Email-Worm.Win32.Bagle.t

Tag: E-mail Worms


This new member of the Bagle family closely resembles its predecessor, Bagle.s. Infected emails again have empty subjects and message bodies. In Bagle.t the attachment is 8208 bytes in size. Bagle.t is compressed with FSG; the unpacked file is about 37 KB in size.

This e-mail worm is relatively simple compared to most other members of the Bagle family, which suggests it may have been written by a different group with access to the Bagle sources.

Infected messages have the following characteristics:

Sender address: random
Subject: none
Body: empty
Attachment name: game
Attachment file type: .exe
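The message characteristics listed above are enough for a simple mail-gateway triage rule: no Subject, an empty text body, and exactly one attachment named game.exe that is 8208 bytes long. The following is an added example, not code from the original write-up; the sample messages it builds are constructed (the "attachment" is filler bytes) and the sender addresses are placeholders, since the worm randomises the sender and the rule does not key on it.

```python
"""Mail-gateway triage rule for the Bagle.t message characteristics.

Added example, not part of the original write-up. Sample messages are constructed;
the attachment is zero-filled filler of the documented size, not malware.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BAGLE_T_ATTACHMENT_NAME = "game.exe"   # attachment name + type from the description
BAGLE_T_ATTACHMENT_SIZE = 8208         # attachment size in bytes, from the description


def body_is_empty(msg: EmailMessage) -> bool:
    """True when the message has no text body or only whitespace in it."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return True
    return body.get_content().strip() == ""


def matches_bagle_t(msg: EmailMessage) -> bool:
    """Return True only when every visible Bagle.t characteristic is present."""
    if (msg.get("Subject") or "").strip():
        return False                       # Bagle.t mails carry no subject
    attachments = list(msg.iter_attachments())
    if len(attachments) != 1:
        return False                       # exactly one attachment
    att = attachments[0]
    name = (att.get_filename() or "").lower()
    payload = att.get_content()            # bytes for application/octet-stream
    return (
        name == BAGLE_T_ATTACHMENT_NAME
        and len(payload) == BAGLE_T_ATTACHMENT_SIZE
        and body_is_empty(msg)
    )


def triage(raw: bytes) -> bool:
    """Parse raw RFC 5322 bytes, as a gateway sees them, and apply the rule."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return matches_bagle_t(msg)


def build_sample(subject: str, text: str, att_name: str, att_size: int) -> EmailMessage:
    """Constructed sample message; addresses are placeholders (.invalid TLD)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    if subject:
        msg["Subject"] = subject
    msg.set_content(text)
    msg.add_attachment(b"\x00" * att_size, maintype="application",
                       subtype="octet-stream", filename=att_name)
    return msg


if __name__ == "__main__":
    worm_like = build_sample("", "", "game.exe", 8208)
    benign = build_sample("Quarterly figures", "See attached.", "report.exe", 8208)
    print("worm-like message flagged:", triage(worm_like.as_bytes()))   # True
    print("benign message flagged:   ", triage(benign.as_bytes()))      # False
```

The size check is what keeps the false-positive rate down on an otherwise weak signature (empty subject and body are common enough in legitimate mail), but it is also the most brittle part: a repacked or recompiled sample changes the length, so the rule should be treated as a match for this specific variant rather than for the family.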

Installation

When executed, Bagle.t copies itself into the Windows system directory under the name "sysinfo.exe" and registers itself to be run at system startup. It also creates a registry key named:

[HKEY_CURRENT_USER\SOFTWARE\Windows2005]

and opens a backdoor on port 4751, which can be used to install new malware on the system.
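The three installation artefacts above (the dropped sysinfo.exe, the HKEY_CURRENT_USER\SOFTWARE\Windows2005 key, and a listener on TCP port 4751) make a compact host check. The following is an added example, not code from the original write-up. It assumes the "Windows system directory" is %SystemRoot%\System32, and it splits collection from evaluation so the evaluation step can also be run against an inventory exported from another machine; the live collector uses only the standard library and only runs on Windows.

```python
"""Host check for the Bagle.t installation artefacts.

Added example, not from the original write-up. Key name, file name and port come
from the description; the System32 location is an assumption.
"""
import os
import sys
from dataclasses import dataclass, field

REG_SUBKEY = "Windows2005"       # created under HKEY_CURRENT_USER\SOFTWARE
DROPPED_FILE = "sysinfo.exe"     # copied into the Windows system directory
BACKDOOR_PORT = 4751             # TCP port opened by the backdoor


@dataclass
class HostInventory:
    """What the check needs to know about a host; fill it live or from an export."""
    hkcu_software_subkeys: set = field(default_factory=set)
    system_dir_files: set = field(default_factory=set)
    listening_tcp_ports: set = field(default_factory=set)


def evaluate(inv: HostInventory) -> list:
    """Return the Bagle.t indicators present in the inventory (empty list = clean)."""
    hits = []
    if REG_SUBKEY.lower() in {k.lower() for k in inv.hkcu_software_subkeys}:
        hits.append(f"registry key HKCU\\SOFTWARE\\{REG_SUBKEY} present")
    if DROPPED_FILE in {f.lower() for f in inv.system_dir_files}:
        hits.append(f"{DROPPED_FILE} present in system directory")
    if BACKDOOR_PORT in inv.listening_tcp_ports:
        hits.append(f"TCP port {BACKDOOR_PORT} listening")
    return hits


def collect_windows() -> HostInventory:
    """Build the inventory on a live Windows host (stdlib only; ports via netstat)."""
    import subprocess
    import winreg  # only available on Windows
    inv = HostInventory()
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "SOFTWARE") as key:
        index = 0
        while True:
            try:
                inv.hkcu_software_subkeys.add(winreg.EnumKey(key, index))
            except OSError:
                break            # no more subkeys
            index += 1
    # Assumption: the "Windows system directory" is %SystemRoot%\System32.
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    inv.system_dir_files = set(os.listdir(sysdir))
    # netstat -a -n -p TCP prints: Proto  Local Address  Foreign Address  State
    out = subprocess.run(["netstat", "-a", "-n", "-p", "TCP"],
                         capture_output=True, text=True).stdout
    for line in out.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            inv.listening_tcp_ports.add(int(parts[1].rsplit(":", 1)[1]))
    return inv


if __name__ == "__main__":
    if sys.platform == "win32":
        inventory = collect_windows()
    else:
        # Constructed inventory standing in for an infected host, for demonstration.
        inventory = HostInventory({"Microsoft", "Windows2005"},
                                  {"kernel32.dll", "sysinfo.exe"},
                                  {135, 445, 4751})
    for hit in evaluate(inventory):
        print("INDICATOR:", hit)
```

A listener on 4751 alone is the weakest of the three indicators, since any service could be bound there; the registry key is the most specific, and a match on all three is a strong signal worth isolating the host on before pulling sysinfo.exe for analysis.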

Propagation

Just like Bagle.s, this variant does not spread if the system date is in any year later than 2004.

Throughout 2004, Bagle.t extracts e-mail addresses from various files on the disk and mails itself to them. Targeted file extensions are: .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp.

When spreading, infected e-mails are not sent to addresses containing '@avp.' or '@microsoft'.

Other

Bagle.t tries to report infections by accessing a URL on the site "www.werde.de" with specific parameters that the virus writer can presumably query later. At the time of writing, the URL appears to have been taken down.

To mask the infection behind an apparently useful action, the worm attempts to execute a file named dreder.exe, which does not exist by default in standard Windows installations.

©Virus-Encyclopedia.com All Rights Reserved.