W32/Bagle-F is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk.
The worm copies itself to the Windows system folder as I1RU54N.EXE and creates the following files in the same folder:
II5NJ4.EXE - a DLL plugin used to load GO54O.EXE
GO54O.EXE - the main DLL component of the worm
I1RU54N4.EXEOPEN - an exact copy of the worm or a copy of the worm in ZIP format
W32/Bagle-F adds the value:
rate.exe = <SYSTEM>\i1ru54n4.exe
to the registry key:
This means that W32/Bagle-F runs every time you log on to your computer.
W32/Bagle-F also creates the following registry entry:
W32/Bagle-F also drops several copies of itself in the following folder:
Program files\Common files\Microsoft shared
A more detailed description will follow shortly.
Microsoft MVP - Consumer Security 2006 - 2010