W32/Bagle-F

Discussion in 'malware problems & news' started by Marianna, Feb 29, 2004.

Thread Status:
Not open for further replies.
    Marianna (Spyware Fighter)

    Aliases: I-Worm.Bagle.f

    Type: Win32 worm

    Description:
    W32/Bagle-F is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk.
    The worm copies itself to the Windows system folder as I1RU54N.EXE and creates the following files in the same folder:

    II5NJ4.EXE - a DLL plugin used to load GO54O.EXE
    GO54O.EXE - the main DLL component of the worm
    I1RU54N4.EXEOPEN - an exact copy of the worm or a copy of the worm in ZIP format

    W32/Bagle-F adds the value:

    rate.exe = <SYSTEM>\i1ru54n4.exe

    to the registry key:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    This means that W32/Bagle-F runs every time you log on to your computer.

    W32/Bagle-F also creates the following registry entry:

    HKCU\Software\DateTime4\frun=1

    W32/Bagle-F also drops several copies of itself in the following folder:

    Program files\Common files\Microsoft shared

    A more detailed description will follow shortly.

    http://www.sophos.com/virusinfo/analyses/w32baglef.html
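A host-side check for the persistence artefacts the post lists (the Run-key value, the worm binary name and the dropped file names), added here as an example; it is not part of the Sophos analysis or of the post. The function names and the assumption that the system folder is %SystemRoot%\system32 are mine, and the registry read relies on the Windows-only standard-library winreg module, so on other platforms only the matching functions run, on input you supply.

```python
import ntpath
import os
import sys

# Indicators taken from the post: Run-key value name, worm binary, dropped files.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "rate.exe"
RUN_VALUE_EXE = "i1ru54n4.exe"
DROPPED_FILES = {"i1ru54n4.exe", "ii5nj4.exe", "go54o.exe", "i1ru54n4.exeopen"}


def flag_run_values(run_values):
    """Return (name, data) Run entries matching the Bagle-F autostart pattern.

    Matches on the value name the worm uses OR on data that launches the worm
    binary from any path, so renaming only the value name does not evade it.
    """
    hits = []
    for name, data in run_values.items():
        exe = ntpath.basename(str(data).strip('"')).lower()
        if name.lower() == RUN_VALUE_NAME or exe == RUN_VALUE_EXE:
            hits.append((name, data))
    return hits

def flag_dropped_files(file_names):
    """Return the names from a directory listing that Bagle-F is known to drop."""
    return sorted(f for f in file_names if f.lower() in DROPPED_FILES)

def read_hkcu_run():
    """Read HKCU Run values into a dict; empty on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = data
    return values

def sweep_host():
    """Run both checks on this host (assumed system folder: %SystemRoot%\\system32)."""
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    listing = os.listdir(system_dir) if os.path.isdir(system_dir) else []
    return {"run_key": flag_run_values(read_hkcu_run()),
            "dropped": flag_dropped_files(listing)}

if __name__ == "__main__":
    print(sweep_host())
```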