Win32.Bagle.{AQ,AR}@mm (W32.Beagle.AQ@mm (NAV))
SYMPTOMS:
Presence of "windll.exe", "windll.exeopen" and "windll.exeopenopen" in the %system% folder (e.g. C:\Windows\System32) and of "windll.exe" in the process list. The registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n" contains the value "erthgdr", which points to "%system%\windll.exe". Presence of the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ru1n".

TECHNICAL DESCRIPTION:
* spreads both by email, arriving as an infected attachment inside a zip archive, and through a number of P2P programs
* scans recursively for email addresses
* the following file types are scanned for email addresses: .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp
* copies itself into all directories containing "shar" in their names, using the following file names:
  Microsoft Office 2003 Crack, Working!.exe
  Microsoft Windows XP, WinXP Crack, working Keygen.exe
  Microsoft Office XP working Crack, Keygen.exe
  Porno, sex, oral, anal cool, awesome!!.exe
  Porno Screensaver.scr
  Serials.txt.exe
  KAV 5.0
  Kaspersky Antivirus 5.0
  Porno pics arhive, xxx.exe
  Windows Sourcecode update.doc.exe
  Ahead Nero 7.exe
  Windown Longhorn Beta Leak.exe
  Opera 8 New!.exe
  XXX hardcore images.exe
  WinAmp 6 New!.exe
  WinAmp 5 Pro Keygen Crack Update.exe
  Adobe Photoshop 9 full.exe
  Matrix 3 Revolution English Subtitles.exe
  ACDSee 9.exe
* avoids sending itself to addresses containing any of the following strings:
  @eerswqe @derewrdgrs @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@

Removal instructions: N/A

ANALYZED BY: BitDefender Antivirus Research Team
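The SYMPTOMS section above is, in effect, a host-level indicator list. The following PowerShell script is an added example (not part of the BitDefender entry) that checks a Windows host read-only for exactly those indicators: the three dropped files in %system%, the running "windll" process, and the two registry keys with the "erthgdr" value. The registry paths are copied verbatim from the entry as written, and the script only reports; it does not attempt removal, which the entry lists as N/A.

```powershell
# Added example: report the Bagle.AQ/AR indicators listed in the entry's SYMPTOMS.
# Read-only checks; nothing is deleted or modified.

# %system% resolves to e.g. C:\Windows\System32
$system = [Environment]::GetFolderPath('System')
$findings = @()

# 1. Dropped files in %system%
foreach ($name in 'windll.exe', 'windll.exeopen', 'windll.exeopenopen') {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) {
        $findings += "file present: $path"
    }
}

# 2. Running process named windll.exe
$proc = Get-Process -Name 'windll' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "process running: windll.exe (PID $($proc.Id -join ', '))"
}

# 3. Registry keys and the erthgdr value.
#    Key paths are taken verbatim from the entry above.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ru1n',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Ru1n'
)
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        $findings += "registry key present: $key"
        $item = Get-ItemProperty -LiteralPath $key -Name 'erthgdr' -ErrorAction SilentlyContinue
        if ($item -and $item.erthgdr -like '*windll.exe*') {
            $findings += "registry value erthgdr in $key -> $($item.erthgdr)"
        }
    }
}

# 4. Report
if ($findings.Count -eq 0) {
    'No Bagle.AQ/AR indicators from the SYMPTOMS list were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated PowerShell prompt so that the HKLM key and all processes are visible; a hit on any of the three indicator classes is enough to treat the host as suspect and hand it to the usual incident-response process rather than to a manual clean-up.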