Win32.Bagle.B@mm
SYMPTOMS:

- Presence of the following file in the %SYSTEM% folder:
  AU.EXE (11,264 bytes)

- Presence of the following registry keys:
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "au.exe"="%SYSTEM%\au.exe"

  [HKEY_CURRENT_USER\Software\Windows2000]
  with the entries gid and frn

where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and %SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.

TECHNICAL DESCRIPTION:

It arrives in an e-mail, formatted like this:

From: (spoofed address, could be anything)
Subject: ID %random_letters%... thanks
Body: Yours ID %random_letters% -- Thank
Attachment: %random_letters%.exe (11,264 bytes)

Example:

Subject: ID ldksy... thanks
Body: Yours ID rnhyijwo -- Thank
Attachment: jeqcnfmbiv.exe (11,264 bytes)

When run, the virus launches sndrec32.exe (Sound Recorder from Windows). Then it starts searching for e-mail addresses in files with the following extensions:

wab txt htm html

Then it tries to send itself to all the e-mail addresses found, in the e-mail format described above.

It sends a notification message to a list of web sites; the message contains information about the infected computer. This information could be used for uploading other executable files to the infected computers.

The worm starts a thread that listens for connections from a remote machine. This connection is used for downloading a file and executing it, and it may be used as an auto-update mechanism.

Removal instructions:

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher
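The e-mail format and host artifacts listed above translate directly into detection logic. The following is an added example written for this page, not BitDefender's own tooling: it matches the subject, body and attachment pattern of the worm's e-mail against a constructed MIME message, and checks an abstracted host snapshot (file sizes and registry values supplied as plain dictionaries, since no live registry access is assumed) for the AU.EXE file and the two registry indicators. The sample messages, the attachment bytes, the WinNT system path and the snapshot contents are constructed for illustration.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Indicators taken from the write-up above.
BAGLE_B_SIZE = 11264
SUBJECT_RE = re.compile(r"^ID [a-z]+\.\.\. thanks$")
BODY_RE = re.compile(r"^Yours ID [a-z]+ -- Thank$")
ATTACH_RE = re.compile(r"^[a-z]+\.exe$", re.IGNORECASE)

# Assumed WinNT layout for %SYSTEM% (constructed path).
SYSTEM_DIR = r"C:\WINNT\System32"


def matches_bagle_b_mail(raw_message: str) -> bool:
    """Return True when a raw RFC 822 message has the worm's subject,
    body and an .exe attachment of exactly 11,264 bytes."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    if not SUBJECT_RE.match(subject):
        return False

    body_ok = attach_ok = False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename:
            # Random-letter .exe name with the known size.
            if ATTACH_RE.match(filename) and len(payload) == BAGLE_B_SIZE:
                attach_ok = True
        elif part.get_content_type() == "text/plain":
            text = payload.decode("latin-1", errors="replace").strip()
            if BODY_RE.match(text):
                body_ok = True
    return body_ok and attach_ok


def host_indicators(files: dict, run_values: dict, windows2000_values: dict) -> list:
    """Check an abstracted host snapshot for the symptoms listed above.
    files: path -> size in bytes; run_values: HKCU\\...\\Run name -> data;
    windows2000_values: HKCU\\Software\\Windows2000 name -> data."""
    hits = []
    by_lower = {path.lower(): size for path, size in files.items()}
    if by_lower.get((SYSTEM_DIR + r"\au.exe").lower()) == BAGLE_B_SIZE:
        hits.append("AU.EXE (11,264 bytes) present in %SYSTEM%")
    if run_values.get("au.exe", "").lower().endswith(r"\au.exe"):
        hits.append("HKCU Run entry au.exe present")
    if {"gid", "frn"} <= set(windows2000_values):
        hits.append("HKCU\\Software\\Windows2000 gid/frn entries present")
    return hits


def build_sample(subject: str, body: str, attach_name: str, attach_bytes: bytes) -> str:
    """Construct a multipart message string for testing the matcher."""
    msg = MIMEMultipart()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    part = MIMEApplication(attach_bytes, Name=attach_name)
    part["Content-Disposition"] = f'attachment; filename="{attach_name}"'
    msg.attach(part)
    return msg.as_string()


# Constructed samples: the first mirrors the example in the write-up,
# the second has the same text but a wrong-sized attachment.
SAMPLE_INFECTED = build_sample("ID ldksy... thanks", "Yours ID rnhyijwo -- Thank",
                               "jeqcnfmbiv.exe", b"\x00" * BAGLE_B_SIZE)
SAMPLE_WRONG_SIZE = build_sample("ID ldksy... thanks", "Yours ID rnhyijwo -- Thank",
                                 "jeqcnfmbiv.exe", b"\x00" * 100)

# Constructed host snapshot showing all three symptoms.
SNAPSHOT_FILES = {SYSTEM_DIR + r"\au.exe": BAGLE_B_SIZE}
SNAPSHOT_RUN = {"au.exe": SYSTEM_DIR + r"\au.exe"}
SNAPSHOT_W2K = {"gid": "x", "frn": "y"}

if __name__ == "__main__":
    print("infected sample:", matches_bagle_b_mail(SAMPLE_INFECTED))
    print("wrong-size sample:", matches_bagle_b_mail(SAMPLE_WRONG_SIZE))
    for hit in host_indicators(SNAPSHOT_FILES, SNAPSHOT_RUN, SNAPSHOT_W2K):
        print("host:", hit)
```

The mail matcher requires all three parts (subject, body, attachment size) before it reports a match, which keeps a gateway rule from firing on a reply that merely quotes the worm's text; the host check reports each symptom separately so an analyst can see which of the three artifacts a machine actually shows.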