Bagle Analysis

Bagle Malware appears to be making a comeback lately, not so much in the US but more so in Europe, although that is subject to change since it can spread fast.

Bagle is not necessarily new, although new variants are constantly being developed, usually nastier with each version. This new version is absolutely nasty. Some symptoms of the infection are the browser closing, system lag, system security and security tool functions (such as AntiVirus and Firewall) being disabled, and the inability to run most security tools.

Technical Analysis:

Please note that the analysis here should not be used as a removal guide for this or any other Malware. If you think you’re infected you should either go to the forums for help, bring it to a pro, or reformat the PC (which is what the pro will probably do).

Static Analysis:

On the date that the sample was captured I ran it by Virus Total and almost 60% of the scanners identified it as Malware. Not bad, but not great either and I’m sure that will get better with time.

Virus Total Results

The sample I tested was packed with Themida, which is a commercial grade packer. This pretty much rules out any real static analysis with my limited unpacking skills at this point. Note that the packing is used to help avoid detection and prevent this type of analysis.

Dynamic Analysis:

Here is where the fun begins for me…

I was able to get this sample to run in VMWare which is nice for analysis.

Upon execution of the sample the system pauses for a few seconds then generates this window:

bagle first window

Well, I don’t know what that means but I know what OK! means. So I proceed with that and see this next:

bagle 2cd window

It looks like some kind of Windows logon screen. Well, again, OK is good for me.

After that not much happened and I was wondering if it really ran in the VM. I tried to run some basic system analysis with HijackThis and a rootkit scan with GMER and neither would run. Soon after, the system rebooted by itself. At this point I was pretty confident that the Malware took to the VM.

Looking at the file/folder/registry modifications with InstallWatch and RegShot showed several folders and registry entries created, very similar to the report from Threat Expert.

Threat Expert Report

As we can see there is quite a bit of activity, and this is starting to look like some nasty stuff, but more will be revealed…

After reboot I tried HijackThis and GMER again (without success). I also tried running MalwareBytes and that would not go.

I was able to get both OldTimer's OTL and sUBs' DDS tools to run, which showed some interesting entries (definitely Malware).
OTL:
Processes:
PRC - [2009/11/10 14:05:13 | 00,899,076 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\drivers\downld\62359.exe
Driver Services:
DRV - [2009/11/10 14:04:59 | 00,119,188 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys -- (srosa)
Pseudo HJT:
O4 - HKCU..\Run: [flec003.exe] C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe (http://www.emule-project.net)

DDS showed the same process, run key, and driver that OTL did.

Now, making sure that hidden files are showing in XP, I looked for those files and registry entries but none of them were visible. The only thing I could see was a file called srosa2.sys in the drivers folder.

Now, we can pretty much deduce from these findings that there is no doubt a well planted rootkit running here. The presence of srosa (which is a well known rootkit) and the fact we cannot see anything with the normal Windows tools confirms this.

So since we cannot run my favorite rootkit tool, GMER, we'll try some others. I tried running SysProt ARK but had no success there. Next I tried RootRepeal and it was able to run.

Hidden/Locked Files
-------------------
Path: C:\Program Files\Movie Maker\Shared
Status: Invisible to the Windows API!

Path: c:\windows\system32\ntkrnlpa.exe
Status: Allocation size mismatch (API: 24576, Raw: 2060288)

Path: C:\WINDOWS\ime\shared
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\hidires
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\downld
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\m\flec006.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\m\shared
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\000058cb\autorun.inf
Status: Invisible to the Windows API!

Processes
-------------------
Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe
PID: 236    Status: Hidden from the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe
PID: 472    Status: Hidden from the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\m\flec006.exe
PID: 1376    Status: Hidden from the Windows API!

Hidden Services
-------------------
Service Name: srosa
Image Path: system32\DRIVERS\sr.sys
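The RootRepeal report above is a cross-view comparison: each entry is something the Windows API does not report but a raw read of the disk or kernel structures does. As an added example (not code from the post or from RootRepeal), here is a small parser for that report layout that turns the excerpt into structured findings, with a short constructed sample taken from the lines above; the section names and "Key: value" field layout are assumed from the report as shown.

```python
import re
# Constructed excerpt in RootRepeal's report layout (shortened from the post).
SAMPLE_REPORT = """\
Hidden/Locked Files
-------------------
Path: C:\\Program Files\\Movie Maker\\Shared
Status: Invisible to the Windows API!

Path: c:\\windows\\system32\\ntkrnlpa.exe
Status: Allocation size mismatch (API: 24576, Raw: 2060288)

Processes
-------------------
Path: C:\\Documents and Settings\\Administrator\\Application Data\\hidires\\flec003.exe
PID: 236    Status: Hidden from the Windows API!

Hidden Services
-------------------
Service Name: srosa
Image Path: system32\\DRIVERS\\sr.sys
"""
SECTIONS = {"Hidden/Locked Files": "files", "Processes": "processes",
            "Hidden Services": "services"}
MISMATCH = re.compile(r"Allocation size mismatch \(API: (\d+), Raw: (\d+)\)")

def parse_rootrepeal(text):
    """Return {'files': [...], 'processes': [...], 'services': [...]} of field dicts."""
    found = {name: [] for name in SECTIONS.values()}
    section, entry = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if line in SECTIONS:
            section, entry = SECTIONS[line], {}
        elif line and section and not line.startswith("-"):
            for field in re.split(r"\s{2,}", line):  # 'PID: 236    Status: ...'
                key, _, value = field.partition(": ")
                if key in entry:  # a repeated key starts the next entry
                    entry = {}
                entry[key] = value
                if len(entry) == 1:  # first field: register the new entry
                    found[section].append(entry)
    return found

def triage(found):
    """Cross-view summary: what the API cannot see but a raw read can points at a kernel-mode rootkit."""
    hidden = [f["Path"] for f in found["files"] if "Invisible" in f["Status"]]
    mismatch = {f["Path"]: tuple(map(int, m.groups())) for f in found["files"]
                if (m := MISMATCH.search(f["Status"]))}
    pids = {int(p["PID"]): p["Path"] for p in found["processes"]}
    services = {s["Service Name"]: s["Image Path"] for s in found["services"]}
    return {"hidden": hidden, "mismatch": mismatch, "pids": pids, "services": services}
```

The allocation size mismatch on ntkrnlpa.exe is the kind of entry worth pulling out on its own: the API-reported size and the raw on-disk size disagree, which is what you expect when something is filtering what the API returns.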

I tried removing the hidden service, sr.sys, but RootRepeal would not do it. I then was able to wipe several of the hidden files and was subsequently able to run GMER. To keep an already way too long post from getting longer, I'm not going to show everything GMER found (which was a lot!). Here is a summary:

It confirmed the Malware we have already seen with the other tools, but it found much more.

In this hidden folder:
C:\Documents and Settings\Administrator\Application Data\drivers\downld\
There were about 30 files similar to the following: 311109.exe. The names are all random numbers.

Then the real find and the main goal of this Malware:
C:\Documents and Settings\Administrator\Application Data\hidires\WDIR\000-484 – Enterprise Connectivity with J2EE Practice Exam Questions 1.0 (KeyGen).zip
C:\Documents and Settings\Administrator\Application Data\m\shared\12Ghosts Timer 9.0.52.5740.zip

There were about 100 zip archived files in each of the WDIR and shared hidden folders. These are not keygen files or game files as they are all labeled. Analysis showed that in each of those archives the same Bagle dropper is packed up and ready for someone to download and infect themselves. So you're saying, how are they going to get them off my PC? Well, this entry:
O4 - HKCU..\Run: [flec003.exe] C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe (http://www.emule-project.net)

starts up an eMule P2P host right off your machine every time it boots. Yes, as my kids say, you and your PC have been Pwnd. Your PC is serving up Malware to the world.

The scary thing with this Malware is that the only real indication of its presence is that it slows down system performance (those CPU cycles are busy serving up Malware). There are no pop-ups or redirects, and your security software has been disabled so it knows nothing. Your browser will shut down if you try to surf to any security sites, and many tools won't run. So if you have these symptoms I would suggest getting help.

It is possible to remove this Malware. But again, unless you really know what you’re doing I would suggest heading over to the forums and posting the required logs so an expert can take a look.

Sorry for such a long post here, but I left a lot out, trust me. This one was also real fun to play with and analyze. I hope this provides some insight into how this stuff spreads itself around. Also it should alert you to the dangers of P2P file sharing.

Author:admin
Date: Tuesday, 10. November 2009 16:40
1 Comment

    Great info, thanks for useful post. I’m waiting for more
