|
|
|
|
| Virus Encyclopedia |  |
Riskware | |
Alerts | |
Analysis | |
News | |
Glossary | |
Weblog |
 |
| ||||||
|
| ||||||
|
| ||||||
| |||||||||||
Home / Viruses / Virus Encyclopedia / Malware Descriptions / Network Worms / Email Worms
Email-Worm.Win32.Bagle.gtOther versions: .a, .aa, .ah, .ai, .al, .an, .ao, .as, .at, .au, .ax, .ay, .b, .bb, .bj, .bn, .bo, .c, .cc, .ch, .cl, .cy, .d, .da, .dx, .e, .eb, .ef, .eg, .ek, .f, .fb, .fj, .fm, .fy, .gm, .i, .j, .k, .l, .m, .n, .p, .q, .r, .s, .t, .y, .z
This worm spreads via the Internet as an attachment to infected messages. Infected messages will be sent to all email addresses harvested from the victim machine. The worm is also able to download other files from the Internet without the knowledge or consent of the user. The worm itself is a PE EXE file. The file is 40,565 bytes in size. InstallationDuring installation, the worm creates the following hidden file: %Documents and Settings%\Application Data\hidn It then copies its body to this folder under the following names: %Documents and Settings%\Application Data\hidn\hidn2.exe %Documents and Settings%\Application Data\hidn\hldrrr.exe The worm also adds a link to its executable file in the system registry, ensuring that it will be launched when Windows is rebooted on the victim machine: [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "drv_st_key" = "%Documents and Settings%\Application Data\hidn\hidn2.exe" The worm deletes the following registry key, making it impossible to boot the infected computer in Safe Mode: [HKLM\System\CurrentControlSet\Control\SafeBoot] Propagation via emailThe worm scans all hard disk partitions for files with the following extensions. Email addresses will be harvested from these files. .adb .asp .cfg .cgi .dbx .dhtm .eml .htm .jsp .mbx .mdx .mht .mmf .msg .nch .ods .oft .php .pl .sht .shtm .stm .tbb .txt .uin .wab .wsh .xls .xml The worm is also able to download files from the Internet which contain email addresses. It will download such files from the following links: http://acce***le.cl/1/eml.php http://am***dy.com/1/eml.php http://avatare***atis.com/1/eml.php http://be***lu.com.tr/1/eml.php http://brand***ck.com/1/eml.php http://c-***.com.au/1/eml.php http://cam***mafra.sc.gov.br/1/eml.php http://campos***ipamentos.com.br/1/eml.php http://cbr***o.sos.pl/1/eml.php http://coparefre***s.stantonstreetgroup.com/1/eml.php http://creai***ire.com/1/eml.php http://dese***i.com.br/1/eml.php http://hotel***lba.com/1/eml.php http://inca.d***solution.net/1/eml.php http://veranm***ala.com/1/eml.php http://wkligh***azwa.pl/1/eml.php http://www.***npl.com/1/eml.php http://www.aura***.com/1/eml.php http://www.buy***ital.co.kr/1/eml.php http://www.d***.cl/1/eml.php http://www.disco***apuzzle.com/1/eml.php http://www.in***file.gr/1/eml.php http://www.tita***tors.com/images/1/eml.php http://yon***n24.co.kr/1/eml.php A file downloaded from these links will be saved to the Windows temporary directory: %WinDir%\elist.xpt The worm sends itself to all email addresses in the downloaded file. The worm will not send itself to email addresses which contain the following strings: @avp. @foo @iana @messagelab abuse admin anyone@ bsd bugs@ cafee certific contract@ feste free-av f-secur gold-certs@ google help@ icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip The worm uses its own SMTP engine to send infected messages. Infected messages:Attachment name (chosen at random from the list below):latest_price.zip new_price.zip price.zip
The worm contains a list of URLs, which will be checked for the presence of files: http://5050clothing.com*** http://axelero.hu*** http://calamarco.com*** http://ceramax.co.kr*** http://charlesspaans.com*** http://chatsk.wz.cz*** http://checkalertusa.com*** http://cibernegocios.com.ar*** http://cof666.shockonline.net*** http://comaxtechnologies.net*** http://concellodesandias.com*** http://dev.jintek.com*** http://dogoodesign.ch*** http://donchef.com*** http://erich-kaestner-schule-donaueschingen.de*** http://foxvcoin.com*** http://grupdogus.de*** http://hotchillishop.de*** http://ilikesimple.com*** http://innovation.ojom.net*** http://kisalfold.com*** http://knickimbit.de*** http://kremz.ru*** http://massgroup.de*** http://poliklinika-vajnorska.sk*** http://prime.gushi.org*** http://svatba.viskot.cz*** http://systemforex.de*** http://uwua132.org*** http://vanvakfi.com*** http://vega-sps.com*** http://vidus.ru*** http://viralstrategies.com*** http://Vivamodelhobby.com*** http://vkinfotech.com*** http://vproinc.com*** http://v-v-kopretiny.ic.cz*** http://vytukas.com*** http://waisenhaus-kenya.ch*** http://watsrisuphan.org*** http://wbecanada.com*** http://web-comp.hu*** http://webfull.com*** http://welvo.com*** http://wvpilots.org*** http://www.ag.ohio-state.edu*** http://www.ag.ohio-state.edu*** http://www.chapisteriadaniel.com*** http://www.chittychat.com*** http://www.cort.ru*** http://www.crfj.com*** http://www.kersten.de*** http://www.kljbwadersloh.de*** http://www.voov.de*** http://www.walsch.de*** http://www.wchat.cz*** http://www.wg-aufbau-bautzen.de*** http://www.wzhuate.com*** http://xotravel.ru*** http://yeniguntugla.com*** http://zebrachina.net*** http://zsnabreznaknm.sk*** If a file is found at any of these addresses, it will be downloaded to the victim machine: %System%\re_file.exe The file will then be launched for execution.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
| |||||||||||
Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
Email: webmaster@viruslist.com
