Win32.Bagle.B@mm

Spreading: medium
Damage: medium
Size: 11,264 (packed)
Discovered: 2005 May 31

SYMPTOMS:

- Presence of the following file in the %SYSTEM% folder:

AU.EXE (11,264 bytes)

- Presence of the following registry keys:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"au.exe"="%SYSTEM%\au.exe"


[HKEY_CURRENT_USER\Software\Windows2000]
with the entries gid and frn


where %WINDOWS% is the Windows folder (WinNT on Windows NT based systems) and
%SYSTEM% is the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.

TECHNICAL DESCRIPTION:

It arrives in an e-mail, formatted like this:

From: (spoofed address, could be anything)
Subject: ID %random_letters%... thanks
Body:
Yours ID %random_letters%
--
Thank

Attachment: %random_letters%.exe (11,264 bytes)

Example:

Subject: ID ldksy... thanks
Body:
Yours ID rnhyijwo
--
Thank

Attachment: jeqcnfmbiv.exe (11,264 bytes)
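The message template above can be turned into a simple mail-gateway heuristic. The following is an added example, not code from BitDefender or from the worm analysis: it parses a raw RFC 822 message with Python's standard `email` package and reports which of the three indicators (subject pattern, body pattern, 11,264-byte .exe attachment) are present. The sample messages it builds are constructed for the test, not real captures.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the description: subject "ID <letters>... thanks",
# body line "Yours ID <letters>", and an .exe attachment of exactly 11,264 bytes.
SUBJECT_RE = re.compile(r"^ID [a-z]+\.\.\. thanks$", re.IGNORECASE)
BODY_RE = re.compile(r"Yours ID [a-z]+", re.IGNORECASE)
ATTACHMENT_SIZE = 11264


def matches_bagle_b(raw: bytes) -> dict:
    """Score a raw message against the Bagle.B e-mail template.

    Returns which indicators fired plus an overall verdict. The verdict
    requires the attachment indicator plus at least one text indicator,
    so a random 11,264-byte .exe alone does not trigger it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": bool(SUBJECT_RE.match((msg["Subject"] or "").strip())),
        "body": False,
        "attachment": False,
    }
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or ""
            payload = part.get_payload(decode=True) or b""
            if name.lower().endswith(".exe") and len(payload) == ATTACHMENT_SIZE:
                hits["attachment"] = True
        elif part.get_content_type() == "text/plain":
            if BODY_RE.search(part.get_content()):
                hits["body"] = True
    hits["verdict"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


def build_sample(subject: str, body: str, attach_name: str, attach_size: int) -> bytes:
    """Construct a test message (not a real capture) with a dummy attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"  # constructed sender
    msg["To"] = "user@example.invalid"       # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * attach_size, maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()
```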


When run, the virus launches sndrec32.exe (the Windows Sound Recorder).

Then, it searches for e-mail addresses in files with the following extensions:

wab txt htm html

Then, it tries to send itself to all the e-mail addresses found, using the e-mail format described above.
It also sends a notification message to a list of web sites; the message contains information about the infected computer.
This information could be used to upload other executable files to the infected computers.

The worm starts a thread that listens for connections from a remote machine.
This connection is used to download a file and execute it, and may serve as an auto-update mechanism.

Removal instructions:

ANALYZED BY:

Patrik Vicol
BitDefender Virus Researcher