
i-worm.bagle.-def8


Description
I-Worm.Bagle.s
Bagle.s is an Internet worm spreading as an attachment to infected emails.
The worm is a PE EXE file about 8 KB in size. Bagle.s is compressed with FSG; the unpacked file is about 37 KB in size.
Infected messages have the following characteristics:
Sender address: random
Subject: none
Body: empty
Attachment name: random characters
Attachment file type: .exe
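The message traits listed above map directly onto a mail-gateway filter rule. The following is an added example, not Webroot's code and not part of the original description: it parses a raw message with Python's standard email module and reports which of the three traits (empty subject, empty body, a single .exe attachment) the message matches. The two sample messages, their addresses and the attachment names are constructed for the demo. The verdict requires all three traits together, because an empty subject or a lone .exe attachment is far too common on its own to act on.

```python
"""Mail-gateway heuristic for the Bagle.s message pattern.

Added example (not Webroot's code). Flags messages that carry all three
traits from the description: empty Subject, empty body, one .exe attachment.
The sample messages at the bottom are constructed for the demo.
"""
from email import message_from_string
from email.message import Message

EXE_EXTENSIONS = (".exe",)


def attachment_names(msg: Message) -> list:
    """Return the filenames of all parts marked as attachments."""
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            names.append(part.get_filename() or "")
    return names


def body_is_empty(msg: Message) -> bool:
    """True if every non-attachment text part (text/plain, text/html) is blank."""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            continue
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            if payload.strip():
                return False
    return True


def bagle_indicators(raw: str) -> list:
    """Return the Bagle.s message traits that the raw RFC 822 message matches."""
    msg = message_from_string(raw)
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    if body_is_empty(msg):
        hits.append("empty-body")
    names = attachment_names(msg)
    if len(names) == 1 and names[0].lower().endswith(EXE_EXTENSIONS):
        hits.append("single-exe-attachment")
    return hits


def looks_like_bagle(raw: str) -> bool:
    """All three traits must be present; any one alone is too common to block on."""
    return len(bagle_indicators(raw)) == 3


# Constructed sample that mirrors the described characteristics.
SUSPECT = """\
From: random@example.invalid
To: victim@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="kq8w3.exe"
Content-Transfer-Encoding: base64

AAAAAAAA
--XX--
"""

# Constructed benign message for comparison.
BENIGN = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YY"

--YY
Content-Type: text/plain

Hi Bob, the report is attached.
--YY
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--YY--
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, looks_like_bagle(raw), bagle_indicators(raw))
```

At a real gateway the same function would run on each inbound message before delivery; a match should quarantine the message rather than bounce it, since the sender address is random and a bounce only generates backscatter.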
Installation
After launch, Bagle.s copies itself into the Windows system directory as gigabit.exe and registers this file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gigabit.exe" = "%system%\gigabit.exe"
Bagle.s then creates the key:
[SOFTWARE\Windows2004]
"gsed"
where it stores its variables.
Bagle.s also launches mshearts.exe, the Microsoft Hearts Network game.

Finally, Bagle.s attempts to connect to several remote sites and stores identification information about the infected machine on them.
Propagation
Bagle.s searches disks for files with the following extensions: adb, asp, cfg, cgi, dbx, dhtm, eml, htm, jsp, mbx, mdx, mht, mmf, msg, nch, ods, oft, php, pl, sht, shtm, stm, tbb, txt, uin, wab, wsh, xls, xml.
It then sends copies of itself to all email addresses found in these files, using its own built-in SMTP engine.
Remote Administration
Bagle.s opens and listens on port 4751. The built-in backdoor function allows the worm's operator to:
Execute commands
Download files
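The indicators from the Installation and Remote Administration sections (the gigabit.exe autorun value, the SOFTWARE\Windows2004 key with its gsed value, mshearts.exe running next to gigabit.exe, and a listener on port 4751) can be checked together during host triage. The following is an added example, not Webroot's code and not part of the original description: it evaluates a snapshot of the relevant host state against those indicators and treats two or more independent hits as a likely infection. The snapshot dicts are constructed for the demo; on a live Windows host the same fields would be filled from `reg query`, `netstat -ano` and `tasklist` output. The hive of the Windows2004 key is not stated in the description, so the check matches on the key path alone.

```python
"""Host triage for the Bagle.s installation and backdoor indicators.

Added example, not Webroot's code. Checks a host snapshot against the
indicators in the description. The snapshot dicts at the bottom are
constructed for the demo.
"""

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"SOFTWARE\Windows2004"  # hive is not stated in the description
MARKER_VALUE = "gsed"
DROPPED_FILE = "gigabit.exe"
BACKDOOR_PORT = 4751
SIDE_PROCESS = "mshearts.exe"


def check_autorun(run_values: dict) -> list:
    """Flag a Run value named gigabit.exe or whose data points at gigabit.exe."""
    hits = []
    for name, data in run_values.items():
        target = data.lower().replace("/", "\\")
        if name.lower() == DROPPED_FILE or target.endswith("\\" + DROPPED_FILE):
            hits.append(f"autorun: {RUN_KEY}\\{name} = {data}")
    return hits


def check_marker_key(registry: dict) -> list:
    """Flag the Windows2004 key that holds the worm's gsed variable store."""
    values = registry.get(MARKER_KEY, {})
    if MARKER_VALUE in values:
        return [f"marker key: [{MARKER_KEY}] {MARKER_VALUE}"]
    return []


def check_listener(listening_ports: list) -> list:
    """Flag the backdoor's listening port."""
    if BACKDOOR_PORT in listening_ports:
        return [f"listener: TCP port {BACKDOOR_PORT} open"]
    return []


def check_processes(processes: list) -> list:
    """mshearts.exe alone is a legitimate game; flag it only beside gigabit.exe."""
    running = {p.lower() for p in processes}
    if DROPPED_FILE in running and SIDE_PROCESS in running:
        return [f"process: {DROPPED_FILE} running with {SIDE_PROCESS}"]
    return []


def assess_host(snapshot: dict) -> dict:
    """Combine the checks; two or more independent indicators is a likely infection."""
    findings = (
        check_autorun(snapshot.get("run", {}))
        + check_marker_key(snapshot.get("registry", {}))
        + check_listener(snapshot.get("listening", []))
        + check_processes(snapshot.get("processes", []))
    )
    return {"findings": findings, "likely_infected": len(findings) >= 2}


# Constructed snapshots for the demo.
INFECTED = {
    "run": {
        "gigabit.exe": r"C:\WINDOWS\system32\gigabit.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "registry": {r"SOFTWARE\Windows2004": {"gsed": "1"}},
    "listening": [135, 445, 4751],
    "processes": ["explorer.exe", "gigabit.exe", "mshearts.exe"],
}
CLEAN = {
    "run": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "registry": {},
    "listening": [135, 445],
    "processes": ["explorer.exe", "mshearts.exe"],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        result = assess_host(snap)
        print(label, result["likely_infected"], *result["findings"], sep="\n  ")
```

The two-indicator threshold is deliberate: a stray Run value or an unrelated service on port 4751 can each occur alone, but the autorun entry together with the marker key or the listener is specific to this worm's installation routine.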

Updated: 02/24/2006
Copyright © 2006 Webroot Software Inc.