Email-Worm.Win32.Bagle.b

0 0

This worm spreads via the Internet in the form of an attachment to infected emails.

The worm itself is a PE EXE file of approximately 11KB, compressed using UPX. The size of the decompressed file is approximately 16KB.

Characteristics of infected messages:

Message header:

ID x... thanks

with x being a string of random characters.

Message body:

Yours ID x
--
Thank

with x being a string of random characters.

Attachment:

The attachment has a random name, with a file size of 11KB.

Installation

Once launched, the worm copies itself to the Windows system directory under the name 'au.exe' and registers this file in the system registry auto-run key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "au.exe" = "%system%\au.exe"

Also creates the following registry key:

[HKCU\SOFTWARE\Windows2000]

and saves its variables there.

The worm attempts to connect to a number of remote sites, all of which are in some way connected with the Trojan proxy server TrojanProxy.Win32.Mitglieder.

On launching, the worm launches the Sound Recorder utility (sndrec32.exe).

Propagation

The worm searches for files with the following extensions: wab, txt, htm, html and send itself to all email addresses found in these files. The worm uses its own SMTP server to send email.

Remote administration

The worm opens and monitors port 8866. A backdoor function means that commands can then be executed and files can be downloaded on the victim computer, with all of this being done from a remote location:

Other

The worm is programmed to stop propagating after 25th February 2004.