Email-Worm.Win32.Bagle.cl

Tag: E-mail Worms


This version of Bagle is unable to propagate independently. However, all other functionality indicates that it is a member of the Bagle family. This program was mass mailed using spamming technologies.

The worm itself is a PE EXE file. The packed file is 36864 bytes in size.

Installation

Once launched, the worm causes the default text editing program (usually Notepad) to display an empty window.

When installing, the worm creates files called “winshost.exe” and “wiwshost.exe” in the Windows system directory:

%System%\winshost.exe
%System%\wiwshost.exe

The worm registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%System%\winshost.exe"

Propagation

This variant of the worm is unable to propagate independently and was mass mailed using spamming technologies. As a rule, infected messages have a blank message subject and a blank message body.

Payload

The worm incorporates a large list of URLs. It periodically checks these addresses, downloads any files that have been uploaded there, and launches them on the victim machine. This makes it possible for the worm to update itself and to download other malicious programs to the victim machine.

In order to prevent antivirus and firewall software from being launched, the worm deletes the following registry keys:

[HKLM\SOFTWARE\Agnitum]
[HKLM\SOFTWARE\KasperskyLab]
[HKLM\SOFTWARE\McAfee]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client]
[HKLM\SOFTWARE\Panda Software]
[HKLM\SOFTWARE\Symantec]
[HKLM\SOFTWARE\Zone Labs]

The worm also terminates processes connected with antivirus and firewall programs.

Bagle.cl modifies the %System%\drivers\etc\hosts file, leaving only the following record:

127.0.0.1 localhost
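The host-side indicators described in this entry (dropped files, Run-key persistence, deleted vendor keys, stripped hosts file), collected into a triage script. This is an added example, not part of the original entry; it assumes %System% resolves to %SystemRoot%\System32 and that it is run from an elevated PowerShell session.

```powershell
# Added triage example for the Bagle.cl indicators above (not from the original entry).
# Assumption: %System% is %SystemRoot%\System32; run elevated so HKLM and System32 are readable.
$sys = Join-Path $env:SystemRoot 'System32'

# 1. Files the worm drops into the system directory
foreach ($name in 'winshost.exe', 'wiwshost.exe') {
    $p = Join-Path $sys $name
    if (Test-Path -LiteralPath $p) { Write-Warning "Dropped file present: $p" }
}

# 2. Persistence: value "winshost.exe" under the HKCU and HKLM Run keys
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'winshost.exe'
    if ($val) { Write-Warning "Run entry in $key -> $val" }
}

# 3. Vendor keys the worm deletes: report which are now absent.
#    An absent key only matters if that product was installed; compare against an inventory baseline.
$expected = @(
    'HKLM:\SOFTWARE\Agnitum', 'HKLM:\SOFTWARE\KasperskyLab', 'HKLM:\SOFTWARE\McAfee',
    'HKLM:\SOFTWARE\Panda Software', 'HKLM:\SOFTWARE\Symantec', 'HKLM:\SOFTWARE\Zone Labs'
)
$missing = $expected | Where-Object { -not (Test-Path -LiteralPath $_) }
if ($missing) { Write-Output "Vendor keys absent: $($missing -join ', ')" }

# 4. hosts file reduced to the single "127.0.0.1 localhost" record
#    (this is also the stock content on some Windows builds, so weigh it with the findings above)
$hosts = Join-Path $sys 'drivers\etc\hosts'
$records = @(Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
             Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
if ($records.Count -eq 1 -and $records[0] -match '^\s*127\.0\.0\.1\s+localhost\s*$') {
    Write-Output "hosts file contains only '127.0.0.1 localhost' (consistent with Bagle.cl)"
}
```

Findings 1 and 2 are the strong indicators; 3 and 4 are corroborating only and should be read against a known-good baseline for the same build.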

©Virus-Encyclopedia.com All Rights Reserved.