Win32.Bagle.GU@mm

Threat level: MEDIUM
Size: 57,935 bytes (packed)
Aliases: Email-Worm.Win32.Bagle.gs, W32.Beagle.FF@mm, W32/Bagle.KR.worm, W32/Bagle.gen

Symptoms

1) The presence of the files:
- C:\error.txt containing the following message:
UTF-8 decoding error

- %system%\re_file.exe

2) The existence of the rootkit-hidden files:
C:\Documents and Settings\<current_user>\Application Data\hidn\hldrrr.exe
C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
C:\Documents and Settings\<current_user>\Application Data\hidn\m_hook.sys

3) The registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key = C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
(also hidden from the Windows API by the rootkit)

HKCU\Software\FirstRuxzx\FirstRu21n=1

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Boeriu Laura, virus researcher

Technical Description:

This malware uses its own SMTP engine to spread as a password-protected (.zip) file attached to an email containing:
- the text:
  "It Is Protected
   Passwrd:"
- a (.gif) image showing the password for the zip attachment

The subject of the mail is one of the following:
     price_new<current_date>
     price_ <current_date>
     price<current_date>
     new <current_date>
     price <current_date>
where <current_date> is of the form dd-mmm-yyyy
    (example: 06-Dec-2006)

The name of the (.zip) attachment is:
     price<current_date>
     new_price<current_date>
     price_list<current_date>
     latest_price<current_date>
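The subject and attachment-name patterns above are stable enough to be used as a mail-gateway detection rule. The following is an added example (not Bitdefender's code) that parses a raw RFC 822 message with Python's standard library and reports which of the described indicators it carries: a subject of the form prefix + dd-mmm-yyyy, a .zip attachment named prefix + dd-mmm-yyyy, the "It Is Protected / Passwrd:" body text, and a .gif attachment. The sample messages are constructed inline; the sender, recipient and attachment bytes are placeholders.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Subject prefixes and attachment-name prefixes as listed in the description.
SUBJECT_PREFIXES = ("price_new", "price_ ", "price", "new ", "price ")
ATTACHMENT_PREFIXES = ("price", "new_price", "price_list", "latest_price")
# <current_date> is of the form dd-mmm-yyyy, e.g. 06-Dec-2006
DATE_RE = r"\d{2}-[A-Z][a-z]{2}-\d{4}"

SUBJECT_RE = re.compile(
    r"^(?:%s)%s$" % ("|".join(re.escape(p) for p in SUBJECT_PREFIXES), DATE_RE)
)
ATTACHMENT_RE = re.compile(
    r"^(?:%s)%s\.zip$" % ("|".join(re.escape(p) for p in ATTACHMENT_PREFIXES), DATE_RE),
    re.IGNORECASE,
)


def inspect_message(raw: str) -> dict:
    """Return which Bagle.GU indicators a raw message exhibits."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    findings = {
        "subject": bool(SUBJECT_RE.match(subject)),
        "zip_attachment": False,
        "gif_attachment": False,
        "password_text": False,
    }
    for part in msg.walk():
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        if ATTACHMENT_RE.match(filename):
            findings["zip_attachment"] = True
        if ctype == "image/gif" or filename.lower().endswith(".gif"):
            findings["gif_attachment"] = True
        if ctype == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if "It Is Protected" in text and "Passwrd:" in text:
                findings["password_text"] = True
    return findings


def is_bagle_gu_like(raw: str) -> bool:
    """Subject pattern + matching zip name + password hint (text or gif)."""
    f = inspect_message(raw)
    return f["subject"] and f["zip_attachment"] and (f["password_text"] or f["gif_attachment"])


def build_sample(subject: str, body: str, zip_name: str, with_gif: bool) -> str:
    """Constructed test message; addresses and attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if with_gif:
        msg.add_attachment(b"GIF89a-placeholder", maintype="image", subtype="gif", filename="pass.gif")
    msg.add_attachment(b"PK\x03\x04-placeholder", maintype="application", subtype="zip", filename=zip_name)
    return msg.as_string()


# Constructed samples: one shaped like the worm's mail, one ordinary price list.
SAMPLE_WORM = build_sample("price_new06-Dec-2006", "It Is Protected\nPasswrd:\n", "price06-Dec-2006.zip", True)
SAMPLE_BENIGN = build_sample("Quarterly price list", "Attached is the Q4 list.\n", "prices-q4.zip", False)

if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_message(raw), "->", is_bagle_gu_like(raw))
```

The rule requires the subject pattern together with a matching zip name and a password hint, so a legitimate "price list" mail with a plainly named archive is not flagged by the subject alone.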

The malware harvests destination email addresses from files on the computer with the following extensions:
.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp

but it does not send itself to addresses containing any of the following strings:
rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, pgp, @avp, noreply, local, root@, postmaster@

Other malware actions performed:

- it has a list of 197 services that are disabled if found active. These are services of antivirus products (Avast, AVG, Avira, BitDefender, DrWeb, F-Prot, F-Secure, Kaspersky Antivirus, McAfee, NOD32, Norman, Norton, Panda...), firewalls, and security and monitoring tools.

- downloads other malicious files from the internet to %system%\re_file.exe and executes them

- deletes all the values and subkeys of the registry key
HKLM\SYSTEM\CurrentControlSet\Control\Safeboot

- drops a rootkit (m_hook.sys) that hides all the files, processes and registry keys of the malware
The hidden files are the 2 copies of the malware and the rootkit:
1) C:\Documents and Settings\<current_user>\Application Data\hidn\hldrrr.exe
2) C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
3) C:\Documents and Settings\<current_user>\Application Data\hidn\m_hook.sys

- sets the following registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key = C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
(This entry points to a copy of the malware and is hidden from the Windows API by the rootkit.)

HKCU\Software\FirstRuxzx\FirstRu21n = 1

- displays the following message (from the file C:\error.txt, created by the malware) in a notepad window:
     UTF-8 decoding error
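Because the rootkit hides the dropped files, processes and Run key from the Windows API on a live host, the host indicators listed under Symptoms and in the actions above are best checked from a source the rootkit does not filter: endpoint or Sysmon-style event logs, or an offline scan of the disk. The following is an added example (not Bitdefender's code) that runs those indicators as case-insensitive patterns over a set of log lines and returns the matches. The log lines are constructed to look like file, registry and driver-load events; their exact field layout is an assumption, as is expanding %system% to the system32 directory.

```python
import re

# One pattern per indicator named on the page. Paths use the
# "Documents and Settings\<user>\Application Data" layout the page describes.
INDICATORS = {
    "dropped_copy":    re.compile(r"\\Application Data\\hidn\\(?:hldrrr\.exe|hidn2\.exe)", re.I),
    "rootkit_driver":  re.compile(r"\\Application Data\\hidn\\m_hook\.sys", re.I),
    "downloader_file": re.compile(r"\\system32\\re_file\.exe", re.I),  # %system% assumed = system32
    "run_key":         re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\drv_st_key", re.I),
    "marker_key":      re.compile(r"\\Software\\FirstRuxzx\\FirstRu21n", re.I),
    "safeboot_tamper": re.compile(r"\\CurrentControlSet\\Control\\Safeboot", re.I),
    "error_txt":       re.compile(r"C:\\error\.txt", re.I),
}

# Indicators that on their own justify treating the host as infected.
STRONG = {"dropped_copy", "rootkit_driver", "run_key"}


def scan_lines(lines):
    """Return (line_number, indicator_name) for every indicator found on every line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((n, name))
    return hits


def triage(lines):
    """Summarise a scan: which indicators appeared and whether a strong one did."""
    names = {name for _, name in scan_lines(lines)}
    return {"hits": sorted(names), "likely_infected": bool(names & STRONG)}


# Constructed sample events (not real telemetry); field layout is illustrative.
SAMPLE_LOG = [
    r"2006-12-06 10:01:12 FileCreate Image=C:\temp\price06-Dec-2006.exe TargetFilename=C:\error.txt",
    r"2006-12-06 10:01:13 FileCreate Image=C:\temp\price06-Dec-2006.exe TargetFilename=C:\Documents and Settings\alice\Application Data\hidn\hldrrr.exe",
    r"2006-12-06 10:01:14 RegistryEvent SetValue TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key Details=C:\Documents and Settings\alice\Application Data\hidn\hidn2.exe",
    r"2006-12-06 10:01:14 RegistryEvent SetValue TargetObject=HKCU\Software\FirstRuxzx\FirstRu21n Details=DWORD (0x00000001)",
    r"2006-12-06 10:01:15 RegistryEvent DeleteKey TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\Minimal",
    r"2006-12-06 10:01:16 DriverLoad ImageLoaded=C:\Documents and Settings\alice\Application Data\hidn\m_hook.sys",
    r"2006-12-06 10:02:30 FileCreate Image=C:\Documents and Settings\alice\Application Data\hidn\hldrrr.exe TargetFilename=C:\WINDOWS\system32\re_file.exe",
    r"2006-12-06 10:05:00 ProcessCreate Image=C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for n, name in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {name}")
    print(triage(SAMPLE_LOG))
```

The Safeboot deletion and C:\error.txt are kept as weaker signals: a mis-typed line or an unrelated tool could produce either on its own, whereas the hidn\ drop path, the m_hook.sys driver load and the drv_st_key Run value are specific to this family.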