Win32.Bagle.A@mm
HIGH
MEDIUM
15872
(none)
Symptoms
- presence of the bbeagle.exe file in %sysdir%
- presence of the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value %sysdir%\bbeagle.exe
HKCU\Software\Windows98\frun with value 1
HKCU\Software\Windows98\uid with value a randomly generated number.
Removal instructions:
Let BitDefender delete the infected files it finds
Analyzed By
Sorin Victor Dudea
Technical Description:
This is an Internet worm that spreads through e-mail.
It arrives in the following format:
Subject:
Hi
Body:
Test =)
%randomstring%
Test, yep.
Attachment:
%randomstring%.exe
where %randomstring% is a randomly generated string.
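The message format above is fixed enough to be matched at a mail gateway. The following is an added example, not BitDefender's code or part of the original description: it parses a message with Python's standard email library and reports which of the three traits the page lists (subject "Hi", the three-line body, a single .exe attachment) are present. The sample messages are constructed for the example; the attachment contents are placeholder bytes, not the worm.

```python
"""Mail-gateway heuristic for the message format described above.

Matches the three traits the page gives: subject "Hi", a three-line body
"Test =)" / random string / "Test, yep.", and exactly one .exe attachment.
"""
import email
from email import policy
from email.message import EmailMessage


def bagle_a_mail_traits(msg):
    """Return which of the page's traits a parsed message exhibits."""
    subject = (msg["Subject"] or "").strip()

    body_lines = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body_lines = [ln.strip() for ln in body.get_content().splitlines()
                      if ln.strip()]

    exe_attachments = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".exe")
    ]
    return {
        "subject_hi": subject == "Hi",
        "body_pattern": (len(body_lines) == 3
                         and body_lines[0] == "Test =)"
                         and body_lines[2] == "Test, yep."),
        "single_exe": len(exe_attachments) == 1,
    }


def looks_like_bagle_a(raw_message: bytes) -> bool:
    """True only when every trait matches; a partial match is not flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return all(bagle_a_mail_traits(msg).values())


def build_sample(subject, body_text, attachment_name):
    """Construct a test message (sample data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body_text)
    # Harmless placeholder bytes stand in for the attachment body.
    msg.add_attachment(b"PLACEHOLDER", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one matching all three traits, one with a benign attachment.
WORM_LIKE = build_sample("Hi", "Test =)\nqwXz81\nTest, yep.", "qwXz81.exe")
BENIGN = build_sample("Hi", "Test =)\nqwXz81\nTest, yep.", "notes.txt")

if __name__ == "__main__":
    print("worm-like:", looks_like_bagle_a(WORM_LIKE))
    print("benign:", looks_like_bagle_a(BENIGN))
```

Requiring all three traits keeps false positives low; a gateway that already blocks executable attachments outright needs only the last check.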
When the user opens the attachment, the worm copies itself into %sysdir% under the name bbeagle.exe and adds the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value:
%sysdir%\bbeagle.exe
and
HKCU\Software\Windows98\frun with value 1
HKCU\Software\Windows98\uid with value a randomly generated number.
Note:
%sysdir% represents the windows system directory (usually c:\windows\system).
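The registry values and dropped file above (also listed under Symptoms) are the host-side indicators. The following added example, which is not part of BitDefender's description, checks them offline against a regedit-style export and a directory listing, so it runs without a Windows registry; the export text and file list are constructed sample data, and the uid value in it is made up.

```python
"""Host-side indicator check for the symptoms listed above.

Runs over a regedit-style export and a system-directory listing rather
than the live registry, so it can be exercised on any platform.
"""

# Indicators from the page, with HKCU expanded to the form regedit exports.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "d3dupdate.exe"
WIN98_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
DROPPED_FILE = "bbeagle.exe"


def parse_reg_export(text):
    """Parse regedit export text into {key_path: {value_name: data}}.

    Handles quoted strings (with \\ unescaped) and dword:XXXXXXXX values;
    any other data type is kept as the raw text after '='.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        keys[current][name] = data
    return keys


def check_bagle_a_indicators(reg_export_text, system_dir_files):
    """Return the list of matched indicators (empty list = nothing found)."""
    reg = parse_reg_export(reg_export_text)
    findings = []

    run_data = reg.get(RUN_KEY, {}).get(RUN_VALUE_NAME)
    if run_data and run_data.lower().endswith("\\" + DROPPED_FILE):
        findings.append(f"Run value {RUN_VALUE_NAME} = {run_data}")

    win98 = reg.get(WIN98_KEY, {})
    if win98.get("frun") == "1":
        findings.append("Windows98\\frun = 1")
    if "uid" in win98:
        findings.append(f"Windows98\\uid = {win98['uid']}")

    # File names on Windows are case-insensitive, so compare lowercased.
    if any(f.lower() == DROPPED_FILE for f in system_dir_files):
        findings.append(f"{DROPPED_FILE} present in system directory")
    return findings


# Constructed sample data (not captured from a real machine).
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="C:\\WINDOWS\\SYSTEM\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"frun"=dword:00000001
"uid"="1834622901"
'''
INFECTED_FILES = ["kernel32.dll", "BBEAGLE.EXE", "calc.exe"]

CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM\\ctfmon.exe"
'''
CLEAN_FILES = ["kernel32.dll", "calc.exe"]

if __name__ == "__main__":
    for hit in check_bagle_a_indicators(INFECTED_REG, INFECTED_FILES):
        print("MATCH:", hit)
```

On a real host the export would come from `reg export HKCU <file>` and the listing from the system directory; the Run value is matched on its file name rather than the full path because %sysdir% differs between Windows versions.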
After this the worm executes calc.exe and starts searching for e-mail addresses in files with the following extensions:
*.wab
*.txt
*.htm
*.html
After gathering the e-mail addresses, it tries to send itself to every address it found.
The worm starts a thread that listens for connections from a remote machine. This connection is used to download a file and execute it, which is a possible auto-update mechanism.
Then it sends a notification message to a list of 36 web sites. The message contains information about the infected computer. This information will be used for uploading other executable files to the infected computers.