Win32.Bagle.A@mm( none )
SYMPTOMS:
- presence of the file bbeagle.exe in %sysdir%
- presence of the following registry values:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value %sysdir%\bbeagle.exe
  HKCU\Software\Windows98\frun with value 1
  HKCU\Software\Windows98\uid with a randomly generated number as value

TECHNICAL DESCRIPTION:
This is an Internet worm that spreads through e-mail. It arrives in the following format:

Subject: Hi
Body:
Test =)
%randomstring%
Test, yep.
Attachment: %randomstring%.exe

where %randomstring% is a randomly generated string.

When the user opens the attachment, the worm copies itself to %sysdir% under the name bbeagle.exe and adds the following registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value %sysdir%\bbeagle.exe
HKCU\Software\Windows98\frun with value 1
HKCU\Software\Windows98\uid with a randomly generated number as value

Note: %sysdir% represents the Windows system directory (usually c:\windows\system).

After this the worm executes calc.exe and starts searching for e-mail addresses in files with the following extensions: *.wab *.txt *.htm *.html
After it has gathered the e-mail addresses, it tries to send itself to every address it found.

The worm starts a thread that listens for connections from a remote machine. This connection is used to download a file and execute it; this is a possible auto-update mechanism. The worm then sends a notification message to a list of 36 web sites. The message contains information about the infected computer; this information can be used to upload other executable files to the infected computers.

Removal instructions:
Let BitDefender delete the infected files it finds.

ANALYZED BY: Sorin Victor Dudea
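As an added example (not part of BitDefender's original entry or tooling), the following Python script turns the indicators above into a check that can be run offline: it parses a regedit (.reg) export for the Run entry and the Software\Windows98 marker values, checks a %sysdir% file listing for bbeagle.exe, and classifies an incoming message against the lure format. The .reg parser, the function names, and the embedded sample exports are assumptions constructed for this example, not artifacts from the analysis.

```python
import re

# Indicators from the description: the dropped file and the three HKCU values.
# The file name is matched case-insensitively and only on the last path
# component, because %sysdir% differs between Windows versions.
DROPPED_FILE = "bbeagle.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKCU\Software\Windows98"

# Lure format: Subject "Hi", body "Test =)" / random string / "Test, yep.",
# attachment <random>.exe. The body regex tolerates any whitespace layout.
LURE_BODY = re.compile(r"^Test =\)\s*\S+\s*Test, yep\.\s*$")


def _normalize_key(key):
    """Map the long hive name used in .reg exports onto the HKCU short form."""
    return re.sub(r"^HKEY_CURRENT_USER", "HKCU", key, flags=re.IGNORECASE)


def parse_reg_export(text):
    """Parse the subset of the regedit export format needed here:
    [key] headers, "name"="string" and "name"=dword:hex values.
    Returns {key: {name: value}}; dword values become int, strings are
    unescaped, anything else (hex:, expandable strings) is kept raw."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _normalize_key(line[1:-1])
            values.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.lower().startswith("dword:"):
            value = int(rhs[6:], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value = rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = rhs
        values[current][name] = value
    return values


def find_bagle_indicators(reg_values, sysdir_listing):
    """Return the list of Bagle.A indicators present in a parsed registry
    export plus a list of file names found in %sysdir%."""
    hits = []
    if any(f.lower() == DROPPED_FILE for f in sysdir_listing):
        hits.append("file:%sysdir%\\bbeagle.exe")
    by_key = {k.lower(): v for k, v in reg_values.items()}
    run = {n.lower(): v for n, v in by_key.get(RUN_KEY.lower(), {}).items()}
    target = run.get("d3dupdate.exe")
    if isinstance(target, str) and target.lower().endswith("\\" + DROPPED_FILE):
        hits.append("run:d3dupdate.exe -> " + target)
    marker = {n.lower(): v for n, v in by_key.get(MARKER_KEY.lower(), {}).items()}
    if marker.get("frun") == 1:
        hits.append("marker:frun=1")
    if "uid" in marker:  # value is random, so only its presence is checked
        hits.append("marker:uid present")
    return hits


def is_bagle_lure(subject, body, attachment_name):
    """True if a message matches the Subject/Body/Attachment pattern above."""
    return (subject.strip() == "Hi"
            and bool(LURE_BODY.match(body.strip()))
            and attachment_name.lower().endswith(".exe"))


# Constructed sample exports (not real captures): one infected, one clean.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="C:\\WINDOWS\\SYSTEM\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"frun"=dword:00000001
"uid"=dword:0001e240
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for hit in find_bagle_indicators(parse_reg_export(SAMPLE_EXPORT),
                                     ["user32.dll", "BBEAGLE.EXE"]):
        print("indicator:", hit)
    print("lure:", is_bagle_lure("Hi", "Test =)\nqwertyu\nTest, yep.", "abcd.exe"))
```

On a live Windows host the inputs would come from `reg export HKCU` and a listing of the system directory; the uid value is random per infection, so only its presence is tested, while the frun value is compared against the documented constant 1.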