WORM_BAGLE.GS

By sm | December 4, 2006

This worm arrives on a system as an attachment to a spammed email message. The said email message contains a password-protected .ZIP file which contains this worm, as well as a binary file with a DLL extension.

Upon execution, it drops the following files in the HIDN folder, which it creates in the %Application Data% folder:

* HIDN2.EXE - copy of itself
* HLDRRR.EXE - copy of itself
* M_HOOK.SYS - detected as TROJ_ROOTSERV.A

(Note: %Application Data% is the current user’s Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It creates the following registry entry to ensure its automatic execution at every Windows startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key = "%Application Data%\hidn\hidn2.exe"

It also creates the following registry key and entry as part of its installation routine:

HKEY_CURRENT_USER\SOFTWARE\FirstRuxzx
FirstRu21n = "dword:00000001"

Propagation via Email

This worm propagates by sending copies of itself as an attachment to email messages that it sends to target IP addresses using its own Simple Mail Transfer Protocol (SMTP) engine. Through the said SMTP engine, it is able to easily send email messages even without using other mailing applications, such as Microsoft Outlook.

Below is a sample of the email message that it sends out:

Subject: (any of the following)

* price_new{current date}
* price_{current date}
* price

Message body: (any of the following)

* It Is Protected
* thank you !!!
* New year's discounts

Attachment: (any of the following)

* new_price{date today}.zip
* price_list{date today}.zip
* latest_price{date today}.zip

The .ZIP file contains a non-malicious, randomly named .DLL file and a malicious .EXE file. Because the .ZIP file is password-protected, scanners cannot inspect its contents, so the malicious .EXE file goes undetected until the recipient extracts it.
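As an added example that is not part of the original write-up or its source, the Python check below shows what a mail gateway can still do with such a message: it matches the subject and attachment names against the lure patterns listed above and, because a standard ZIP keeps its entry names and the "encrypted" flag in the clear even when the contents are password-protected, flags any encrypted archive that carries an .EXE without needing the password. The sample message is constructed inline; the date in the subject is assumed to be a run of digits, and the encryption bit is patched into the constructed archive by hand because Python's zipfile cannot write password-protected archives.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure patterns from the write-up. The date format is not given there;
# a run of digits is assumed (constructed assumption).
SUBJECT_RE = re.compile(r"^price(?:_new)?(?:_?\d{1,8})?$", re.IGNORECASE)
ATTACH_RE = re.compile(r"^(?:new_price|price_list|latest_price)\d*\.zip$", re.IGNORECASE)
ZIP_ENCRYPTED_BIT = 0x01  # bit 0 of the general-purpose flag in every ZIP header


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag in each local (PK\\x03\\x04, flags at +6) and
    central-directory (PK\\x01\\x02, flags at +8) header of a constructed archive.
    Only the flag is set; the data stays in the clear. This stands in for a real
    password-protected ZIP in the sample below."""
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_off] |= ZIP_ENCRYPTED_BIT
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_message() -> bytes:
    """Constructed sample mimicking the lure: matching subject, body text and a
    'password-protected' ZIP holding an .EXE and a randomly named .DLL."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("price.exe", b"MZ placeholder, not a real binary")
        zf.writestr("a8f3k2.dll", b"harmless filler")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "price_new20061204"
    msg.set_content("thank you !!!")
    msg.add_attachment(_mark_encrypted(zbuf.getvalue()), maintype="application",
                       subtype="zip", filename="new_price20061204.zip")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> dict:
    """Return the gateway's findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject_match": False, "attachment_match": False,
                "encrypted_zip": False, "hidden_executables": [], "verdict": "clean"}
    subject = str(msg["Subject"] or "").strip()
    findings["subject_match"] = bool(SUBJECT_RE.match(subject))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if ATTACH_RE.match(name):
            findings["attachment_match"] = True
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue
        # The central directory is readable without the password, so entry
        # names and the encryption flag can be inspected on every archive.
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ZIP_ENCRYPTED_BIT)
            findings["encrypted_zip"] = findings["encrypted_zip"] or encrypted
            if encrypted and info.filename.lower().endswith(".exe"):
                findings["hidden_executables"].append(info.filename)

    if findings["hidden_executables"]:
        findings["verdict"] = "quarantine"   # encrypted archive carrying an executable
    elif findings["subject_match"] and findings["attachment_match"]:
        findings["verdict"] = "suspicious"   # lure pattern without a readable payload
    return findings


if __name__ == "__main__":
    print(inspect_message(build_sample_message()))
```

The verdict deliberately does not depend on the subject alone: the lure strings change between variants, whereas an encrypted archive that lists an executable in its central directory is a stable, content-based property that the password does not hide.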

Source
