Win32.Bagle.B@mm
MEDIUM
MEDIUM
11,264 (packed)
()
Symptoms
- Presence of the next files in %SYSTEM% folder:
AU.EXE (11,264 bytes)
- Presence of the next registry keys:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"au.exe"="%SYSTEM%\au.exe"
[HKEY_CURRENT_USER\Software\Windows2000]
with the entries gid and frn
where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder on WinNT systems.
Removal instructions:
Analyzed By
Patrik Vicol BitDefender Virus Researcher
Technical Description:
It arrives in an e-mail, formatted like this:
From: (spoofed address, could be anything)
Subject: ID %random_letters%... thanks
Body:
Yours ID %random_letters%
--
Thank
Attachment: %random_letters%.exe (11,264 bytes)
Example:
Subject: ID ldksy... thanks
Body:
Yours ID rnhyijwo
--
Thank
Attachment: jeqcnfmbiv.exe (11,264 bytes)
When run, the virus launches sndrec32.exe (Sound Recorder from Windows)
Then, it starts searching for e-mails in files with the following extensions:
wab txt htm html
Then, it tries to send itself to all the e-mail addresses found, in the e-mail format described above.
It sends a notification message to a list of web sites; the message contains information about the infected computer.
This information could be used for uploading other executable files to the infected computers.
The worm starts a thread that listens for connections from a remote machine.
This connection it is used for downloading a file and executing it, and it may be used as an auto update mechanism.
SHARE
THIS ON