W32/Bagle.U@mm

Download VIRUSfighter NOW
W32/Bagle.U@mm Destructivity: Spreading: Overall risk:
  
• Detected by virus detection files published: 3/26/2004 • Type: Backdoor, Worm
• Virus characteristics first published: 3/26/2004 • Spreading mechanism: Email
• Virus characteristics latest update: 5/7/2004 • Overall risk: Medium
• Alias: Bagle.U • Payload: Backdoor
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista  

Virus type Spreading
mechanism 		Destructivity
and payload 		Additional
descriptions 		Detection
and removal
Email characteristics:
  • Subject: None
  • Body: None
  • Attachment: variable
When Bagle.U is executed it checks to see if it was run from %SYSTEM%\Gigabit.exe, and if not copies itself there and creates the following registry key to ensure it is started with Windows:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Gigabit.exe = %SYSTEM%\gigabit.exe"

The worm will also create the following registry keys during execution:

HKEY_CURRENT_USER\Software\Windows2004\gsed
HKEY_CURRENT_USER\Software\Windows2004\fr1n

The new copy of the worm is then executed.

If the worm was not executed from %SYSTEM%\Gigabit.exe then the following batch file is created to delete the first instance of Bagle:

:l
del %1
if exist %1 goto l
del %0 a.bat

Bagle.U will then search for e-mail addresses in files with the following extension:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The worm will then mail a copy of itself to all addresses found, with a blank subject line, no body text and a randomly named attachment with a .exe extension.

Bagle will not send mail to any addresses containing either @avp. or @Microsoft.
# - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z
To protect and serve, VirusFighter