W32/Bagle-V

Discussion in 'malware problems & news' started by Marianna, Mar 29, 2004.

Thread Status:
Not open for further replies.
    Marianna (Spyware Fighter)

    Aliases
    W32.Beagle.U@mm

    Type
    Win32 worm

    Description
    W32/Bagle-V is a member of the W32/Bagle family of worms.
    When first run, the worm attempts to run an application called dreder.exe.

    In order to run automatically when the user logs on to the computer, the worm copies itself to the file sysinfo.exe in the Windows system folder and creates the following registry entry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysinfo.exe

    W32/Bagle-V also creates the following registry entries:

    HKCU\Software\Windows2005\gsed
    HKCU\Software\Windows2005\fr1n

    W32/Bagle-V scans all fixed drives recursively for files with extensions WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP, harvests email addresses from them and sends itself as an attachment to the addresses extracted. Email addresses belonging to the domains AVP and Microsoft are avoided.

    The emails sent by the worm have an empty subject line and no message text. The attached file is called game.exe. The sender address is spoofed (chosen from addresses found on the system).

    The worm listens on TCP port 4751 and sends registration information containing this port number to a remote web site. This port can be used by a remote attacker to update the worm. The uploaded file is dropped into the Windows folder under a random EXE filename starting with the string "bsud" and executed. If the update is successful, the original worm file is deleted.

    After the end of 2004 the worm will remove itself from the system.

    http://www.sophos.com/virusinfo/analyses/w32baglev.html
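Added example (not part of the post above or of the Sophos analysis it links): the behaviour described there turned into checks a responder could run over collected data. It covers which files the worm harvests addresses from, which addresses it skips, the outbound mail profile (empty subject, no body, attachment game.exe) a gateway could flag, and the host artefacts a sweep would look for (the sysinfo.exe Run value and file, the HKCU\Software\Windows2005 keys, a listener on TCP 4751, and bsud*.exe in the Windows folder). The substring rule for the skipped domains is an assumption, since the post only names "AVP and Microsoft"; the HostObservation records and mail samples are constructed, not taken from a real infection.

```python
"""Indicator checks derived from the W32/Bagle-V description above.

Added illustrative code: it is neither Sophos's analysis code nor part of
the forum post. Every sample observation below is constructed.
Assumptions not stated in the post are marked ASSUMPTION.
"""
import fnmatch
import ntpath
from dataclasses import dataclass

# Extensions the worm harvests addresses from, as listed in the post.
HARVEST_EXTENSIONS = {
    "wab", "txt", "msg", "htm", "shtm", "stm", "xml", "dbx", "mbx", "mdx",
    "eml", "nch", "mmf", "ods", "cfg", "asp", "php", "wsh", "adb", "tbb",
    "sht", "xls", "oft", "uin", "cgi", "mht", "dhtm", "jsp",
}

# Domains the worm refuses to mail. ASSUMPTION: matched as a substring of the
# domain part; the post only says "AVP and Microsoft" without giving the rule.
SKIPPED_DOMAIN_FRAGMENTS = ("avp", "microsoft")

UPDATE_PORT = 4751  # TCP port the worm listens on for updates


def is_harvest_target(path: str) -> bool:
    """True if the worm would read this file looking for email addresses."""
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    return ext in HARVEST_EXTENSIONS


def would_be_mailed(address: str) -> bool:
    """False for malformed addresses and for domains the worm avoids."""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1].lower()
    return not any(frag in domain for frag in SKIPPED_DOMAIN_FRAGMENTS)


@dataclass
class MailSample:
    subject: str
    body: str
    attachments: list


def mail_matches_profile(mail: MailSample) -> bool:
    """Empty subject, no body text, a single attachment named game.exe."""
    names = [a.lower() for a in mail.attachments]
    return mail.subject.strip() == "" and mail.body.strip() == "" and names == ["game.exe"]


@dataclass
class HostObservation:
    run_values: dict      # HKCU\...\CurrentVersion\Run value name -> command
    hkcu_keys: set        # subkey paths present, relative to HKCU
    listening_tcp: set    # TCP ports with a local listener
    windows_files: list   # filenames directly in the Windows folder
    system_files: list    # filenames in the Windows system folder


def host_indicators(obs: HostObservation) -> list:
    """Return a description of every Bagle-V indicator present on the host."""
    hits = []
    if "sysinfo.exe" in {k.lower() for k in obs.run_values}:
        hits.append("Run value named sysinfo.exe")
    if "sysinfo.exe" in {f.lower() for f in obs.system_files}:
        hits.append("sysinfo.exe in the system folder")
    keys = {k.lower() for k in obs.hkcu_keys}
    for sub in ("gsed", "fr1n"):
        if f"software\\windows2005\\{sub}" in keys:
            hits.append(f"HKCU\\Software\\Windows2005\\{sub} present")
    if UPDATE_PORT in obs.listening_tcp:
        hits.append(f"TCP {UPDATE_PORT} listening (update channel)")
    for name in obs.windows_files:
        if fnmatch.fnmatch(name.lower(), "bsud*.exe"):
            hits.append(f"update dropper name pattern: {name}")
    return hits


# Constructed observations: one host showing every indicator, one clean host.
INFECTED = HostObservation(
    run_values={"sysinfo.exe": r"C:\WINDOWS\system32\sysinfo.exe"},
    hkcu_keys={r"Software\Windows2005\gsed", r"Software\Windows2005\fr1n"},
    listening_tcp={135, 445, 4751},
    windows_files=["explorer.exe", "bsud3f1a.exe"],
    system_files=["kernel32.dll", "sysinfo.exe"],
)
CLEAN = HostObservation(
    run_values={"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    hkcu_keys={r"Software\Microsoft\Windows"},
    listening_tcp={135, 445},
    windows_files=["explorer.exe"],
    system_files=["kernel32.dll"],
)

if __name__ == "__main__":
    for hit in host_indicators(INFECTED):
        print("indicator:", hit)
```

On its own a file called sysinfo.exe is a weak signal, since the name is plausible for legitimate software; the Run value together with the Windows2005 keys and a listener on 4751 is what makes the match convincing. Because the worm removes itself after the end of 2004, a host examined with a later clock may no longer show the file indicators even if it was once infected.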