Win32.Bagle.U@mm (W32.Beagle.U@mm, W32/Bagle-U)
SYMPTOMS:

- Presence of the following file in the %SYSDIR% folder: %SYSDIR%\gigabit.exe
- Presence of the following registry value:
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  "Gigabit.exe"="%SYSDIR%\\gigabit.exe"

Where %SYSDIR% is the SYSTEM folder (usually C:\WINDOWS\SYSTEM).

TECHNICAL DESCRIPTION:

It arrives in an e-mail in the following format:

Subject: none
Body: none
Attachment: randomstring.exe

If the user opens the attachment, the worm copies itself into the %SYSDIR% folder under the name gigabit.exe.

It adds the following registry value so that it runs at every logon of the current user:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Gigabit.exe"="%SYSDIR%\\gigabit.exe"

It starts mshearts.exe (the Windows Hearts game).

It waits for connections on TCP port 4751. This port is used for uploading and executing a file, i.e. it acts as a backdoor.

It searches for e-mail addresses in files with the following extensions: .wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp, and it sends itself to all the addresses it finds, in the same format in which it arrived.

It avoids sending itself to e-mail addresses containing the following strings: @avp, @microsoft

It sends some information to a web page.

The worm stops spreading after 01.01.2005.

Removal instructions: Let BitDefender delete the infected files.

ANALYZED BY: Sorin Victor Dudea, BitDefender AntiVirus Researcher
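The three host-side indicators above (dropped file, Run value, port 4751 listener) can be checked from an elevated PowerShell prompt. This is an added example, not a BitDefender tool; it assumes a modern Windows PowerShell session (Get-NetTCPConnection needs Windows 8 / Server 2012 or later, so netstat is used as a fallback) and checks both the legacy %SYSDIR% path named above and the modern System32 folder.

```powershell
# Added example: report Bagle.U indicators on the local host (detection only).
$findings = @()

# 1. Dropped file: gigabit.exe in the system folder. The advisory names %SYSDIR%
#    (historically C:\WINDOWS\SYSTEM); also check System32 on modern Windows.
$sysDirs = @(
    (Join-Path $env:SystemRoot 'SYSTEM'),
    (Join-Path $env:SystemRoot 'System32')
)
foreach ($dir in $sysDirs) {
    $candidate = Join-Path $dir 'gigabit.exe'
    if (Test-Path -LiteralPath $candidate) {
        $findings += "File present: $candidate"
    }
}

# 2. Persistence: value "Gigabit.exe" under the per-user Run key.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'Gigabit.exe' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += "Run value: Gigabit.exe = $($runValue.'Gigabit.exe')"
}

# 3. Backdoor: something listening on TCP 4751.
$listener = $null
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listener = Get-NetTCPConnection -LocalPort 4751 -State Listen -ErrorAction SilentlyContinue
} else {
    # Fallback for older systems: parse netstat output for a LISTENING socket on 4751.
    $listener = netstat -ano | Select-String ':4751\s+.*LISTENING'
}
if ($listener) {
    $findings += 'TCP port 4751 is in LISTENING state'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bagle.U indicators found.'
} else {
    Write-Output 'Possible Bagle.U infection:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A listener on 4751 alone is not proof of infection (any process may bind that port); treat it as a lead to confirm against the file and Run value before cleaning with the vendor's tool as the advisory instructs.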