Bagle.N ASCII Art

Bagle.N conceals a picture typical of the "ASCII art" scene. It is never displayed, though: you have to debug or disassemble the worm to see it. If you don't feel like doing that... I'll do it for you :-).

Hidden From View

The initial file is packed with UPX. Once unpacked, just open it with a hexadecimal editor. Looking carefully through the file, you notice a lot of "graphical" bytes. By "graphical", I mean that when the ASCII symbols corresponding to these bytes are displayed, a kind of "picture" appears on the screen. Just look at the following screen capture:

Figure 1. Something is alive inside...

This "picture" is never shown while the worm is running. It is a sort of private message, reserved for people rummaging through a virus's guts. It's a trick widely used by virus authors when they want to make fun of AV researchers or, as in this particular case, of another virus/VX group.

But here, reading it requires a descrambling stage first.

ROR Time

At the start of the code, we have:

01   mov esi,offset dword_401000
02   mov edi,esi
03   mov ecx,4FE2h
04   cld
05
06 _405FFA:
07
08   lodsb
09   ror al,03h
10   xor al,88h
11   stosb
12   loop _405FFA

Figure 2. The decryption loop.

Starting from address 401000h in memory, 4FE2h (20,450) bytes are decoded using ror and xor (lines 9-10). The ROtate Right (ROR) instruction is not that common: on each rotation step it shifts every bit one position towards the right, and the least-significant bit (lsb) that falls off the end is copied back into the most-significant bit (msb) position, so no bit is lost. Look at this more explicit figure:

Figure 3. ROR in image.

The next figure shows the value 44 (00101100b) right-rotated 3 times:

Figure 4. 44 RORed by 3.

Here is a C implementation of ROR:

#define ROR(x,n) ( ( ( x & ( ( 1 << n ) - 1 ) ) << ( 8 - n ) ) | ( x >> n ) )
 

Figure 5. My obfuscated tribute to the C language.

Full Decoding

The ASCII butterfly is 1,866 bytes in length: 2 empty lines (2 bytes each), 31 lines of 60 characters each (the actual drawing, counting each line's trailing CR/LF pair) and 1 more blank line (2 bytes again). The short code below decodes these bytes and displays them:

#include <windows.h>   /* BYTE */
#include <conio.h>     /* _kbhit() */
#include <stdio.h>

/* 8-bit rotate right, as in Figure 5 */
#define ROR(x,n) ( ( ( x & ( ( 1 << n ) - 1 ) ) << ( 8 - n ) ) | ( x >> n ) )

int main(void)
{
  int i;
  /* the 1,866 encrypted bytes of the butterfly, as found in the unpacked worm */
  BYTE x[] = {

    0x2C,0x14,
    0x2C,0x14,
    0x45,0xE6,0x07,0x6F,0x45,0xFE,0x07,0x0F,0xE7,0x6F,0x45,0xD6,0x4F,0x57,0x57,
    0x0F,0xE7,0x45,0xC6,0xD7,0x6F,0xDF,0x6F,0x37,0xE7,0xDF,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,
    0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xA2,0xD1,0xA2,0x45,0x45,0xC1,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0xE6,0x07,0x6F,0x45,0x77,0x0F,0xD7,0xDF,0xE7,0x45,0x4F,0x37,0x67,
    0x45,0xE7,0x07,0x6F,0x45,0xDF,0x0F,0x37,0x7F,0x27,0x6F,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xA2,0x9A,0x9A,0x9A,0xD1,0xAA,0xC1,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x4E,0x37,0xE7,0x0F,0x2D,0x36,0x6F,0xE7,0xDE,0x1F,0x8F,0x45,
    0x4E,0x37,0xE7,0x0F,0xF6,0x0F,0xD7,0xEF,0xDF,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0xD1,0x9A,0xD1,0xD1,0xD1,0xD1,0x9A,0x45,0x45,
    0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,
    0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x2D,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0xD1,0x9A,0x9A,0x9A,0x9A,0xD1,0xD1,0x9A,0xAA,0xC1,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0xD1,0x9A,0xBA,0x45,0xBA,0x9A,0x9A,0xD1,0xD1,0x9A,0xC1,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xBA,0x45,0xA2,0x45,0x45,
    0x45,0x45,0x45,0xD1,0x9A,0x45,0x45,0x45,0x45,0xB2,0x9A,0x9A,0xD1,0xD1,0x9A,
    0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0xBA,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xD1,0xAA,
    0x45,0x45,0xB2,0x9A,0xD1,0x45,0xA2,0xD1,0xA2,0x45,0xBA,0x9A,0x9A,0xD1,0xD1,
    0x9A,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0xD1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xB2,0xD1,
    0x45,0x45,0xD1,0x9A,0x45,0xB2,0xD1,0xD1,0xD1,0xAA,0x45,0x45,0xBA,0x9A,0xD1,
    0x9A,0x9A,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0xB2,0xD1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xD1,
    0xAA,0xD1,0x9A,0x45,0x45,0x45,0xD1,0xD1,0xBA,0x45,0x45,0x45,0x45,0xB2,0x9A,
    0xD1,0x9A,0xD1,0x45,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0xA2,0xA2,0x9A,0x9A,0x9A,0x9A,0xA2,0xA2,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0xBA,0xD1,0xA2,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xD1,
    0xB2,0x9A,0xD1,0x45,0x45,0x45,0xB2,0x9A,0x45,0x45,0x45,0x45,0x45,0x45,0x9A,
    0x9A,0xD1,0xAA,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,
    0x9A,0xA2,0xA2,0x45,0x45,0x45,0xBA,0xD1,0xA2,0x45,0x45,0x45,0x45,0xB2,0xD1,
    0x9A,0x9A,0xAA,0x45,0x45,0xC1,0x9A,0xAA,0x45,0x45,0x45,0x45,0x45,0xB2,0x9A,
    0x9A,0xD1,0x45,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0xB2,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0xBA,0xBA,0x45,0x45,0x45,
    0xBA,0xBA,0x9A,0x9A,0x9A,0x9A,0xA2,0xA2,0x45,0xBA,0xA2,0x45,0xA2,0xD1,0xB2,
    0x9A,0x9A,0x45,0x45,0xC1,0x9A,0xBA,0x45,0x45,0x45,0x45,0x45,0x45,0x9A,0x9A,
    0xD1,0xAA,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0xBA,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0xBA,0xBA,0x9A,0x9A,0xD1,0xA2,0xA2,0xD1,0xD1,0x9A,0x9A,
    0x9A,0xAA,0x45,0xC9,0x9A,0xAA,0x45,0x45,0x45,0x45,0x45,0xA2,0x9A,0x9A,0x9A,
    0x9A,0xA2,0x9A,0xD1,0xA2,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0xD1,0x9A,0x9A,0x9A,0xAA,0x45,0x45,0x45,0x45,0x45,0xA2,
    0xD1,0xA2,0x45,0x45,0x45,0x45,0x45,0x45,0xBA,0xBA,0x9A,0x9A,0x9A,0x9A,0x9A,
    0x9A,0x45,0xC9,0x9A,0xAA,0x45,0x45,0x45,0x45,0xA2,0xD1,0x9A,0x9A,0x9A,0x9A,
    0x9A,0x9A,0x9A,0x9A,0xD1,0xD1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0xC1,0xB2,0x9A,0x9A,0x9A,0x45,0x45,0x45,0x45,0xD1,0xD1,
    0xD1,0xD1,0xD1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xBA,0x9A,0x9A,0x9A,
    0x9A,0x9A,0x9A,0xC9,0x45,0xA2,0xA2,0x9A,0x9A,0x9A,0x9A,0xBA,0xBA,0x45,0x45,
    0x45,0xBA,0x9A,0x9A,0x9A,0xD1,0xAA,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0xC1,0xD1,0x9A,0x9A,0x9A,0x45,0x45,0x45,0xBA,0xD1,
    0xD1,0xD1,0xBA,0xBA,0x9A,0x9A,0xA2,0xA2,0xA2,0xA2,0x45,0x45,0xA2,0x9A,0x9A,
    0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0xBA,0xBA,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0xB2,0x9A,0x9A,0x9A,0xD1,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xD1,0x9A,0x9A,0x9A,0x45,0x45,0x45,0x45,
    0xBA,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xBA,0xBA,0xBA,0x9A,0x9A,0x9A,0x9A,
    0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0xA2,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x9A,0x9A,0x9A,0xD1,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0xC1,0x45,0xD1,0x9A,0x9A,0x9A,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xB2,0x9A,0x9A,0x9A,
    0x9A,0x9A,0x9A,0xD1,0xBA,0x45,0x45,0xBA,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x9A,0x9A,0xD1,0xAA,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xD1,0x9A,0x9A,0x9A,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x9A,0x9A,0x45,0x45,
    0xBA,0x9A,0x9A,0x9A,0xA2,0x45,0x45,0x45,0xBA,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x9A,0x9A,0xD1,0xAA,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xC1,0x45,0x45,0xD1,0x9A,0x9A,0x9A,0xA2,
    0x45,0x45,0x45,0xA2,0xC1,0x9A,0x9A,0x9A,0xC1,0x45,0xB2,0xD1,0x45,0x45,0x45,
    0x45,0x45,0xD1,0x9A,0x9A,0xD1,0xA2,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0xB2,0x9A,0x9A,0xD1,0xAA,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xC1,0x45,0xD1,0x9A,0x9A,0x9A,
    0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0xC1,0x45,0x45,0x45,0x45,0xBA,0xA2,0x45,0x45,
    0x45,0x45,0xB2,0x9A,0x9A,0x9A,0x9A,0xD1,0xA2,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0xA2,0x9A,0x9A,0xD1,0xD1,0xAA,0xC1,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xC1,0x45,0xD1,0xD1,0x9A,
    0x9A,0x9A,0xBA,0x9A,0xD1,0x45,0x45,0x45,0x45,0x45,0xC1,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0xD1,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0xA2,0xA2,0xA2,0xA2,
    0x9A,0x9A,0x9A,0xD1,0xD1,0x9A,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xBA,0xD1,
    0xBA,0x45,0xB2,0x9A,0xAA,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0xB2,0x9A,0x9A,0xD1,0xBA,0x45,0xBA,0x9A,0x9A,0x9A,0x9A,0xD1,
    0xD1,0xD1,0xD1,0xD1,0xD1,0xAA,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xC1,0x45,0x45,0xC1,
    0x45,0x45,0x9A,0x9A,0x9A,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0xB2,0xD1,0x9A,0xAA,0x45,0xC1,0x45,0x45,0xC1,0xBA,0xD1,0x9A,
    0x9A,0xD1,0xD1,0xD1,0x9A,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0xC1,0xB2,0x9A,0x9A,0x9A,0xD1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0xD1,0x9A,0x9A,0xC1,0x45,0xC1,0x45,0x45,0x45,0x45,0xC1,0x45,
    0xBA,0xBA,0xD1,0xBA,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0xBA,0x9A,0x9A,0x9A,0x9A,0xA2,0xA2,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0xA2,0x9A,0xD1,0x9A,0xAA,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0xC1,0x45,0x45,0xBA,0xBA,0x9A,0x9A,0x9A,0x9A,0x9A,0x9A,0xA2,0xA2,0xA2,
    0x9A,0x9A,0xD1,0xD1,0xD1,0x9A,0x9A,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0xC1,0x45,0xC1,0x45,0x45,0x45,0xBA,0xBA,0xD1,0x9A,0x9A,0xD1,0xD1,
    0xD1,0xD1,0xD1,0xD1,0xD1,0xD1,0xAA,0xC9,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xD1,0x45,0x45,0xBA,0xBA,0x9A,0x9A,
    0x9A,0xD1,0xD1,0xD1,0xD1,0x9A,0xC1,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0xBA,0xBA,0xBA,0xBA,0xBA,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
    0x2C,0x14

  };

  /* same transformation as the loop in Figure 2: ror al,3 then xor al,88h */
  for ( i = 0; i < sizeof(x); i++ ) printf("%c",ROR(x[i],3)^0x88);

  /* keep the console window open until a key is pressed */
  while ( !_kbhit() ) ;
}

Figure 6. Decoding Bagle.N butterfly C source code.
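As an added example (not the article's code), this portable C version redoes the decoding without the Windows-only headers: a rotate that stays within one byte, the Figure 2 loop applied in place, and a CR/LF count as a sanity check that the key and rotate count are right. The sample is the first drawing row copied from the Figure 6 array, and the function names (`ror8`, `bagle_decode`, `count_crlf_lines`, `decode_first_row`) are chosen here.

```c
/* Added example, not from the original article. Portable version of the
 * Figure 2 loop (ROR AL,3 ; XOR AL,88h per byte) plus a CR/LF sanity check;
 * the sample bytes are the first drawing row copied from the Figure 6 array. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 8-bit rotate right. A function evaluates x once and the uint8_t return type
 * keeps the result inside one byte, unlike the Figure 5 macro. */
uint8_t ror8(uint8_t x, unsigned n)
{
    n &= 7u;
    return (uint8_t)((x >> n) | (x << (8u - n)));
}

/* Decode n bytes in place: one iteration of the loop at _405FFA per byte. */
void bagle_decode(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = ror8(buf[i], 3) ^ 0x88;   /* ror al,3 ; xor al,88h */
}

/* Count CR/LF pairs: a wrong key or rotate count would not yield text lines. */
size_t count_crlf_lines(const uint8_t *buf, size_t n)
{
    size_t lines = 0;
    for (size_t i = 1; i < n; i++)
        lines += (buf[i - 1] == '\r' && buf[i] == '\n');
    return lines;
}

/* First drawing row of the Figure 6 array: 58 characters plus CR/LF. */
static const uint8_t first_row[60] = {
    0x45,0xE6,0x07,0x6F,0x45,0xFE,0x07,0x0F,0xE7,0x6F,0x45,0xD6,0x4F,0x57,0x57,
    0x0F,0xE7,0x45,0xC6,0xD7,0x6F,0xDF,0x6F,0x37,0xE7,0xDF,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0xC1,0x45,0x45,0x45,0x45,0x45,0x45,0x45,
    0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x45,0x2C,0x14,
};

/* Decode a copy of first_row; returns a NUL-terminated static buffer. */
const char *decode_first_row(void)
{
    static char out[sizeof first_row + 1];
    memcpy(out, first_row, sizeof first_row);
    bagle_decode((uint8_t *)out, sizeof first_row);
    out[sizeof first_row] = '\0';
    return out;
}
```

The row decodes to " The White Rabbit Presents" padded with spaces, and the byte at offset 37 comes out as 0xB0, a block-graphics character in the DOS code page and something else in most others, which is the point made about Figure 7 below.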

I've used hexadecimal codes instead of characters/symbols because I don't know which character set your web browser uses. As you can see in the following picture (the screen produced by the Figure 6 program), that is far from unimportant :-).

Figure 7. What's really inside!

Credits

joke0 (virus dealer).

Misanthrope - Hypochondrium forces (musical inspiration).

Enjoy, cya!

(Written 03/18/2004, revised 10/10/2009)

Copyright © 2003-2017 Arnold McDonald. All rights reserved.