Win32.Bagle.GU@mm
MEDIUM
MEDIUM
57,935 bytes (packed)
(Email-Worm.Win32.Bagle.gs, W32.Beagle.FF@mm, W32/Bagle.KR.worm, W32/Bagle.gen)
Symptoms
1) The presence of the files:
- C:\error.txt containing the following message:
UTF-8 decoding error
- %system%\re_file.exe
2) The existence of the rootkit-hidden files:
C:\Documents and Settings\<current_user>\Application Data\hidn\hldrrr.exe
C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
C:\Documents and Settings\<current_user>\Application Data\hidn\m_hook.sys
3) The registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key = C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
(also hidden from the Windows API by the rootkit)
HKCU\Software\FirstRuxzx\FirstRu21n=1
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Boeriu Laura, virus researcher
Technical Description:
This malware uses its own SMTP engine to spread as a password-protected (.zip) file attached to an email containing
- the text
"It Is Protected
Passwrd: "
- a (.gif) file showing the password for the zip attachment
The subject of the mail is one of the following:
price_new<current_date>
price_ <current_date>
price<current_date>
new <current_date>
price <current_date>
where <current_date> is of the form dd-mmm-yyyy
(example: 06-Dec-2006)
The name of the (.zip) attachment is:
price<current_date>
new_price<current_date>
price_list<current_date>
latest_price<current_date>
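A mail-gateway check for the lure described above, written as an added example (it is not part of the BitDefender description): it matches the subject, attachment-name and body patterns listed here against a few constructed sample messages. The message dictionaries, their field names and the sample values are assumptions of this example.

```python
import re

# Date token used in the subjects and attachment names: dd-mmm-yyyy (e.g. 06-Dec-2006)
DATE = r"\d{2}-(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)-\d{4}"

# Subject lines listed in the description (the date is appended directly)
SUBJECT_RE = re.compile(rf"^(?:price_new|price_ |price |new |price){DATE}$")
# Names of the password-protected zip attachment
ATTACH_RE = re.compile(rf"^(?:price|new_price|price_list|latest_price){DATE}\.zip$", re.I)
# Body text that accompanies the password image
BODY_MARKER = "It Is Protected"


def is_bagle_gu_lure(subject, attachments, body):
    """True if the message carries the zip lure plus at least one more
    component of the lure: a matching subject, or a .gif attachment together
    with the 'It Is Protected' body text."""
    zip_hit = any(ATTACH_RE.match(name) for name in attachments)
    if not zip_hit:
        return False
    subject_hit = SUBJECT_RE.match(subject.strip()) is not None
    gif_hit = any(name.lower().endswith(".gif") for name in attachments)
    body_hit = BODY_MARKER in body
    return subject_hit or (gif_hit and body_hit)


def scan(messages):
    """Return the ids of the messages that match the lure."""
    return [m["id"] for m in messages
            if is_bagle_gu_lure(m["subject"], m["attachments"], m["body"])]


# Constructed sample messages (field names are an assumption of this example)
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "price_new06-Dec-2006",
     "attachments": ["price_list06-Dec-2006.zip", "pass.gif"],
     "body": "It Is Protected\nPasswrd: "},
    {"id": 2, "subject": "Re: meeting", "attachments": ["agenda.pdf"],
     "body": "See attached."},
    {"id": 3, "subject": "price 06-Dec-2006",
     "attachments": ["latest_price06-Dec-2006.zip"], "body": ""},
    {"id": 4, "subject": "Quarterly report",
     "attachments": ["new_price07-Dec-2006.zip", "pw.gif"],
     "body": "It Is Protected\nPasswrd: "},
    {"id": 5, "subject": "price 06-Dec-2006", "attachments": [],
     "body": "It Is Protected\nPasswrd: "},
]

if __name__ == "__main__":
    print("flagged:", scan(SAMPLE_MESSAGES))  # [1, 3, 4]
```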
The malware searches for destination email addresses on the computer in files with the following extensions:
.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp
but it does not send itself to addresses containing:
rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, pgp, @avp, noreply, local, root@, postmaster@
Other malware actions performed:
- it has a list of 197 services that are disabled if found active. These are services of antivirus products (Avast, AVG, Avira, BitDefender, DrWeb, F-Prot, F-Secure, Kaspersky Antivirus, McAfee, NOD32, Norman, Norton, Panda...), firewalls, security and monitoring tools.
- downloads other malicious files from the internet to %system%\re_file.exe and executes them
- deletes all the values and subkeys of the registry key
HKLM\SYSTEM\CurrentControlSet\Control\Safeboot
- drops a rootkit (m_hook.sys) that hides all the files, processes and registry keys of the malware
The hidden files are the 2 copies of the malware and the rootkit:
1) C:\Documents and Settings\<current_user>\Application Data\hidn\hldrrr.exe
2) C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
3) C:\Documents and Settings\<current_user>\Application Data\hidn\m_hook.sys
- sets the value of the registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key = C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
(a copy of the malware; this entry is hidden from the Windows API by the rootkit)
HKCU\Software\FirstRuxzx\FirstRu21n=1
- displays the following message (from the file C:\error.txt, created by the malware) in a notepad window:
UTF-8 decoding error