
Win32.Bagle.{CU,FG,GL,GU}@mm

MEDIUM
MEDIUM
varies with version
(Email-worm.Win32.Bagle,Win32/Bagle,Win32.HLLM.Beagle)

Symptoms

After opening a mail that has a zip attachment with a numeric password and executing the file inside, which is an executable with an image icon or a text-file icon, you will see an error.gif or error.txt that says either "Error" or "UTF-8 decoding error.". After that it is hard to find, because it drops a rootkit that hides its files and its processes; you need rootkit-detection software to detect it.
The virus also generates some network traffic and disk activity as it searches the local drives for mail addresses and sends itself to the addresses it finds.

Removal instructions:

Because the worm uses a rootkit to hide itself, it is difficult to locate and terminate manually. It also closes antivirus processes, so your antivirus is probably disabled. To remove it, create a new text document and enter the following text in it (without the curly brackets):
{Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"drv_st_key"=-}
Save it as remove.reg, double-click it to add it to the registry, and click Yes when asked whether you want to add remove.reg to the registry.
Then restart your computer and scan your local disks, or remove it manually by deleting the following folder:
%documents_and_settings%\(current user)\Application Data\hidn

Analyzed By

George Nechifor, virus researcher

Technical Description:

After execution, the virus copies itself to %documents_and_settings%\(current user)\Application Data\hidn\hidn2.exe (Win32.Bagle.FG@mm), %documents_and_settings%\(current user)\Application Data\hidn\hidn1.exe (Win32.Bagle.GL@mm) or %documents_and_settings%\(current user)\Application Data\hidn\hldrrr.exe (Win32.Bagle.GU@mm). It also drops %documents_and_settings%\(current user)\Application Data\hidn\m_hook.sys, a rootkit driver that hides the hidn directory and the files in it, as well as any process whose name contains the word "hidn".
%documents_and_settings% is the Documents and Settings folder, usually located in C:\
(current user) is the name of the currently logged-on user.
It also adds the registry value HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drv_st_key so that it is started automatically at Windows startup, and creates the key HKCU\Software\FirstRuxzx\FirstRun.
After that the worm searches files on the infected computer for mail addresses. It then sends mail from spoofed sender addresses to the addresses it found (with some exceptions). The mail contains a zip attachment with a randomly generated numeric password, which is displayed as a gif image in the mail body.
The worm also tries to terminate a list of processes and services related to security products and to previous versions of itself. It also tries to download new versions from a preconfigured list of sites.
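The following is an added triage helper, not Bitdefender's tool or part of the original description. It ties the removal instructions and the technical description together: it parses a text export of the HKCU Run key (standard .reg syntax), checks it and a file/process listing for the indicators named above (the drv_st_key autorun value, the FirstRuxzx\FirstRun marker key, the hidn directory and the dropped file names), and builds the same remove.reg whose "=-" line deletes the autorun value. The registry export and the path list are constructed sample input; the function and constant names are this example's own.

```python
"""Offline triage for the Bagle indicators described in this entry (added example)."""
import re

# Indicators taken from the description above
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUN_VALUE = "drv_st_key"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRuxzx\FirstRun"
DROPPED_FILES = {"hidn1.exe", "hidn2.exe", "hldrrr.exe", "m_hook.sys"}

# Constructed sample: a .reg export of the Run key from an infected profile
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drv_st_key"="C:\\Documents and Settings\\alice\\Application Data\\hidn\\hidn2.exe"

[HKEY_CURRENT_USER\Software\FirstRuxzx\FirstRun]
"""

# Constructed sample: paths from a file listing / process list taken with a
# rootkit-aware tool (the m_hook.sys driver hides them from normal tools)
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Documents and Settings\alice\Application Data\hidn\m_hook.sys",
    r"C:\Documents and Settings\alice\Application Data\hidn\hidn2.exe",
]


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg text export.

    Only quoted string values are handled; '\\\\' in the data is unescaped
    to a single backslash, as regedit writes it.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def find_indicators(reg_text, paths):
    """List the indicators from the description found in the export and paths."""
    hits = []
    keys = parse_reg_export(reg_text)
    run = keys.get(RUN_KEY, {})
    if AUTORUN_VALUE in run:
        hits.append(f"autorun value {AUTORUN_VALUE} -> {run[AUTORUN_VALUE]}")
    if MARKER_KEY in keys:
        hits.append(f"marker key {MARKER_KEY}")
    for p in paths:
        low = p.lower().replace("/", "\\")
        name = low.rsplit("\\", 1)[-1]
        # the hidn directory under Application Data, or one of the dropped names
        if "\\application data\\hidn\\" in low or name in DROPPED_FILES:
            hits.append(f"dropped file {p}")
    return hits


def build_remove_reg():
    """Build remove.reg as in the removal instructions: '=-' deletes the value."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{RUN_KEY}]\r\n"
        f'"{AUTORUN_VALUE}"=-\r\n'
    )


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG_EXPORT, SAMPLE_PATHS):
        print("FOUND:", hit)
    print(build_remove_reg())
```

Because the m_hook.sys driver hides the hidn directory and any process with "hidn" in its name, the path list fed to find_indicators has to come from a rootkit-aware tool or from an offline scan of the disk; a listing taken by ordinary tools on the running system will simply not contain those entries.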