Discussion in 'malware problems & news' started by Marianna, Mar 29, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Apr 23, 2002
    B.C. Canada

    Win32 worm

    W32/Bagle-V is a member of the W32/Bagle family of worms.
    When first run the worm attempts to run an application called dreder.exe.

    In order to run automatically when the user logs on to the computer the worm copies itself to the file sysinfo.exe in the Windows system folder and creates the following registry entry:


    W32/Bagle-V also creates the following registry entries:


    W32/Bagle-V scans all fixed drives recursively for files with extensions WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP, harvests email addresses from them and sends itself as an attachment to the addresses extracted. Email addresses belonging to the domains AVP and Microsoft are avoided.

    The emails sent by the worm have an empty subject line and no message text. The attached file is called game.exe. The sender address is spoofed (chosen from addresses found on the system).

    The worm listens on TCP port 4751 and sends registration information containing this port number to a remote web site. This port can be used by a remote attacker to update the worm. The uploaded file will be dropped as a random EXE filename starting with the string "bsud" into the Windows folder and executed. If the update is successful the original worm file is deleted.

    After the end of 2004 the worm will remove itself from the system.

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.