bagle.X semi-infection

Today a user reported that her local Antivirus software popped up a message about a Bagle.X worm being present. She swiftly reported it to someone nearby who got me involved, and also took a screenshot of the warning: “File Deleted.” I liked the Deleted part, but having an actual worm is not a good sign.

AV reported drvdll.OPENEXE as the offending file, and promptly deleted it, which removed any chance I had of determining the date of creation of the file.

After talking to the employee, I learned that she turns her computer off every night and had not clicked on or opened any attachments, with just one exception: she had just gone and downloaded a new user download of the AIM software (and along with it, the WeatherBug and WildTangent installs that piggyback along). Right after installation, the AV warning came up.

I did more checking on the system, and found one more piece of evidence of an infection: In the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run was a key to start up the offending executable file upon next reboot.

Being a Bagle worm, I attempted normal programs like netstat to see if the worm was running and terminating such processes (like it does and should) and to see if the telltale backdoor had been dropped on a high port. Nothing came back positive. I also examined the running processes using Process Explorer from SysInternals for the telltale Skynet mutex…again, no sign of it.
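The two checks above (a new entry under the HKCU Run key, and an unexpected listening port in netstat output) are easy to script so they can be repeated on the next desktop. The following is an added example, not part of the original post or the author's toolkit: it parses a constructed `reg export` of the Run key and a constructed `netstat -an` listing, and reports Run entries that are not in a known-good baseline and TCP listeners on ports the desktop is not expected to have. The baseline values, the sample entries and the port number 20123 are all invented for the example.

```python
import re

# Constructed sample: the shape of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"`.
# Names and paths are invented for this example; they are not from the incident.
SAMPLE_RUN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe"
"drvdll"="C:\\WINDOWS\\system32\\drvdll.exe"
"""

# Constructed sample: a few lines in the format of `netstat -an` on a Windows desktop.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20123          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1037      64.12.24.1:5190        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Assumed known-good baseline, e.g. taken from a clean build of the same desktop image.
BASELINE_RUN = {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"}

# Assumed set of TCP ports this desktop is expected to listen on (RPC and SMB here).
EXPECTED_LISTENING = {135, 139, 445}


def parse_run_entries(reg_text):
    """Return {value_name: command_line} from a .reg export of the Run key.

    A .reg export doubles backslashes inside string values, so they are collapsed here.
    """
    entries = {}
    for line in reg_text.splitlines():
        match = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if match:
            name, command = match.group(1), match.group(2).replace("\\\\", "\\")
            entries[name] = command
    return entries


def unexpected_run_entries(reg_text, baseline=BASELINE_RUN):
    """Run entries whose name is missing from the baseline or whose command differs."""
    current = parse_run_entries(reg_text)
    return {name: cmd for name, cmd in current.items() if baseline.get(name) != cmd}


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENING):
    """TCP ports in LISTENING state that are not in the expected set, in listing order."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # A TCP listener line has exactly: proto, local addr, foreign addr, state.
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port not in expected:
                found.append(port)
    return found


if __name__ == "__main__":
    for name, cmd in unexpected_run_entries(SAMPLE_RUN_EXPORT).items():
        print(f"Run entry not in baseline: {name} -> {cmd}")
    for port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"Unexpected TCP listener on port {port}")
```

Both results are a triage list, not a verdict: the AIM entry is flagged simply because it is new, which is exactly the point of a baseline diff, and the analyst then decides which new entries are explained by the day's installs and which, like a driver-looking executable nobody installed, need a closer look.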

I determined that this worm infection was brand new, and did not execute itself. However, it was poised to execute on the next computer reboot if AV and an alert employee had not intervened.

The insertion vector? I can only guess that it piggybacked on with an AIM installation (I am waiting and scanning the news to see if this incident did happen) or that the new exploit in AIM dealing with Away message URL buffer overflows was somehow encountered (although I consider this latter case to be highly unlikely).

Bottom line in all of this: I am getting faster and more thorough with diagnosing desktop incidents like this…and I am becoming more confident and versed in my chosen toolkit to assist in such issues.