
Win32.Bagle.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Bagle.A@mm is also known as none.

Explanation:

This is an Internet worm that spreads through e-mail.
It arrives in the following format:

Subject:
Hi

Body:
Test =)
%randomstring%

Test, yep.

Attachment:
%randomstring%.exe

where %randomstring% is a randomly generated string.
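A mail-gateway check for the message format described above, written as an added example (not part of the BitDefender description and not code from the worm): it parses a raw message and flags it only when the subject is exactly "Hi", the plain-text body consists of "Test =)", a single random line and "Test, yep.", and exactly one .exe attachment is present. Both sample messages are constructed for the example; the attachment payload is an inert placeholder, not a real executable.

```python
import email
from email import policy

# Constructed sample reproducing the described format (attachment body is inert filler).
SAMPLE_WORM_MAIL = """\
From: sender@example.test
To: victim@example.test
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Test =)
kqzpxw

Test, yep.
--b1
Content-Type: application/octet-stream; name="kqzpxw.exe"
Content-Disposition: attachment; filename="kqzpxw.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed benign message with the same subject but no worm body or attachment.
BENIGN_MAIL = """\
From: friend@example.test
To: victim@example.test
Subject: Hi
Content-Type: text/plain

Hi, how are you?
"""


def matches_bagle_a_format(raw: bytes) -> bool:
    """Return True when a raw RFC 822 message matches the described worm e-mail layout."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Subject must be exactly "Hi".
    if str(msg.get("Subject", "")).strip() != "Hi":
        return False

    # Body: "Test =)", one random string, then "Test, yep." (blank lines ignored).
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if len(lines) != 3 or lines[0] != "Test =)" or lines[2] != "Test, yep.":
        return False

    # Exactly one attachment, and it must be an .exe file.
    exe_names = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".exe")
    ]
    return len(exe_names) == 1


if __name__ == "__main__":
    print("worm sample flagged:", matches_bagle_a_format(SAMPLE_WORM_MAIL.encode()))
    print("benign sample flagged:", matches_bagle_a_format(BENIGN_MAIL.encode()))
```

The rule is deliberately strict (all three elements must match) so that an ordinary message with the subject "Hi" is not quarantined; a real gateway would pair it with attachment blocking for executables, since the random filename alone carries no signal.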

When the user opens the attachment, the worm copies itself into %sysdir% under the name bbeagle.exe and adds the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value:
%sysdir%\beagle.exe
and
HKCU\Software\Windows98\frun with value 1
HKCU\Software\Windows98\uid with value a randomly generated number.

Note:
%sysdir% represents the Windows system directory (usually c:\windows\system).
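A host-side check for the persistence indicators listed above, added here as an example and not part of the BitDefender description: it parses a Windows .reg export of HKEY_CURRENT_USER (as produced by reg export) and reports a Run value named d3dupdate.exe and the HKCU\Software\Windows98 key with its frun and uid values. The two exports below are constructed for the example; the file path in the infected sample follows the %sysdir%\beagle.exe value given on the page.

```python
import re

# Constructed .reg export of an infected profile (values taken from the description above).
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="C:\\WINDOWS\\SYSTEM\\beagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"frun"=dword:00000001
"uid"="48213"
"""

# Constructed .reg export of a clean profile with an unrelated Run entry.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM\\ctfmon.exe"
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
W98_KEY = r"HKEY_CURRENT_USER\Software\Windows98"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}} (string data unescaped)."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            # REG_SZ data is quoted and backslashes are doubled in .reg files.
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_bagle_indicators(text: str) -> list:
    """Return human-readable findings for the persistence artifacts described on the page."""
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    findings = []

    # Autostart entry: Run value named d3dupdate.exe (case-insensitive).
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "d3dupdate.exe":
            findings.append(f"Run value {name} -> {data}")

    # Marker key HKCU\Software\Windows98 with frun / uid values.
    w98 = keys.get(W98_KEY.lower())
    if w98 is not None:
        present = sorted(n for n in w98 if n.lower() in ("frun", "uid"))
        findings.append("HKCU\\Software\\Windows98 present with values: " + ", ".join(present))
    return findings


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, find_bagle_indicators(export) or "no indicators")
```

The Run value name is the stable indicator; the file path should be treated as a hint only, since the description gives the copy name as bbeagle.exe but the Run value data as %sysdir%\beagle.exe, so a check on either spelling of the file would need confirmation on the host.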

After this the worm executes calc.exe and starts searching for e-mail addresses in files with the following extensions:
*.wab
*.txt
*.htm
*.html

After it gathers the e-mail addresses, it tries to send itself to every address it found.
The worm starts a thread that listens for connections from a remote machine. This connection is used for downloading a file and executing it, which is a possible auto-update mechanism.
Then it sends a notification message to a list of 36 web sites. The message contains information about the infected computer. This information will be used for uploading other executable files to the infected computers.

Last update 21 November 2011
