W32/Bagle-V

Discussion in 'malware problems & news' started by Marianna, Mar 29, 2004.

Thread Status:
Not open for further replies.
    Marianna (Spyware Fighter)
    Joined: Apr 23, 2002
    Posts: 1,215
    Location: B.C. Canada
    Aliases: W32.Beagle.U@mm

    Type: Win32 worm

    Description
    W32/Bagle-V is a member of the W32/Bagle family of worms.
    When first run, the worm attempts to run an application called dreder.exe.

    In order to run automatically when the user logs on to the computer, the worm copies itself to the file sysinfo.exe in the Windows system folder and creates the following registry entry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysinfo.exe

    W32/Bagle-V also creates the following registry entries:

    HKCU\Software\Windows2005\gsed
    HKCU\Software\Windows2005\fr1n

    W32/Bagle-V scans all fixed drives recursively for files with extensions WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP, harvests email addresses from them and sends itself as an attachment to the addresses extracted. Email addresses belonging to the domains AVP and Microsoft are avoided.

    The emails sent by the worm have an empty subject line and no message text. The attached file is called game.exe. The sender address is spoofed (chosen from addresses found on the system).

    The worm listens on TCP port 4751 and sends registration information containing this port number to a remote web site. This port can be used by a remote attacker to update the worm. The uploaded file will be dropped as a random EXE filename starting with the string "bsud" into the Windows folder and executed. If the update is successful the original worm file is deleted.

    After the end of 2004 the worm will remove itself from the system.

    http://www.sophos.com/virusinfo/analyses/w32baglev.html
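A host triage check for the indicators listed in the post above, added here as an example; it is not part of the original post or of the Sophos analysis. It assumes Windows PowerShell 3 or later, and that gsed and fr1n are value names under HKCU\Software\Windows2005 (subkeys with those names are checked as well).

```powershell
# Added example: look for the W32/Bagle-V host indicators named in the post.
# Assumes Windows PowerShell 3+; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
$findings = @()

# 1. Persistence: Run value "sysinfo.exe" under HKCU.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'sysinfo.exe')) {
    $findings += "Run value sysinfo.exe -> $($run.'sysinfo.exe')"
}

# 2. Dropped copy of the worm in the Windows system folder.
$copy = Join-Path ([Environment]::GetFolderPath('System')) 'sysinfo.exe'
if (Test-Path -LiteralPath $copy) { $findings += "File present: $copy" }

# 3. Marker entries under HKCU\Software\Windows2005 (assumed to be values; subkeys checked too).
$marker = 'HKCU:\Software\Windows2005'
if (Test-Path -Path $marker) {
    $props = Get-ItemProperty -Path $marker -ErrorAction SilentlyContinue
    foreach ($name in 'gsed', 'fr1n') {
        if (($props -and ($props.PSObject.Properties.Name -contains $name)) -or
            (Test-Path -Path (Join-Path $marker $name))) {
            $findings += "Marker entry present: $marker\$name"
        }
    }
}

# 4. Update payloads: random EXE names starting with "bsud" in the Windows folder.
Get-ChildItem -Path $env:SystemRoot -Filter 'bsud*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Possible update drop: $($_.FullName)" }

# 5. Backdoor listener on TCP 4751; falls back to netstat where the cmdlet is unavailable.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listener = Get-NetTCPConnection -LocalPort 4751 -State Listen -ErrorAction SilentlyContinue
} else {
    $listener = netstat -ano | Select-String -Pattern ':4751\s+\S+\s+LISTENING'
}
if ($listener) { $findings += 'TCP port 4751 is in LISTENING state' }

if ($findings.Count -eq 0) { 'No W32/Bagle-V indicators found.' } else { $findings }
```

Any hit is a reason to image the host and review mail logs for outbound messages with an empty subject and a game.exe attachment, rather than a verdict on its own.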