Win32.Bagle.B@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Win32.Bagle.B@mm.
Explanation:
It arrives in an e-mail, formatted like this:
From: (spoofed address, could be anything)
Subject: ID %random_letters%... thanks
Body:
Yours ID %random_letters%
--
Thank
Attachment: %random_letters%.exe (11,264 bytes)
Example:
Subject: ID ldksy... thanks
Body:
Yours ID rnhyijwo
--
Thank
Attachment: jeqcnfmbiv.exe (11,264 bytes)
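A mail-filter check for the message template described above, added here as an example (it is not BitDefender's code or signature). It assumes %random_letters% means ASCII letters only; the function names and example.com addresses are invented for the example, and the attachment in the constructed test message is zero-filled filler.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Patterns taken from the e-mail template described above. Treating
# %random_letters% as ASCII letters only is an assumption of this example.
SUBJECT_RE = re.compile(r"ID [A-Za-z]+\.\.\. thanks")
BODY_RE = re.compile(r"Yours ID [A-Za-z]+\s*\n--\s*\nThank")
ATTACH_RE = re.compile(r"[A-Za-z]+\.exe", re.IGNORECASE)
ATTACH_SIZE = 11264  # bytes, as stated in the description

def check_message(raw: bytes) -> dict:
    """Return which parts of the described template a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = dict.fromkeys(("subject", "body", "attach_name", "attach_size"), False)
    hits["subject"] = bool(SUBJECT_RE.fullmatch(str(msg["Subject"] or "").strip()))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content().replace("\r\n", "\n").strip()
        hits["body"] = bool(BODY_RE.fullmatch(text))
    for part in msg.iter_attachments():
        if ATTACH_RE.fullmatch(part.get_filename() or ""):
            hits["attach_name"] = True
            data = part.get_payload(decode=True) or b""
            hits["attach_size"] = hits["attach_size"] or len(data) == ATTACH_SIZE
    return hits

def is_suspect(raw: bytes) -> bool:
    """Quarantine candidate: subject, body and attachment name all match.
    Size is reported separately as a corroborating signal."""
    h = check_message(raw)
    return h["subject"] and h["body"] and h["attach_name"]

def build_message(subject, body, filename, size) -> bytes:
    """Constructed test input: attachment is zero bytes, not a real sample."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_message("ID ldksy... thanks", "Yours ID rnhyijwo\n--\nThank\n",
                           "jeqcnfmbiv.exe", 11264)
    print(check_message(sample), is_suspect(sample))
```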
When run, the virus launches sndrec32.exe (the Windows Sound Recorder).
Then it searches for e-mail addresses in files with the following extensions:
wab, txt, htm, html
Then, it tries to send itself to all the e-mail addresses found, in the e-mail format described above.
It sends a notification message to a list of web sites; the message contains information about the infected computer.
This information could be used for uploading other executable files to the infected computers.
The worm starts a thread that listens for connections from a remote machine.
This connection is used for downloading a file and executing it, and it may be used as an auto-update mechanism.
Last update 21 November 2011