Email-Worm.Win32.Bagle.ef
| Alert Level: | Medium |
| Discovered: | Nov 03 2005 |
| Tag: | E-mail Worms |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Bagle variant is unable to replicate independently. However, all of its other functionality indicates that it is a member of the Bagle family. It was mass-mailed using spamming technologies.
The worm arrives as an attachment to infected messages. The attachment is a ZIP file approximately 5KB in size. The ZIP archive contains the worm file, which is called "t_535475.exe". This PE EXE file is 13312 bytes in size.
Installation
Once launched, the worm copies itself to the system directory as “hloader_exe.exe”:
%System%\hloader_exe.exe
It registers this file in the system registry, ensuring that the worm will be launched each time Windows is rebooted on the victim machine.
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"auto_hloader_key" = "%System%\hloader_exe.exe"
The worm also creates a file named “hleader_dll.dll”, 8192 bytes in size, in the Windows directory:
%System%\hleader_dll.dll
Propagation
Bagle.ef is unable to replicate independently, and was distributed by mass mailing using spamming technologies.
Payload
The .dll file created by the worm contains a long list of URLs, which the worm checks periodically for the presence of files.
If a file is placed on any of these URLs, the worm will download it and launch it on the victim machine. This enables the worm to update itself or install other malicious programs on the victim machine. The list of URLs is as follows:
The worm creates a folder named “exefld” in the Windows root directory, and saves files which it downloads in this folder.
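A host triage check for the indicators in this description (the auto_hloader_key Run value, the two dropped files with their stated sizes, and the exefld folder), added here as an example and not part of the original description. It runs offline over a constructed .reg export and a constructed directory listing rather than the live registry, and the sample paths and the ctfmon entry are assumed values used only to show a non-match.

```python
import re
# Indicators from the description above; %System% is the advisory's own placeholder.
RUN_VALUE_NAME = "auto_hloader_key"
RUN_KEYS = {r"hkey_current_user\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\run"}
DROPPED_FILES = {"hloader_exe.exe": 13312, "hleader_dll.dll": 8192}  # name -> size in bytes
DOWNLOAD_FOLDER = "exefld"

def parse_reg_export(text):
    """Parse a Windows .reg export into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        val_match = re.fullmatch(r'"([^"]+)"\s*=\s*"(.*)"', line)
        if key_match:
            current = keys.setdefault(key_match.group(1), {})
        elif val_match and current is not None:
            current[val_match.group(1)] = val_match.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
    return keys

def find_autorun(reg_text):
    """Return Run keys whose auto_hloader_key value points at hloader_exe.exe."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() in RUN_KEYS and values.get(RUN_VALUE_NAME, "").lower().endswith("hloader_exe.exe"):
            hits.append(key)
    return hits

def find_dropped_files(listing):
    """Flag the dropped files and download folder in a (path, size) listing; size is None for folders."""
    findings = []
    for path, size in listing:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            # a size mismatch is reported rather than ignored, since repacked variants differ
            tag = "size matches" if size == DROPPED_FILES[name] else "size differs, possible variant"
            findings.append(f"{path} ({tag})")
        elif name == DOWNLOAD_FOLDER and size is None:
            findings.append(f"{path} (download folder)")
    return findings

# Constructed sample inputs (not taken from a real infected host).
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"auto_hloader_key"="C:\\WINDOWS\\system32\\hloader_exe.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""
SAMPLE_LISTING = [(r"C:\WINDOWS\system32\hloader_exe.exe", 13312), (r"C:\WINDOWS\system32\hleader_dll.dll", 8192),
                  (r"C:\WINDOWS\exefld", None), (r"C:\WINDOWS\system32\ctfmon.exe", 15360)]
```

On a real host the same functions can be fed the output of `reg export` and a recursive listing of the Windows directory; a file-name hit with a differing size still deserves a look, since later variants of the family were repacked.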