Win32.Bagle.GU@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Bagle.GU@mm is also known as Email-Worm.Win32.Bagle.gs, W32.Beagle.FF@mm, W32/Bagle.KR.worm, W32/Bagle.gen.
Explanation:
This malware uses its own SMTP engine to spread as a password-protected (.zip) file attached to an email that contains:
- the text
"It Is Protected
Passwrd: "
- a (.gif) file showing the password for the zip attachment
The subject of the mail is one of the following:
price_new<current_date>
price_ <current_date>
price<current_date>
new <current_date>
price <current_date>
where <current_date> is of the form dd-mmm-yyyy (example: 06-Dec-2006).
The name of the (.zip) attachment is:
price<current_date>
new_price<current_date>
price_list<current_date>
latest_price<current_date>
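The lure described above (dated subject, dated .zip name, password-protected archive, a .gif carrying the password, the "It Is Protected" body text) is specific enough to match at a mail gateway. The following Python check is an added example, not part of BitDefender's description; the message records, the field names (`subject`, `body`, `attachments`, `zip_encrypted`) and the block/review thresholds are assumptions made for the example.

```python
import re
from datetime import datetime

# Subject and attachment-name patterns from the description above.
# <current_date> is dd-mmm-yyyy, e.g. 06-Dec-2006; validated separately.
DATE = r"(?P<date>\d{2}-[A-Za-z]{3}-\d{4})"
SUBJECT_RE = re.compile(r"^(?:price_new|price_ |price |new |price)" + DATE + r"$")
ZIP_NAME_RE = re.compile(
    r"^(?:price|new_price|price_list|latest_price)" + DATE + r"\.zip$", re.IGNORECASE)
BODY_MARKER = "it is protected"  # from the lure text "It Is Protected / Passwrd:"


def valid_date(token: str) -> bool:
    """True if token is a real dd-mmm-yyyy date (e.g. 06-Dec-2006)."""
    try:
        datetime.strptime(token, "%d-%b-%Y")
        return True
    except ValueError:
        return False


def indicators(msg: dict) -> list:
    """Return the names of the lure features present in one message record."""
    hits = []
    m = SUBJECT_RE.match(msg.get("subject", ""))
    if m and valid_date(m.group("date")):
        hits.append("subject")
    for name in msg.get("attachments", []):
        z = ZIP_NAME_RE.match(name)
        if z and valid_date(z.group("date")):
            hits.append("zip_name")
        elif name.lower().endswith(".gif"):
            hits.append("gif")
    if msg.get("zip_encrypted"):
        hits.append("password_zip")
    if BODY_MARKER in msg.get("body", "").lower():
        hits.append("body_text")
    return hits


def verdict(msg: dict) -> str:
    """'block' when a dated lure name is corroborated by the password-protected
    zip, the .gif or the lure text; 'review' on a dated name alone; else 'pass'.
    (Thresholds are an assumption for this example.)"""
    hits = set(indicators(msg))
    strong = {"subject", "zip_name"} & hits
    corroborating = {"password_zip", "body_text", "gif"} & hits
    if strong and corroborating:
        return "block"
    if strong:
        return "review"
    return "pass"


def scan(messages: list) -> list:
    """Verdict per message, in input order."""
    return [verdict(m) for m in messages]


# Constructed message metadata (not real captures), in the shape a gateway
# might extract from the headers and MIME parts.
SAMPLES = [
    {"subject": "price_new06-Dec-2006", "body": "It Is Protected\nPasswrd: ",
     "attachments": ["price06-Dec-2006.zip", "pwd.gif"], "zip_encrypted": True},
    {"subject": "new 06-Dec-2006", "body": "",
     "attachments": ["latest_price06-Dec-2006.zip"], "zip_encrypted": True},
    {"subject": "price31-Feb-2006", "body": "",          # impossible date: no hit
     "attachments": ["report.zip"], "zip_encrypted": False},
    {"subject": "Re: price list for Q4", "body": "Hi, attached.",
     "attachments": ["pricelist.xlsx"], "zip_encrypted": False},
]

if __name__ == "__main__":
    for msg, v in zip(SAMPLES, scan(SAMPLES)):
        print(v, repr(msg["subject"]), indicators(msg))
```

Matching the exact string forms rather than the words "price" or "new" keeps ordinary business mail (sample 4) out of the net, and validating the date rejects strings that merely look like the pattern (sample 3). A single dated name without the password-protected archive is routed to review rather than blocked, since the description ties the two together.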
The malware harvests destination email addresses from files on the computer with the following extensions:
.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp
but it does not send itself to addresses containing:
rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, pgp, @avp, noreply, local, root@, postmaster@
Other malware actions performed:
- it carries a list of 197 services that are disabled if found active. These are services of antivirus products (Avast, AVG, Avira, BitDefender, DrWeb, F-Prot, F-Secure, Kaspersky Antivirus, McAfee, NOD32, Norman, Norton, Panda, ...), firewalls, and security and monitoring tools.
- downloads other malicious files from the internet to the file %system%\e_file.exe and executes them
- deletes all the values and subkeys of the registry key
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
- drops a rootkit (m_hook.sys) that hides all the files, processes and registry keys of the malware
The hidden files are the two copies of the malware and the rootkit:
1) C:\Documents and Settings\<current_user>\Application Data\hidn\hldrrr.exe
2) C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
3) C:\Documents and Settings\<current_user>\Application Data\hidn\m_hook.sys
- sets the following registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key
to the path of a copy of the malware:
C:\Documents and Settings\<current_user>\Application Data\hidn\hidn2.exe
(This entry is hidden from the Windows API by the rootkit.)
HKCU\Software\FirstRuxzx\FirstRu21n = 1
- displays a message (from the file C:\error.txt, which the malware creates) in a Notepad window
Last update: 21 November 2011
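The registry changes listed above (the Run value, the marker key and the emptied SafeBoot key) are usable as host indicators, with one caveat the description itself gives: the rootkit hides the Run entry from the Windows API, so a query on the running infected system may not show it, and the snapshot should come from an offline hive or a boot from clean media. The checker below is an added example, not BitDefender's tooling; the snapshot layout (key path to values and subkeys) and the two constructed snapshots are assumptions for the example.

```python
# Registry indicators taken from the description above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "drv_st_key"
MARKER_KEY = r"HKCU\Software\FirstRuxzx"
SAFEBOOT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
DROP_DIR_MARKER = "\\application data\\hidn\\"   # drop directory of the copies


def check_registry(snapshot: dict) -> list:
    """snapshot maps a key path to {"values": {name: data}, "subkeys": [names]}
    (assumed layout, e.g. exported from an offline hive). Returns the
    indicator names found; an empty list means nothing matched."""
    found = []
    run_values = snapshot.get(RUN_KEY, {}).get("values", {})
    if RUN_VALUE in run_values:
        found.append("run_value_present")
        if DROP_DIR_MARKER in str(run_values[RUN_VALUE]).lower():
            found.append("run_points_to_hidn_dir")
    if MARKER_KEY in snapshot:
        found.append("firstruxzx_marker")
    safeboot = snapshot.get(SAFEBOOT_KEY)
    # The worm deletes every value and subkey under SafeBoot, which disables
    # Safe Mode; a present but empty key is the trace of that action.
    if safeboot is not None and not safeboot.get("subkeys") and not safeboot.get("values"):
        found.append("safeboot_emptied")
    return found


# Constructed snapshots (not real exports).
INFECTED = {
    RUN_KEY: {"values": {RUN_VALUE:
              r"C:\Documents and Settings\user\Application Data\hidn\hidn2.exe"},
              "subkeys": []},
    MARKER_KEY: {"values": {"FirstRu21n": "1"}, "subkeys": []},
    SAFEBOOT_KEY: {"values": {}, "subkeys": []},
}
CLEAN = {
    RUN_KEY: {"values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}, "subkeys": []},
    SAFEBOOT_KEY: {"values": {}, "subkeys": ["Minimal", "Network", "Option"]},
}

if __name__ == "__main__":
    print("infected:", check_registry(INFECTED))
    print("clean:   ", check_registry(CLEAN))
```

Treat an empty SafeBoot key as a strong signal on its own: it is not something a legitimate installer produces, and it means Safe Mode cannot be used for the cleanup, so recovery has to start from external media anyway.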