Skip navigation.
Home

W32/Bagle.Z alias W32/Bagle.AB Analysis

|

W32/Bagle.AB (nod32) alias W32/Bagle.Z@mm (f-prot).

Analysis : asmatx[\at/] YAH00[?] Fr

W32/Bagle.AB is an internet worm that's spreads via email and P2P.

When first run, W32/Bagle.AB will copy itself in the following folder:
[windir]\system32\drvddll.exe
[windir]\system32\drvddll.exeopen
[windir]\system32\drvddll.exeopenopen
where [windir] is the windows directory.

Registry change:
The following registry entry is set so the worm could start automatically at startup :
'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
'drvddll.exe'
'[Windir]\system32\drvddll.exe'

The worm will then check if the registry contains the following entries and will delete them:
'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

Deletes registry with following entries:

'My AV'
'Zone Labs Client Ex'
'9XHtProtect'
'Antivirus'
'Special Firewall Service'
'service'
'Tiny AV'
'ICQNet'
'HtProtect'
'NetDy'
'Jammer2nd'
'FirewallSvr'
'MsInfo'
'SysMonXP'
'EasyAV'
'PandaAVEngine'
'Norton Antivirus AV'
'KasperskyAVEng'
'SkynetsRevenge'
'ICQ Net'

Kills all running AV with the following process name:

; char Srch[]
.data:00407047 Srch db 'OUTPOST.EXE',0 ; DATA XREF: sub_401B2C+39o
.data:00407053 aNmain_exe db 'NMAIN.EXE',0
.data:0040705D aNorton_interne db 'NORTON_INTERNET_SECU_3.0_407.EXE',0
.data:0040707E aNpf40_tw_98_nt db 'NPF40_TW_98_NT_ME_2K.EXE',0
.data:00407097 aNpfmessenger_e db 'NPFMESSENGER.EXE',0
.data:004070A8 aNprotect_exe db 'NPROTECT.EXE',0
.data:004070B5 aNsched32_exe db 'NSCHED32.EXE',0
.data:004070C2 aNtvdm_exe db 'NTVDM.EXE',0
.data:004070CC aNvarch16_exe db 'NVARCH16.EXE',0
.data:004070D9 aKerioWrp421EnW db 'KERIO-WRP-421-EN-WIN.EXE',0
.data:004070F2 aKillprocessset db 'KILLPROCESSSETUP161.EXE',0
.data:0040710A aLdpro_exe db 'LDPRO.EXE',0
.data:00407114 aLocalnet_exe db 'LOCALNET.EXE',0
.data:00407121 aLockdown_exe db 'LOCKDOWN.EXE',0
.data:0040712E aLockdown2000_e db 'LOCKDOWN2000.EXE',0
.data:0040713F aLsetup_exe db 'LSETUP.EXE',0
.data:0040714A aCleanpc_exe db 'CLEANPC.EXE',0
.data:00407156 aAvprotect9x_ex db 'AVprotect9x.exe',0
.data:00407166 aCmgrdian_exe db 'CMGRDIAN.EXE',0
.data:00407173 aCmon016_exe db 'CMON016.EXE',0
.data:0040717F aCpf9x206_exe db 'CPF9X206.EXE',0
.data:0040718C aCpfnt206_exe db 'CPFNT206.EXE',0
.data:00407199 aCv_exe db 'CV.EXE',0
.data:004071A0 aCwnb181_exe db 'CWNB181.EXE',0
.data:004071AC aCwntdwmo_exe db 'CWNTDWMO.EXE',0
.data:004071B9 aIcssuppnt_exe db 'ICSSUPPNT.EXE',0
.data:004071C7 aDefwatch_exe db 'DEFWATCH.EXE',0
.data:004071D4 aDeputy_exe db 'DEPUTY.EXE',0
.data:004071DF aDpf_exe db 'DPF.EXE',0
.data:004071E7 aDpfsetup_exe db 'DPFSETUP.EXE',0
.data:004071F4 aDrwatson_exe db 'DRWATSON.EXE',0
.data:00407201 aEnt_exe db 'ENT.EXE',0
.data:00407209 aEscanh95_exe db 'ESCANH95.EXE',0
.data:00407216 aAvxquar_exe db 'AVXQUAR.EXE',0
.data:00407222 aEscanhnt_exe db 'ESCANHNT.EXE',0
.data:0040722F aEscanv95_exe db 'ESCANV95.EXE',0
.data:0040723C aAvpupd_exe db 'AVPUPD.EXE',0
.data:00407247 aExantivirusCne db 'EXANTIVIRUS-CNET.EXE',0
.data:0040725C aFast_exe db 'FAST.EXE',0
.data:00407265 aFirewall_exe db 'FIREWALL.EXE',0
.data:00407272 aFlowprotector_ db 'FLOWPROTECTOR.EXE',0
.data:00407284 aFpWin_trial_ex db 'FP-WIN_TRIAL.EXE',0
.data:00407295 aFrw_exe db 'FRW.EXE',0
.data:0040729D aFsav_exe db 'FSAV.EXE',0
.data:004072A6 aAutodown_exe db 'AUTODOWN.EXE',0
.data:004072B3 aFsav530stbyb_e db 'FSAV530STBYB.EXE',0
.data:004072C4 aFsav530wtbyb_e db 'FSAV530WTBYB.EXE',0
.data:004072D5 aFsav95_exe db 'FSAV95.EXE',0
.data:004072E0 aGbmenu_exe db 'GBMENU.EXE',0
.data:004072EB aGbpoll_exe db 'GBPOLL.EXE',0
.data:004072F6 aGuard_exe db 'GUARD.EXE',0
.data:00407300 aGuarddog_exe db 'GUARDDOG.EXE',0
.data:0040730D aHacktracersetu db 'HACKTRACERSETUP.EXE',0
.data:00407321 aHtlog_exe db 'HTLOG.EXE',0
.data:0040732B aHwpe_exe db 'HWPE.EXE',0
.data:00407334 aIamapp_exe db 'IAMAPP.EXE',0
.data:0040733F aIamapp_exe_0 db 'IAMAPP.EXE',0
.data:0040734A aIamserv_exe db 'IAMSERV.EXE',0
.data:00407356 aIcload95_exe db 'ICLOAD95.EXE',0
.data:00407363 aIcloadnt_exe db 'ICLOADNT.EXE',0
.data:00407370 aIcmon_exe db 'ICMON.EXE',0
.data:0040737A aIcsupp95_exe db 'ICSUPP95.EXE',0
.data:00407387 aIcsuppnt_exe db 'ICSUPPNT.EXE',0
.data:00407394 aIfw2000_exe db 'IFW2000.EXE',0
.data:004073A0 aIparmor_exe db 'IPARMOR.EXE',0
.data:004073AC aIris_exe db 'IRIS.EXE',0
.data:004073B5 aJammer_exe db 'JAMMER.EXE',0
.data:004073C0 aAtupdater_exe db 'ATUPDATER.EXE',0
.data:004073CE aAupdate_exe db 'AUPDATE.EXE',0
.data:004073DA aKavlite40eng_e db 'KAVLITE40ENG.EXE',0
.data:004073EB aKavpers40eng_e db 'KAVPERS40ENG.EXE',0
.data:004073FC aKerioPf213EnWi db 'KERIO-PF-213-EN-WIN.EXE',0
.data:00407414 aKerioWrl421EnW db 'KERIO-WRL-421-EN-WIN.EXE',0
.data:0040742D aBorg2_exe db 'BORG2.EXE',0
.data:00407437 aBs120_exe db 'BS120.EXE',0
.data:00407441 aCdp_exe db 'CDP.EXE',0
.data:00407449 aCfgwiz_exe db 'CFGWIZ.EXE',0
.data:00407454 aCfiadmin_exe db 'CFIADMIN.EXE',0
.data:00407461 aCfiaudit_exe db 'CFIAUDIT.EXE',0
.data:0040746E aAutoupdate_exe db 'AUTOUPDATE.EXE',0
.data:0040747D aCfinet_exe db 'CFINET.EXE',0
.data:00407488 aNavapw32_exe db 'NAVAPW32.EXE',0
.data:00407495 aNavdx_exe db 'NAVDX.EXE',0
.data:0040749F aNavstub_exe db 'NAVSTUB.EXE',0
.data:004074AB aNavw32_exe db 'NAVW32.EXE',0
.data:004074B6 aNc2000_exe db 'NC2000.EXE',0
.data:004074C1 aNcinst4_exe db 'NCINST4.EXE',0
.data:004074CD aAutotrace_exe db 'AUTOTRACE.EXE',0
.data:004074DB aNdd32_exe db 'NDD32.EXE',0
.data:004074E5 aNeomonitor_exe db 'NEOMONITOR.EXE',0
.data:004074F4 aNetarmor_exe db 'NETARMOR.EXE',0
.data:00407501 aNetinfo_exe db 'NETINFO.EXE',0
.data:0040750D aNetmon_exe db 'NETMON.EXE',0
.data:00407518 aNetscanpro_exe db 'NETSCANPRO.EXE',0
.data:00407527 aNetspyhunter1_ db 'NETSPYHUNTER-1.2.EXE',0
.data:0040753C aNetstat_exe db 'NETSTAT.EXE',0
.data:00407548 aNisserv_exe db 'NISSERV.EXE',0
.data:00407554 aNisum_exe db 'NISUM.EXE',0
.data:0040755E aCfiaudit_exe_0 db 'CFIAUDIT.EXE',0
.data:0040756B aLucomserver_ex db 'LUCOMSERVER.EXE',0
.data:0040757B aAgentsvr_exe db 'AGENTSVR.EXE',0
.data:00407588 aAntiTrojan_exe db 'ANTI-TROJAN.EXE',0
.data:00407598 aAntiTrojan_e_0 db 'ANTI-TROJAN.EXE',0
.data:004075A8 aAntivirus_exe db 'ANTIVIRUS.EXE',0
.data:004075B6 aAnts_exe db 'ANTS.EXE',0
.data:004075BF aApimonitor_exe db 'APIMONITOR.EXE',0
.data:004075CE aAplica32_exe db 'APLICA32.EXE',0
.data:004075DB aApvxdwin_exe db 'APVXDWIN.EXE',0
.data:004075E8 aAtcon_exe db 'ATCON.EXE',0
.data:004075F2 aAtguard_exe db 'ATGUARD.EXE',0
.data:004075FE aAtro55en_exe db 'ATRO55EN.EXE',0
.data:0040760B aAtwatch_exe db 'ATWATCH.EXE',0
.data:00407617 aAvconsol_exe db 'AVCONSOL.EXE',0
.data:00407624 aAvgserv9_exe db 'AVGSERV9.EXE',0
.data:00407631 aAvsynmgr_exe db 'AVSYNMGR.EXE',0
.data:0040763E aBd_professiona db 'BD_PROFESSIONAL.EXE',0
.data:00407652 aBidef_exe db 'BIDEF.EXE',0
.data:0040765C aBidserver_exe db 'BIDSERVER.EXE',0
.data:0040766A aBipcp_exe db 'BIPCP.EXE',0
.data:00407674 aBipcpevalsetup db 'BIPCPEVALSETUP.EXE',0
.data:00407687 aBisp_exe db 'BISP.EXE',0
.data:00407690 aBlackd_exe db 'BLACKD.EXE',0
.data:0040769B aBlackice_exe db 'BLACKICE.EXE',0
.data:004076A8 aBootwarn_exe db 'BOOTWARN.EXE',0
.data:004076B5 aNwinst4_exe db 'NWINST4.EXE',0
.data:004076C1 aNwtool16_exe db 'NWTOOL16.EXE',0
.data:004076CE aOstronet_exe db 'OSTRONET.EXE',0
.data:004076DB aOutpostinstall db 'OUTPOSTINSTALL.EXE',0
.data:004076EE aOutpostproinst db 'OUTPOSTPROINSTALL.EXE',0
.data:00407704 aPadmin_exe db 'PADMIN.EXE',0
.data:0040770F aPanixk_exe db 'PANIXK.EXE',0
.data:0040771A aPavproxy_exe db 'PAVPROXY.EXE',0
.data:00407727 aDrwebupw_exe db 'DRWEBUPW.EXE',0
.data:00407734 aPcc2002s902_ex db 'PCC2002S902.EXE',0
.data:00407744 aPcc2k_76_1436_ db 'PCC2K_76_1436.EXE',0
.data:00407756 aPcciomon_exe db 'PCCIOMON.EXE',0
.data:00407763 aPcdsetup_exe db 'PCDSETUP.EXE',0
.data:00407770 aPcfwallicon_ex db 'PCFWALLICON.EXE',0
.data:00407780 aPcfwallicon__0 db 'PCFWALLICON.EXE',0
.data:00407790 aPcip10117_0_ex db 'PCIP10117_0.EXE',0
.data:004077A0 aPdsetup_exe db 'PDSETUP.EXE',0
.data:004077AC aPeriscope_exe db 'PERISCOPE.EXE',0
.data:004077BA aPersfw_exe db 'PERSFW.EXE',0
.data:004077C5 aPf2_exe db 'PF2.EXE',0
.data:004077CD aAvltmain_exe db 'AVLTMAIN.EXE',0
.data:004077DA aPfwadmin_exe db 'PFWADMIN.EXE',0
.data:004077E7 aPingscan_exe db 'PINGSCAN.EXE',0
.data:004077F4 aPlatin_exe db 'PLATIN.EXE',0
.data:004077FF aPoproxy_exe db 'POPROXY.EXE',0
.data:0040780B aPopscan_exe db 'POPSCAN.EXE',0
.data:00407817 aPortdetective_ db 'PORTDETECTIVE.EXE',0
.data:00407829 aPpinupdt_exe db 'PPINUPDT.EXE',0
.data:00407836 aDrvsys_exe db 'drvsys.exe',0
.data:00407841 aPptbc_exe db 'PPTBC.EXE',0
.data:0040784B aPpvstop_exe db 'PPVSTOP.EXE',0
.data:00407857 aProcexplorerv1 db 'PROCEXPLORERV1.0.EXE',0
.data:0040786C aProport_exe db 'PROPORT.EXE',0
.data:00407878 aProtectx_exe db 'PROTECTX.EXE',0
.data:00407885 aPspf_exe db 'PSPF.EXE',0
.data:0040788E aWgfe95_exe db 'WGFE95.EXE',0
.data:00407899 aWhoswatchingme db 'WHOSWATCHINGME.EXE',0
.data:004078AC aAvwupd32_exe db 'AVWUPD32.EXE',0
.data:004078B9 aNupgrade_exe db 'NUPGRADE.EXE',0
.data:004078C6 aWhoswatching_0 db 'WHOSWATCHINGME.EXE',0
.data:004078D9 aWinrecon_exe db 'WINRECON.EXE',0
.data:004078E6 aWnt_exe db 'WNT.EXE',0
.data:004078EE aWradmin_exe db 'WRADMIN.EXE',0
.data:004078FA aWrctrl_exe db 'WRCTRL.EXE',0
.data:00407905 aWsbgate_exe db 'WSBGATE.EXE',0
.data:00407911 aWyvernworksfir db 'WYVERNWORKSFIREWALL.EXE',0
.data:00407929 aXpf202en_exe db 'XPF202EN.EXE',0
.data:00407936 aZapro_exe db 'ZAPRO.EXE',0
.data:00407940 aZapsetup3001_e db 'ZAPSETUP3001.EXE',0
.data:00407951 aZatutor_exe db 'ZATUTOR.EXE',0
.data:0040795D aCfinet32_exe db 'CFINET32.EXE',0
.data:0040796A aClean_exe db 'CLEAN.EXE',0
.data:00407974 aCleaner_exe db 'CLEANER.EXE',0
.data:00407980 aCleaner3_exe db 'CLEANER3.EXE',0
.data:0040798D aCleanpc_exe_0 db 'CLEANPC.EXE',0
.data:00407999 aCmgrdian_exe_0 db 'CMGRDIAN.EXE',0
.data:004079A6 aCmon016_exe_0 db 'CMON016.EXE',0
.data:004079B2 aCpd_exe db 'CPD.EXE',0
.data:004079BA aCfgwiz_exe_0 db 'CFGWIZ.EXE',0
.data:004079C5 aCfiadmin_exe_0 db 'CFIADMIN.EXE',0
.data:004079D2 aPurge_exe db 'PURGE.EXE',0
.data:004079DC aPview95_exe db 'PVIEW95.EXE',0
.data:004079E8 aQconsole_exe db 'QCONSOLE.EXE',0
.data:004079F5 aQserver_exe db 'QSERVER.EXE',0
.data:00407A01 aRav8win32eng_e db 'RAV8WIN32ENG.EXE',0
.data:00407A12 aRegedt32_exe db 'REGEDT32.EXE',0
.data:00407A1F aRegedit_exe db 'REGEDIT.EXE',0
.data:00407A2B aUpdate_exe db 'UPDATE.EXE',0
.data:00407A36 aRescue_exe db 'RESCUE.EXE',0
.data:00407A41 aRescue32_exe db 'RESCUE32.EXE',0
.data:00407A4E aRrguard_exe db 'RRGUARD.EXE',0
.data:00407A5A aRshell_exe db 'RSHELL.EXE',0
.data:00407A65 aRtvscn95_exe db 'RTVSCN95.EXE',0
.data:00407A72 aRulaunch_exe db 'RULAUNCH.EXE',0
.data:00407A7F aSafeweb_exe db 'SAFEWEB.EXE',0
.data:00407A8B aSbserv_exe db 'SBSERV.EXE',0
.data:00407A96 aSd_exe db 'SD.EXE',0
.data:00407A9D aSetup_flowprot db 'SETUP_FLOWPROTECTOR_US.EXE',0
.data:00407AB8 aSetupvameeval_ db 'SETUPVAMEEVAL.EXE',0
.data:00407ACA aSfc_exe db 'SFC.EXE',0
.data:00407AD2 aSgssfw32_exe db 'SGSSFW32.EXE',0
.data:00407ADF aSh_exe db 'SH.EXE',0
.data:00407AE6 aShellspyinstal db 'SHELLSPYINSTALL.EXE',0
.data:00407AFA aShn_exe db 'SHN.EXE',0
.data:00407B02 aSmc_exe db 'SMC.EXE',0
.data:00407B0A aSofi_exe db 'SOFI.EXE',0
.data:00407B13 aSpf_exe db 'SPF.EXE',0
.data:00407B1B aSphinx_exe db 'SPHINX.EXE',0
.data:00407B26 aSpyxx_exe db 'SPYXX.EXE',0
.data:00407B30 aSs3edit_exe db 'SS3EDIT.EXE',0
.data:00407B3C aSt2_exe db 'ST2.EXE',0
.data:00407B44 aSupftrl_exe db 'SUPFTRL.EXE',0
.data:00407B50 aLuall_exe db 'LUALL.EXE',0
.data:00407B5A aSupporter5_exe db 'SUPPORTER5.EXE',0
.data:00407B69 aSymproxysvc_ex db 'SYMPROXYSVC.EXE',0
.data:00407B79 aSysedit_exe db 'SYSEDIT.EXE',0
.data:00407B85 aTaskmon_exe db 'TASKMON.EXE',0
.data:00407B91 aTaumon_exe db 'TAUMON.EXE',0
.data:00407B9C aTauscan_exe db 'TAUSCAN.EXE',0
.data:00407BA8 aTc_exe db 'TC.EXE',0
.data:00407BAF aTca_exe db 'TCA.EXE',0
.data:00407BB7 aTcm_exe db 'TCM.EXE',0
.data:00407BBF aTds298_exe db 'TDS2-98.EXE',0
.data:00407BCB aTds2Nt_exe db 'TDS2-NT.EXE',0
.data:00407BD7 aTds3_exe db 'TDS-3.EXE',0
.data:00407BE1 aTfak5_exe db 'TFAK5.EXE',0
.data:00407BEB aTgbob_exe db 'TGBOB.EXE',0
.data:00407BF5 aTitanin_exe db 'TITANIN.EXE',0
.data:00407C01 aTitaninxp_exe db 'TITANINXP.EXE',0
.data:00407C0F aTracert_exe db 'TRACERT.EXE',0
.data:00407C1B aTrjscan_exe db 'TRJSCAN.EXE',0
.data:00407C27 aTrjsetup_exe db 'TRJSETUP.EXE',0
.data:00407C34 aTrojantrap3_ex db 'TROJANTRAP3.EXE',0
.data:00407C44 aUndoboot_exe db 'UNDOBOOT.EXE',0
.data:00407C51 aVbcmserv_exe db 'VBCMSERV.EXE',0
.data:00407C5E aVbcons_exe db 'VBCONS.EXE',0
.data:00407C69 aVbust_exe db 'VBUST.EXE',0
.data:00407C73 aVbwin9x_exe db 'VBWIN9X.EXE',0
.data:00407C7F aVbwinntw_exe db 'VBWINNTW.EXE',0
.data:00407C8C aVcsetup_exe db 'VCSETUP.EXE',0
.data:00407C98 aVfsetup_exe db 'VFSETUP.EXE',0
.data:00407CA4 aVirusmdpersona db 'VIRUSMDPERSONALFIREWALL.EXE',0
.data:00407CC0 aVnlan300_exe db 'VNLAN300.EXE',0
.data:00407CCD aVnpc3000_exe db 'VNPC3000.EXE',0
.data:00407CDA aVpc42_exe db 'VPC42.EXE',0
.data:00407CE4 aVpfw30s_exe db 'VPFW30S.EXE',0
.data:00407CF0 aVptray_exe db 'VPTRAY.EXE',0
.data:00407CFB aVscenu6_02d30_ db 'VSCENU6.02D30.EXE',0
.data:00407D0D aVsecomr_exe db 'VSECOMR.EXE',0
.data:00407D19 aVshwin32_exe db 'VSHWIN32.EXE',0
.data:00407D26 aVsisetup_exe db 'VSISETUP.EXE',0
.data:00407D33 aVsmain_exe db 'VSMAIN.EXE',0
.data:00407D3E aVsmon_exe db 'VSMON.EXE',0
.data:00407D48 aVsstat_exe db 'VSSTAT.EXE',0
.data:00407D53 aVswin9xe_exe db 'VSWIN9XE.EXE',0
.data:00407D60 aVswinntse_exe db 'VSWINNTSE.EXE',0
.data:00407D6E aVswinperse_exe db 'VSWINPERSE.EXE',0
.data:00407D7D aW32dsm89_exe db 'W32DSM89.EXE',0
.data:00407D8A aW9x_exe db 'W9X.EXE',0
.data:00407D92 aWatchdog_exe db 'WATCHDOG.EXE',0
.data:00407D9F aWebscanx_exe db 'WEBSCANX.EXE',0
.data:00407DAC aCfiaudit_exe_1 db 'CFIAUDIT.EXE',0
.data:00407DB9 aCfinet_exe_0 db 'CFINET.EXE',0
.data:00407DC4 aIcsupp95_exe_0 db 'ICSUPP95.EXE',0
.data:00407DD1 aMcupdate_exe db 'MCUPDATE.EXE',0
.data:00407DDE aCfinet32_exe_0 db 'CFINET32.EXE',0
.data:00407DEB aClean_exe_0 db 'CLEAN.EXE',0
.data:00407DF5 aCleaner_exe_0 db 'CLEANER.EXE',0
.data:00407E01 aLuinit_exe db 'LUINIT.EXE',0
.data:00407E0C aMcagent_exe db 'MCAGENT.EXE',0
.data:00407E18 aMcupdate_exe_0 db 'MCUPDATE.EXE',0
.data:00407E25 aMfw2en_exe db 'MFW2EN.EXE',0
.data:00407E30 aMfweng3_02d30_ db 'MFWENG3.02D30.EXE',0
.data:00407E42 aMgui_exe db 'MGUI.EXE',0
.data:00407E4B aMinilog_exe db 'MINILOG.EXE',0
.data:00407E57 aMoolive_exe db 'MOOLIVE.EXE',0
.data:00407E63 aMrflux_exe db 'MRFLUX.EXE',0
.data:00407E6E aMsconfig_exe db 'MSCONFIG.EXE',0
.data:00407E7B aMsinfo32_exe db 'MSINFO32.EXE',0
.data:00407E88 aMssmmc32_exe db 'MSSMMC32.EXE',0
.data:00407E95 aMu0311ad_exe db 'MU0311AD.EXE',0
.data:00407EA2 aNav80try_exe db 'NAV80TRY.EXE',0
.data:00407EAF aZauinst_exe db 'ZAUINST.EXE',0
.data:00407EBB aZonalm2601_exe db 'ZONALM2601.EXE',0
.data:00407ECA aZonealarm_exe db 'ZONEALARM.EXE',0
.data:00407ED8 db 0

The W32/Bagle.AB spreads via email. It has its own email engine using SMTP.
W32/Bagle.AB scans the local system to harvest email addresses and will send itself as an attachement to the found addresses.

W32/Bagle.AB will scan files with the following extension to harvest email addresses:
; char a_wab[]
.data:00409B31 a_wab db '.wab',0 ; DATA XREF: sub_404511+4o
.data:00409B36 a_txt db '.txt',0
.data:00409B3B a_msg db '.msg',0
.data:00409B40 a_htm db '.htm',0
.data:00409B45 a_shtm db '.shtm',0
.data:00409B4B a_stm db '.stm',0
.data:00409B50 a_xml db '.xml',0
.data:00409B55 a_dbx db '.dbx',0
.data:00409B5A a_mbx db '.mbx',0
.data:00409B5F a_mdx db '.mdx',0
.data:00409B64 a_eml db '.eml',0
.data:00409B69 a_nch db '.nch',0
.data:00409B6E a_mmf db '.mmf',0
.data:00409B73 a_ods db '.ods',0
.data:00409B78 a_cfg db '.cfg',0
.data:00409B7D a_asp db '.asp',0
.data:00409B82 a_php db '.php',0
.data:00409B87 a_pl db '.pl',0
.data:00409B8B a_wsh db '.wsh',0
.data:00409B90 a_adb db '.adb',0
.data:00409B95 a_tbb db '.tbb',0
.data:00409B9A a_sht db '.sht',0
.data:00409B9F a_xls db '.xls',0
.data:00409BA4 a_oft db '.oft',0
.data:00409BA9 a_uin db '.uin',0
.data:00409BAE a_cgi db '.cgi',0
.data:00409BB3 a_mht db '.mht',0
.data:00409BB8 a_dhtm db '.dhtm',0
.data:00409BBE a_jsp db '.jsp',0
.data:00409BC3 align 4
.data:00409BC4 ; char aShar[]

Email appears as coming randomly from one of the the following list:

; char a@microsoft[]
.data:004099F8 a@microsoft db '@microsoft',0 ; DATA XREF: sub_404424+4o
.data:00409A03 aRating@ db 'rating@',0
.data:00409A0B aFSecur db 'f-secur',0
.data:00409A13 aNews db 'news',0
.data:00409A18 aUpdate db 'update',0
.data:00409A1F aAnyone@ db 'anyone@',0
.data:00409A27 aBugs@ db 'bugs@',0
.data:00409A2D aContract@ db 'contract@',0
.data:00409A37 aFeste db 'feste',0
.data:00409A3D aGoldCerts@ db 'gold-certs@',0
.data:00409A49 aHelp@ db 'help@',0
.data:00409A4F aInfo@ db 'info@',0
.data:00409A55 aNobody@ db 'nobody@',0
.data:00409A5D aNoone@ db 'noone@',0
.data:00409A64 aKasp db 'kasp',0
.data:00409A69 aAdmin db 'admin',0
.data:00409A6F aIcrosoft db 'icrosoft',0
.data:00409A78 aSupport db 'support',0
.data:00409A80 aNtivi db 'ntivi',0
.data:00409A86 aUnix db 'unix',0
.data:00409A8B aBsd db 'bsd',0
.data:00409A8F aLinux db 'linux',0
.data:00409A95 aListserv db 'listserv',0
.data:00409A9E aCertific db 'certific',0
.data:00409AA7 aSopho db 'sopho',0
.data:00409AAD a@foo db '@foo',0
.data:00409AB2 a@iana db '@iana',0
.data:00409AB8 aFreeAv db 'Free-av',0
.data:00409AC0 a@messagelab db '@messagelab',0
.data:00409ACC aWinzip db 'winzip',0
.data:00409AD3 aGoogle db 'google',0
.data:00409ADA aWinrar db 'winrar',0
.data:00409AE1 aSamples db 'samples',0
.data:00409AE9 aAbuse db 'abuse',0
.data:00409AEF aPanda db 'panda',0
.data:00409AF5 aCafee db 'cafee',0
.data:00409AFB aSpam db 'spam',0
.data:00409B00 aPgp db 'pgp',0
.data:00409B04 a@avp_ db '@avp.',0
.data:00409B0A aNoreply db 'noreply',0
.data:00409B12 aLocal db 'local',0
.data:00409B18 aRoot@ db 'root@',0
.data:00409B1E aPostmaster@ db 'postmaster@',0

random email subjects:
recieved email have one of the following sybject:

.data:0040A0D7 aReMsgReply db 'Re: Msg reply',0 ; DATA XREF: sub_404829+5o
.data:0040A0E5 aReHello db 'Re: Hello',0
.data:0040A0EF aReYahoo db 'Re: Yahoo!',0
.data:0040A0FA aReThankYou db 'Re: Thank you!',0
.data:0040A109 aReThanks db 'Re: Thanks :)',0
.data:0040A117 aReTextMessage db 'RE: Text message',0
.data:0040A128 aReDocument db 'Re: Document',0
.data:0040A135 aIncomingMessag db 'Incoming message',0
.data:0040A146 aReIncomingMess db 'Re: Incoming Message',0
.data:0040A15B aReIncomingMsg db 'RE: Incoming Msg',0
.data:0040A16C aReMessageNotif db 'RE: Message Notify',0
.data:0040A17F aNotification db 'Notification',0
.data:0040A18C aChanges__ db 'Changes..',0
.data:0040A196 aNewChanges db 'New changes',0
.data:0040A1A2 aHiddenMessage db 'Hidden message',0
.data:0040A1B1 aFaxMessageRece db 'Fax Message Received',0
.data:0040A1C6 aProtectedMessa db 'Protected message',0
.data:0040A1D8 aReProtectedMes db 'RE: Protected message',0
.data:0040A1EE aForumNotify db 'Forum notify',0
.data:0040A1FB aSiteChanges db 'Site changes',0
.data:0040A208 aReHi db 'Re: Hi',0
.data:0040A20F aEncryptedDocum db 'Encrypted document',0
.data:0040A222 db 0

email body content :

.data:0040A25B aBrForSecurityR db 0Dh,0Ah ; DATA XREF: sub_404859+5o
.data:0040A25B db 'For security reasons attached file is password protected'
.data:0040A25B db '. The password is ',0Dh,0Ah,0
.data:0040A2C7 aBrForSecurityP db 0Dh,0Ah
.data:0040A2C7 db 'For security purposes the attached file is password prot'
.data:0040A2C7 db 'ected. Password -- ',0Dh,0Ah,0
.data:0040A334 aBrNoteUsePassw db 0Dh,0Ah
.data:0040A334 db 'Note: Use password to open archive'
.data:0040A334 db '.',0Dh,0Ah,0
.data:0040A37A aBrAttachedFile db 0Dh,0Ah
.data:0040A37A db 'Attached file is protected with the password for securit'
.data:0040A37A db 'y reasons. Password is ',0Dh,0Ah,0
.data:0040A3EB aBrInOrderToRea db 0Dh,0Ah
.data:0040A3EB db 'In order to read the attach you have to use the followin'
.data:0040A3EB db 'g password: ',0Dh,0Ah,0
.data:0040A451 aBrArchivePassw db 0Dh,0Ah
.data:0040A451 db 'Archive password: ',0Dh,0Ah,0
.data:0040A485 aBrPasswordImgS db 0Dh,0Ah
.data:0040A485 db 'Password - ',0Dh,0Ah,0
.data:0040A4B2 aBrPasswordIm_0 db 0Dh,0Ah
.data:0040A4B2 db 'Password: ',0Dh,0Ah,0
-----------------------------------------------------------------------------

W32/Bagle.AB will use as well P2P to spread with these fake program names:

; char aShar[]
.data:00409BC4 aShar db 'shar',0 ; DATA XREF: sub_40454A+83o
.data:00409BC9 aMicrosoftOffic db 'Microsoft Office 2003 Crack, Working!.exe',0
.data:00409BC9 ; DATA XREF: sub_4044B9+16o
.data:00409BF3 aMicrosoftWindo db 'Microsoft Windows XP, WinXP Crack, working Keygen.exe',0
.data:00409C29 aMicrosoftOff_0 db 'Microsoft Office XP working Crack, Keygen.exe',0
.data:00409C57 aPornoSexOralAn db 'Porno, sex, oral, anal cool, awesome!!.exe',0
.data:00409C82 aPornoScreensav db 'Porno Screensaver.scr',0
.data:00409C98 aSerials_txt_ex db 'Serials.txt.exe',0
.data:00409CA8 aKav5_0 db 'KAV 5.0',0
.data:00409CB0 aKasperskyAntiv db 'Kaspersky Antivirus 5.0',0
.data:00409CC8 aPornoPicsArhiv db 'Porno pics arhive, xxx.exe',0
.data:00409CE3 aWindowsSourcec db 'Windows Sourcecode update.doc.exe',0
.data:00409D05 aAheadNero7_exe db 'Ahead Nero 7.exe',0
.data:00409D16 aWindownLonghor db 'Windown Longhorn Beta Leak.exe',0
.data:00409D35 aOpera8New_exe db 'Opera 8 New!.exe',0
.data:00409D46 aXxxHardcoreIma db 'XXX hardcore images.exe',0
.data:00409D5E aWinamp6New_exe db 'WinAmp 6 New!.exe',0
.data:00409D70 aWinamp5ProKeyg db 'WinAmp 5 Pro Keygen Crack Update.exe',0
.data:00409D95 aAdobePhotoshop db 'Adobe Photoshop 9 full.exe',0
.data:00409DB0 aMatrix3Revolut db 'Matrix 3 Revolution English Subtitles.exe',0
.data:00409DDA aAcdsee9_exe db 'ACDSee 9.exe',0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
W32/Bagle.AB attempts to download more malware from the internet.
Apparentry the author has hacked lots of websites and placed a page named '5.php',
from where W32/Bagle.AB will attempt to download other malware.
see exemple:
http://www.spiegel.de/5.php ( probably a hacked website with the file 5.php )
'http://www.exactaudiocopy.de/5.php'

even the GOETHE INSTITUTE ! db 'http://www.goethe.de/5.php',0 what's a ethic hackers!
or the University of Stutgart db 'http://www.uni-stuttgart.de/5.php',0
or some hotel's website: http://www.hotel-pension-spree.de/5.php

Here is the complete list:

aHttpWww_spiege db 'http://www.spiegel.de/5.php',0 ; DATA XREF: sub_4032B5+1o
.data:00407EF5 aHttpWww_leipzi db 'http://www.leipziger-messe.de/5.php',0
.data:00407F19 aHttpWww_mobile db 'http://www.mobile.de/5.php',0
.data:00407F34 aHttpWww_neform db 'http://www.neformal.de/5.php',0
.data:00407F51 aHttpWww_avh_de db 'http://www.avh.de/5.php',0
.data:00407F69 aHttpWww_goethe db 'http://www.goethe.de/5.php',0
.data:00407F84 aHttpWww_degruy db 'http://www.degruyter.de/5.php',0
.data:00407FA2 aHttpWww_heise_ db 'http://www.heise.de/5.php',0
.data:00407FBC aHttpWww_autosc db 'http://www.autoscout24.de/5.php',0
.data:00407FDC aHttpWww_russis db 'http://www.russische-botschaft.de/5.php',0
.data:00408004 aHttpWww_bmbf_d db 'http://www.bmbf.de/5.php',0
.data:0040801D aHttpWww_berlin db 'http://www.berlinale.de/5.php',0
.data:0040803B aHttpWww_hamann db 'http://www.hamann-motorsport.de/5.php',0
.data:00408061 aHttpSpaceclub_ db 'http://Spaceclub.de/5.php',0
.data:0040807B aHttpWww_fracht db 'http://www.fracht-24.de/5.php',0
.data:00408099 aHttpWww_lovepa db 'http://www.loveparade.de/5.php',0
.data:004080B8 aHttpWww_dalnob db 'http://www.dalnoboyshik.de/5.php',0
.data:004080D9 aHttpWww_deutsc db 'http://www.deutschland.de/5.php',0
.data:004080F9 aHttpWww_acSchn db 'http://www.ac-schnitzer.de/5.php',0
.data:0040811A aHttpAbakan_str db 'http://abakan.strana.de/5.php',0
.data:00408138 aHttpWww_emis_d db 'http://www.emis.de/5.php',0
.data:00408151 aHttpWww_dwd_de db 'http://www.dwd.de/5.php',0
.data:00408169 aHttpWww_ifdesi db 'http://www.ifdesign.de/5.php',0
.data:00408186 aHttpWww_becker db 'http://www.beckers-systems.de/5.php',0
.data:004081AA aHttpWww_priWoH db 'http://www.pri-wo-hamburg.de/5.php',0
.data:004081CD aHttpVirtualzon db 'http://virtualzone.de/5.php',0
.data:004081E9 aHttpWww_mitsum db 'http://www.mitsumi.de/5.php',0
.data:00408205 aHttpWww_fuBerl db 'http://www.fu-berlin.de/5.php',0
.data:00408223 aHttpWww_nabu_d db 'http://www.nabu.de/5.php',0
.data:0040823C aHttpWww_tekeli db 'http://www.tekeli.de/5.php',0
.data:00408257 aHttpWww_welt_d db 'http://www.welt.de/5.php',0
.data:00408270 aHttpWww_gospel db 'http://www.gospel-nations.de/5.php',0
.data:00408293 aHttpWww_neznak db 'http://www.neznakomez.de/5.php',0
.data:004082B2 aHttpWww_teccha db 'http://www.tecchannel.de/5.php',0
.data:004082D1 aHttpWww_phpRes db 'http://www.php-resource.de/5.php',0
.data:004082F2 aHttpWww_windac db 'http://www.windac.de/5.php',0
.data:0040830D aHttpWww_gsi_de db 'http://www.gsi.de/5.php',0
.data:00408325 aHttpWww_turism db 'http://www.turism.de/5.php',0
.data:00408340 aHttpJakimov_go db 'http://jakimov.golos.de/5.php',0
.data:0040835E aHttpWww_www_mi db 'http://www.www.mirko-becker.gmxhome.de/5.php',0
.data:0040838B aHttpVg_xtonne_ db 'http://vg.xtonne.de/5.php',0
.data:004083A5 aHttpWww_goAmma db 'http://www.go-amman.de/5.php',0
.data:004083C2 aHttp3treepoint db 'http://3treepoint.com/5.php',0
.data:004083DE aHttpWww_restar db 'http://www.restarted-alliance.de/5.php',0
.data:00408405 aHttp2udar_liga db 'http://2udar.ligakvn.de/5.php',0
.data:00408423 aHttpWww_sprach db 'http://www.sprach-zertifikat.de/5.php',0
.data:00408449 aHttpWww_dfg_de db 'http://www.dfg.de/5.php',0
.data:00408461 aHttpWww_klinik db 'http://www.kliniken.de/5.php',0
.data:0040847E aHttpWww_winfut db 'http://www.winfuture.de/5.php',0
.data:0040849C aHttpWww_hambur db 'http://www.hamburg.de/5.php',0
.data:004084B8 aHttpWww_auma_d db 'http://www.auma.de/5.php',0
.data:004084D1 aHttpWww_teac_d db 'http://www.teac.de/5.php',0
.data:004084EA aHttpWww_eumets db 'http://www.eumetsat.de/5.php',0
.data:00408507 aHttpWww_docume db 'http://www.documenta.de/5.php',0
.data:00408525 aHttpHardvision db 'http://hardvision.ru/5.php',0
.data:00408540 aHttpWww_brueck db 'http://www.bruecke-osteuropa.de/5.php',0
.data:00408566 aHttpWww_mkMoto db 'http://www.mk-motorsport.de/5.php',0
.data:00408588 aHttpWww_bundes db 'http://www.bundesregierung.de/5.php',0
.data:004085AC aHttpDitec_um_e db 'http://ditec.um.es/5.php',0
.data:004085C5 aHttpWww_inselR db 'http://www.insel-ruegen-hotel.de/5.php',0
.data:004085EC aHttpWww_tib_un db 'http://www.tib.uni-hannover.de/5.php',0
.data:00408611 aHttpWww_chugai db 'http://www.chugai.de/5.php',0
.data:0040862C aHttpWww_blauer db 'http://www.blauer-engel.de/5.php',0
.data:0040864D aHttpWww_partne db 'http://www.partner-inform.de/5.php',0
.data:00408670 aHttpMhv24_de5_ db 'http://mhv24.de/5.php',0
.data:00408686 aHttpVillakinde db 'http://villakinderbunt.de/5.php',0
.data:004086A6 aHttpS318_evanz db 'http://s318.evanzo-server.de/5.php',0
.data:004086C9 aHttpAndimeissl db 'http://andimeisslein.de/5.php',0
.data:004086E7 aHttpTobimayer_ db 'http://tobimayer.de/5.php',0
.data:00408701 aHttpMarkusgime db 'http://markusgimenez.de/5.php',0
.data:0040871F aHttpWww_fizKar db 'http://www.fiz-karlsruhe.de/5.php',0
.data:00408741 aHttpWww_gdch_d db 'http://www.gdch.de/5.php',0
.data:0040875A aHttpWww_interm db 'http://www.intermatgmbh.de/5.php',0
.data:0040877B aHttpWww_hotelP db 'http://www.hotel-pension-spree.de/5.php',0
.data:004087A3 aHttpVg_xtonn_0 db 'http://vg.xtonne.de/5.php',0
.data:004087BD aHttpWww_lowSpi db 'http://www.low-spirit.de/5.php',0
.data:004087DC aHttpWww_redDot db 'http://www.red-dot.de/5.php',0
.data:004087F8 aHttpWww_fernun db 'http://www.fernuni-hagen.de/5.php',0
.data:0040881A aHttpWww_ruletk db 'http://www.ruletka.de/5.php',0
.data:00408836 aHttpWww_deut_0 db 'http://www.deutsch-als-fremdsprache.de/5.php',0
.data:00408863 aHttpWww_uniOld db 'http://www.uni-oldenburg.de/5.php',0
.data:00408885 aHttpFotos_schn db 'http://fotos.schneider.bards.de/5.php',0
.data:004088AB aHttpWww_deut_1 db 'http://www.deutsches-museum.de/5.php',0
.data:004088D0 aHttpWww_deBug_ db 'http://www.de-bug.de/5.php',0
.data:004088EB aHttpWww_uniStu db 'http://www.uni-stuttgart.de/5.php',0
.data:0040890D aHttpWww_emblHe db 'http://www.embl-heidelberg.de/5.php',0
.data:00408931 aHttpWww_mdzMos db 'http://www.mdz-moskau.de/5.php',0
.data:00408950 aHttpWww_mitsub db 'http://www.mitsubishi-evs.de/5.php',0
.data:00408973 aHttpWww_siegen db 'http://www.siegenia-aubi.com/5.php',0
.data:00408996 aHttpWww_cicv_f db 'http://www.cicv.fr/5.php',0
.data:004089AF aHttpWww_paromi db 'http://www.paromi.de/5.php',0
.data:004089CA aHttpWww_jura_u db 'http://www.jura.uni-sb.de/5.php',0
.data:004089EA aHttpWww_exacta db 'http://www.exactaudiocopy.de/5.php',0

the Bagle family seems to be a major problem over the internet with a very high infection rate.
But this is only the beginning obviously as the Bagle family has been first discovered in 2004.

Asmatiks

very nice

keep up the great work.

V.

thx Vals, isn't it the same

thx Vals, isn't it the same as the one in the challenge #1?