[jhb_airlines] Nasty trick time again

  • From: "Bones" <bones@xxxxxxx>
  • To: "JHB Email List" <jhb_airlines@xxxxxxxxxxxxx>
  • Date: Tue, 10 Aug 2004 04:17:10 +0100

I got an email tonight from Gerry Winskill - or so it purported to be.
The address was kosher but the header and content of the message both
contained just one word - "Price". As there was an attachment I
immediately isolated it for further examination.

The attachment was called NewPrice.zip and it contained one html file
and an EXE. Both passed the virus checks so I then opened the html file
in Notepad. Lo and behold it was an interesting bit of Java script which
played around with the Registry and tried to pass itself off as a
Windows Update file.

The EXE file was also scrutinised and it was pretty grim too. Although
only 5K it had enough in it to either block or take over most firewalls
and contained a huge list of dodgy web site URL's. You know the sort of
thing - Russian Brides, Rumanian teenagers, bestiality sites etc.

An hour later I got an almost identical email except that it had a
New_Price.zip file in it. Contents were otherwise identical.

The warning is plain yet again. Don't open any emails (even from other
people on this list) unless you are expecting a private message and you
KNOW they are sending an attachment with it.


I have just finished downloading the latest update to my virus checking
program (and I mean the very latest as I downloaded an update around
1700 last night) and have run it on the ZIP files. Both come up with the
same result:

i:\documents and settings\bones\desktop\new__price.zip>price/price.htm -
JS.Bagle.AG worm. 
i:\documents and settings\bones\desktop\new__price.zip>price/price.exe -
Win32.Bagle.AG worm.

It's a new version of the Bagel/Bagle worm released in the last 24 hours
- possibly to beat the WinXP Service Upgrade 2 or maybe just
co-incidence. Here's the official description.

"Bagle.AG consists of several components; the worm executable, an HTML
file, an EXE dropper and a .DLL that contains a routine to download the

The EXE dropper is 14,848 bytes in size.

The DLL that will be injected into Explorer.exe process is 11,776 bytes.
Subsequent activities by the malware will appear to have originated from

The dropper downloads the worm from a list of 204 different URLs, all
pointing to a file named 2.JPG.  The file is downloaded to the %Windows%
directory as "~.exe" and executed.  The downloaded file is a 19,460-byte
PEX-compressed Win32 executable.

The HTML contains code to activate PRICE.EXE.

Once the EXE dropper is activated, it copies itself to the %System%
directory as "WINdirect.exe", and drops the DLL component as "_DLL.EXE".
It then creates a remote thread in Explorer.exe process to execute the
DLL component.

The following registry values are created to run the EXE dropper when
Windows starts:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe =
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe =

When executed, the worm copies itself to: 


and modifies the registry to ensure that this copy is executed at each
Windows start:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\erthgdr =

OK - it's not nice. Don't get caught.


Other related posts: