
Win32.Bagle.V@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Bagle.V@mm.

Explanation :

When the worm is executed for the first time, it checks the system date and does not proceed if it is later than the year 2005. It then copies itself into the %SYSTEM% folder under the name "sysinfo.exe" and schedules itself to run at every system startup. If the program is run from the command line with the option "-upd", the worm attempts to run the "dreder.exe" program to update itself.

Then, the worm tries to advertise its presence by connecting to http://www.werde.de/5.php, using a specific name and password.

The worm then starts to look for e-mail addresses by recursively searching through directories for files with the '.wab', '.txt', '.msg', '.htm', '.shtm', '.stm', '.xml', '.dbx', '.mbx', '.mdx', '.eml', '.nch', '.mmf', '.ods', '.cfg', '.asp', '.php', '.pl', '.wsh', '.adb', '.tbb', '.sht', '.xls', '.oft', '.uin', '.cgi', '.mht', '.dhtm', '.jsp' extensions, and collecting addresses from these files.

It then sends itself to the harvested addresses, unless the target's domain name contains "avp" or "microsoft"; the infected attachment is always called "game.exe".
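As an added example (not part of the BitDefender write-up), the following Python triage script checks constructed proxy and mail-gateway log lines for the two network-visible indicators described above: the check-in request to http://www.werde.de/5.php and outbound mail carrying a "game.exe" attachment. The log formats and the sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List

# Indicators taken from the advisory text.
BEACON_HOST = "www.werde.de"
BEACON_PATH = "/5.php"
ATTACHMENT_NAME = "game.exe"

# Constructed sample logs (not real captures) in an assumed
# space-separated format: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
2011-11-21T10:00:01 10.0.0.5 GET http://www.werde.de/5.php 200
2011-11-21T10:00:02 10.0.0.7 GET http://www.example.org/index.html 200
2011-11-21T10:00:03 10.0.0.5 GET HTTP://WWW.WERDE.DE/5.php?x=1 200
"""

# Constructed mail-gateway lines: timestamp, sender, recipient, attachment.
MAIL_LOG = """\
2011-11-21T10:01:00 from=<a@corp.example> to=<b@corp.example> attach=report.pdf
2011-11-21T10:01:05 from=<c@corp.example> to=<d@other.example> attach=game.exe
2011-11-21T10:01:09 from=<e@corp.example> to=<f@avp.example> attach=GAME.EXE
"""

URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s?]*)", re.IGNORECASE)
ATTACH_RE = re.compile(r"attach=(\S+)")
FROM_RE = re.compile(r"from=<([^>]+)>")


def find_beacons(proxy_log: str) -> List[str]:
    """Return the distinct client IPs that requested the worm's check-in URL.
    Host and scheme are compared case-insensitively; query strings are ignored."""
    hits = set()
    for line in proxy_log.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2)
        if host == BEACON_HOST and path == BEACON_PATH:
            hits.add(line.split()[1])
    return sorted(hits)


def find_infected_senders(mail_log: str) -> Dict[str, int]:
    """Count, per sender address, outbound messages whose attachment name
    matches the worm's fixed attachment name (case-insensitive)."""
    counts: Dict[str, int] = {}
    for line in mail_log.splitlines():
        a, f = ATTACH_RE.search(line), FROM_RE.search(line)
        if a and f and a.group(1).lower() == ATTACHMENT_NAME:
            counts[f.group(1)] = counts.get(f.group(1), 0) + 1
    return counts
```

Hosts returned by find_beacons and senders returned by find_infected_senders are candidates for checking for the dropped "sysinfo.exe" in the %SYSTEM% folder and its startup entry.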

Last update 21 November 2011

 
