Bagle.AG opens a backdoor on TCP port 1080 and also attempts to shutdown a wide range of antivirus and security processes found running on infected systems as well as attempting to remove registry keys associated with Netsky variants. As with previous variants, Bagle.AG also copies itself to folders with the string 'shar' in the foldername, facilitating its spread via P2P filesharing networks.
The subject of the Bagle.AG email will be one of the following:
Changes..
Encrypted document
Fax Message
Forum notify
Incoming message
Notification
Protected message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Re: Msg reply
RE: Protected message
RE: Text message
Re: Thank you!
Re: Thanks :)
Re: Yahoo!
Site changes
Update
The body of the email reads one of the following:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
The attachment will have either a .com, .cpl, .exe, .scr, or .zip extension and one of the following filenames:
Information
Details
text_document
Updates
Readme
Document
Info
MoreInfo
Message
In some cases, the attachment may be a password protected zip, in which case the message body will signify that the attached file is password protected and that password will also be attached as an image file. Depending on the mail client, this may also cause the password to be displayed inline with the message text.
Upon infected, Bagle.AG copies itself as sys_xp.exe to the Windows system directory and modifies the HKCU\..\Run registry to load the worm when Windows is started.
Note: By default, the Windows system directory is:
Windows 95/98/ME --> C:\Windows\System
Windows NT/2-2000 --> C:\Winnt\System32
Windows XP --> C:\Windows\System32
