Home / malware Win32.Bagle.{CU,FG,GL,GU}@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Bagle.{CU,FG,GL,GU}@mm is also known as Email-worm.Win32.Bagle,Win32/Bagle,Win32.HLLM.Beagle.
Explanation :
After executing the virus it copyes itself to %documents_and_settings%\(current user)\Application Data\hidn\hidn2.exe (Win32.Bagle.FG@mm) , %documents_and_settings%\(current user)\Application Data\hidn\hidn1.exe (Win32.Bagle.GL@mm) or %documents_and_settings%\(current user)\Application Data\hidn\hldrrr.exe (Win32.Bagle.GU@mm) and also drops %documents_and_settings%\(current user)\Application Data\hidn\m_hook.sys that hides the hidn directory and the files in it. and also the processes contaning the "hidn" word.
%documents_and_settings% is the Doccuments and Settings folder usually located in C:\
(current user) is the name of the current logged on user.
It also adds the following entry HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drv_st_key so that it will be automatically started at windows startup and creates the key HKCU\Software\FirstRuxzx\FirstRun
After that the worm tries to find mail addresses by searching files in the infected computer. It then sends mail from spoofed addresses to the found mail addresses (with some exceptions). the mail contains a zip attachement with a random generated numeric password which is displayed as a gif file in the mail.
The worm also tries to terminate a list o processes and services that are ralated to security products and previous versions of itself. It also tries to download new versions from a preconfigured list of sites.Last update 21 November 2011