W32/Bagle.R@mm

• Detected by virus detection files published: 3/18/2004
• Virus characteristics first published: 3/18/2004
• Virus characteristics latest update: 5/7/2004
• Type: Virus, Worm
• Spreading mechanism: Email, File Infection, Other
• Overall risk: Medium
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista


The following is a portion of the instant analysis done by the Norman Sandbox Technology:

 [ General information ]
    * Attemps to open C:\WINDOWS\SYSTEM\direct.exe NULL.
    * Creating several executable files on hard-drive.
    * File length:        25600 bytes.
    * Total emulation cycles required:      4540790.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\direct.exe.

 [ Changes to registry ]
    * Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "My AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Zone Labs Client Ex" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Zone Labs Client Ex" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "9XHtProtect" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "9XHtProtect" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Antivirus" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Antivirus" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Special Firewall Service" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Special Firewall Service" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "service" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "service" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Tiny AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Tiny AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "ICQNet" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "ICQNet" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "HtProtect" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "HtProtect" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "NetDy" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "NetDy" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "ICQ Net" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "ICQ Net" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "direct.exe"="C:\WINDOWS\SYSTEM\direct.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

 [ Network services ]
    * Connect port 81 [DGRAM], IP 0.0.0.0.
    * Connect port 2556 [DGRAM], IP 0.0.0.0.

 [ Security issues ]
    * Possible backdoor functionality [UNKNOWN] port 81.
    * Possible backdoor functionality [UNKNOWN] port 2556.

 

 Write-up by Trygve Brox  
