.net
    127.0.0.1 ad.fastclick.net
    127.0.0.1 ads.fastclick.net
    127.0.0.1 ar.atwola.com
    127.0.0.1 atdmt.com
    127.0.0.1 avp.ch
    127.0.0.1 avp.com
    127.0.0.1 avp.ru
    127.0.0.1 awaps.net
    127.0.0.1 banner.fastclick.net
    127.0.0.1 banners.fastclick.net
    127.0.0.1 ca.com
    127.0.0.1 click.atdmt.com
    127.0.0.1 clicks.atdmt.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 download.microsoft.com
    127.0.0.1 downloads.microsoft.com
    127.0.0.1 engine.awaps.net
    127.0.0.1 f-secure.com
    127.0.0.1 fastclick.net
    127.0.0.1 ftp.f-secure.com
    127.0.0.1 ftp.sophos.com
    127.0.0.1 go.microsoft.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 media.fastclick.net
    127.0.0.1 msdn.microsoft.com
    127.0.0.1 my-etrust.com
    127.0.0.1 nai.com
    127.0.0.1 networkassociates.com
    127.0.0.1 office.microsoft.com
    127.0.0.1 phx.corporate-ir.net
    127.0.0.1 secure.nai.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 service1.symantec.com
    127.0.0.1 sophos.com
    127.0.0.1 spd.atdmt.com
    127.0.0.1 support.microsoft.com
    127.0.0.1 symantec.com
    127.0.0.1 vupdate.symantec.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 vil.nai.com
    127.0.0.1 viruslist.ru
    127.0.0.1 windowsupdate.microsoft.com
    127.0.0.1 www.avp.ch
    127.0.0.1 www.avp.com
    127.0.0.1 www.avp.ru
    127.0.0.1 www.awaps.net
    127.0.0.1 www.ca.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 www.fastclick.net
    127.0.0.1 www.kaspersky.ru
    127.0.0.1 www.mcafee.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 www.nai.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 www.sophos.com
    127.0.0.1 www.symantec.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.viruslist.ru
    127.0.0.1 www3.ca.com
  • Attempts to delete all the registry values that contain one of the following strings:
    • pfwadmin.exe
    • persfw.exe
    • sched.exe
    • aswupdsv.exe
    • aswregsvr.exe
    • aswboot.exe
    • ashskpck.exe
    • ashskpcc.exe
    • ashsimpl.exe
    • ashserv.exe
    • ashquick.exe
    • ashpopwz.exe
    • ashmaisv.exe
    • ashlogv.exe
    • ashdisp.exe
    • ashchest.exe
    • ashbug.exe
    • ashavast.exe
    • symnavo.dll
    • statushp.dll
    • sdstp32i.dll
    • sdsok32i.dll
    • sdsnd32i.dll
    • sdpck32i.dll
    • scriptui.dll
    • scanmgr.dll
    • scandres.dll
    • scandlvr.dll
    • savscan.exe
    • savrtpel.sys
    • savrt32.dll
    • savrt.sys
    • s32navo.dll
    • s32integ.dll
    • quaropts.dat
    • quarantine
    • quar32.dll
    • qspak32.dll
    • qconsole.exe
    • qconres.dll
    • ptchinst.dll
    • probegse.dll
    • patch25d.dll
    • opscan.exe
    • officeav.dll
    • oeheur.dll
    • netbrext.dll
        :
        :
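
    The HOSTS entries listed under Backdoor/Trojan Behavior map vendor update and support hosts to 127.0.0.1 so that signature updates and help pages fail to load. The following Python is an added example, not Fortinet's code and not part of this analysis, that parses a hosts file and reports any entry sending a security-vendor or update domain to a loopback or null address. The watched domain suffixes are constructed from the hosts named on this page, the sinkhole address set and the sample file are assumptions of the example, and the check generalizes to any subdomain of a watched suffix.

```python
# Domain suffixes whose redirection to a non-routable address indicates
# tampering. Constructed for this example from the vendor and update hosts
# named in this analysis; extend it for your own environment.
WATCHED_SUFFIXES = (
    "microsoft.com", "symantec.com", "mcafee.com", "nai.com",
    "networkassociates.com", "sophos.com", "f-secure.com", "kaspersky.ru",
    "avp.com", "avp.ru", "avp.ch", "trendmicro.com", "ca.com",
    "my-etrust.com", "viruslist.ru",
)

# Addresses commonly used to sinkhole a name in a hosts file (assumption).
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text: str):
    """Yield (address, hostname, line_no) for every mapping in a hosts file.

    Comments (from '#' to end of line) and blank lines are ignored; a line
    may map one address to several hostnames.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower(), line_no


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a watched suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked_entries(text: str):
    """Return (hostname, address, line_no) for watched names sent to a sinkhole."""
    return [
        (name, addr, line_no)
        for addr, name, line_no in parse_hosts(text)
        if addr in SINKHOLE_ADDRESSES and is_watched(name)
    ]


# Constructed sample hosts file mixing legitimate and tampered entries.
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1 localhost
::1 localhost
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 ftp.sophos.com # tampered entry
192.168.1.10 intranet.example.invalid
127.0.0.1 ad.doubleclick.net
"""

if __name__ == "__main__":
    for name, addr, line_no in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

    To check a live Windows system, read %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts elsewhere) and pass its contents to find_hijacked_entries. The ad-network hosts on this page are deliberately absent from WATCHED_SUFFIXES, since redirecting them does not block updates, but they can be added if any loopback entry for an external name should be reported.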

Recommended Action

    FortiGate systems:
  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR

Version Updates

Date Version Detail
2023-01-17 90.09734
2022-12-12 90.08677