Subscribe0 0
This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.
The worm is also able to download other files from the Internet without the user's knowledge or consent.
The worm itself is a Windows PE EXE file 95369 bytes in size.
Installation
Once launched, the worm causes an error message to be displayed in order to confuse the user.
When installing, the worm copies itself as hidn2.exe to the following directory:
%UserProfile%\Application Data\hidn\hidn2.exeIt also creates a file called m_hook.sys in the same directory.
The worm creates the following entry in the system registry:
[HKCU\Software\FirstRuxzx]
"FirstRun"="dword:00000001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"drv_st_key"="%UserProfile%\Application Data\hidn\hidn2.exe"
The worm deletes the following registry key, making it impossible to boot the victim machine in safe mode::
[HKLM\System\CurrentControlSet\Control\SafeBoot]It also creates the following files:
%SystemDrive%\error.gif%SystemDrive%\temp.zip
Propagation via email
The worm harvests addresses from files with the following extensions:
adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml
This Bagle variant is also able to download files which contain the email addresses of potential victims from the Internet. The worm contains the following lists of sites which it may download files from:
http://acce***le.cl/1/eml.php http://am***dy.com/1/eml.php http://avatare***atis.com/1/eml.php http://be***lu.com.tr/1/eml.php http://brand***ck.com/1/eml.php http://c-***.com.au/1/eml.php http://cam***mafra.sc.gov.br/1/eml.php http://campos***ipamentos.com.br/1/eml.php http://cbr***o.sos.pl/1/eml.php http://coparefre***s.stantonstreetgroup.com/1/eml.php http://creai***ire.com/1/eml.php http://dese***i.com.br/1/eml.php http://hotel***lba.com/1/eml.php http://inca.d***solution.net/1/eml.php http://veranm***ala.com/1/eml.php http://wkligh***azwa.pl/1/eml.php http://www.***npl.com/1/eml.php http://www.aura***.com/1/eml.php http://www.buy***ital.co.kr/1/eml.php http://www.d***.cl/1/eml.php http://www.disco***apuzzle.com/1/eml.php http://www.in***file.gr/1/eml.php http://www.tita***tors.com/images/1/eml.php http://yon***n24.co.kr/1/eml.php
It will then send itself to all email addresses contained in files downloaded from the above addresses.
The worm does not send itself to addresses which contain the following strings:
@avp. @foo @iana @messagelab abuse admin anyone@ bsd bugs@ cafee certific contract@ feste free-av f-secur gold-certs@ google help@ icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip
The worm uses its own SMTP engine to send infected messages.
Infected messages
Message subject (chosen from the list below):
- Alice
- Alyce
- Andrew
- Androw
- Androwe
- Annes
- Anthonie
- Anthony
- Anthonye
- Avice
- Bennet
- Bennett
- Christean
- Christian
- Constance
- Cybil
- Daniel
- Danyell
- Dorithie
- Dorothee
- Dorothy
- Edmond
- Edmonde
- Edmund
- Edward
- Edwarde
- Elizabeth
- Elizabethe
- Ellen
- Ellyn
- Emanual
- Emanuel
- Emanuell
- Ester
- Frances
- Francis
- Fraunces
- Gabriell
- Geoffraie
- George
- Grace
- Harry
- Harrye
- Henrie
- Henry
- Henrye
- Hughe
- Humphrey
- Humphrie
- Isabel
- Isabell
- James
- Jeames
- Jeffrey
- Jeffrye
- Joane
- Johen
- Josias
- Judeth
- Judith
- Judithe
- Katherine
- Katheryne
- Leonard
- Leonarde
- Margaret
- Margarett
- Margerie
- Margerye
- Margret
- Margrett
- Marie
- Martha
- Marye
- Michael
- Mychaell
- Nathaniel
- Nathaniell
- Nathanyell
- Nicholas
- Nicholaus
- Nycholas
- Peter
- Ralph
- Rebecka
- Richard
- Richarde
- Robert
- Roberte
- Roger
- Rycharde
- Samuell
- Sidney
- Sindony
- Stephen
- Susan
- Susanna
- Suzanna
- Sybell
- Sybyll
- Syndony
- Thomas
- Valentyne
- William
- Winifred
- Wynefrede
- Wynefreed
- Wynnefreede
Message body (chosen from the list below):
- I love you
The password is <5 random numbers> - To the beloved
Password -- <5 random numbers> - I love you
Use password <5 random numbers> - To the beloved
Password is <5 random numbers> - I love you
Zip password: <5 random numbers> - To the beloved
archive password: <5 random numbers>
Attachment name (chosen from the list below)
- Ales.zip
- Alice.zip
- Alyce.zip
- Andrew.zip
- Androw.zip
- Androwe.zip
- Ann.zip
- Anna.zip
- Anne.zip
- Annes.zip
- Anthonie.zip
- Anthony.zip
- Anthonye.zip
- Avice.zip
- Avis.zip
- Avis.zip
- Bennet.zip
- Bennett.zip
- Christean.zip
- Christian.zip
- Constance.zip
- Cybil.zip
- Daniel.zip
- Danyell.zip
- Dorithie.zip
- Dorothee.zip
- Dorothy.zip
- Edmond.zip
- Edmonde.zip
- Edmund.zip
- Edward.zip
- Edwarde.zip
- Elizabeth.zip
- Elizabethe.zip
- Ellen.zip
- Ellyn.zip
- Emanual.zip
- Emanuel.zip
- Emanuell.zip
- Ester.zip
- Frances.zip
- Francis.zip
- Fraunces.zip
- Gabriell.zip
- Geoffraie.zip
- George.zip
- Grace.zip
- Harry.zip
- Harrye.zip
- Henrie.zip
- Henry.zip
- Henrye.zip
- Hughe.zip
- Humphrey.zip
- Humphrie.zip
- Isabel.zip
- Isabell.zip
- James.zip
- Jane.zip
- Jeames.zip
- Jeffrey.zip
- Jeffrye.zip
- Joane.zip
- Johen.zip
- John.zip
- Josias.zip
- Judeth.zip
- Judith.zip
- Judithe.zip
- Katherine.zip
- Katheryne.zip
- Leonard.zip
- Leonarde.zip
- Margaret.zip
- Margarett.zip
- Margerie.zip
- Margerye.zip
- Margret.zip
- Margrett.zip
- Marie.zip
- Martha.zip
- Mary.zip
- Marye.zip
- Michael.zip
- Mychaell.zip
- Nathaniel.zip
- Nathaniell.zip
- Nathanyell.zip
- Nicholas.zip
- Nicholaus.zip
- Nycholas.zip
- Peter.zip
- Ralph.zip
- Rebecka.zip
- Richard.zip
- Richarde.zip
- Robert.zip
- Roberte.zip
- Roger.zip
- Rose.zip
- Rycharde.zip
- Samuell.zip
- Sara.zip
- Sidney.zip
- Sindony.zip
- Stephen.zip
- Susan.zip
- Susanna.zip
- Suzanna.zip
- Sybell.zip
- Sybyll.zip
- Syndony.zip
- Thomas.zip
- Valentyne.zip
- William.zip
- Winifred.zip
- Wynefrede.zip
- Wynefreed.zip
- Wynnefreede.zip
Hot Articles