FRISK Software International


Summary of W32/Bagle.DI@mm
Discovered: 15 Dec 2005
Definition files: 15 Dec 2005
Risk Level: Medium
Distribution: Medium
 

Brief Description
W32/Bagle.DI is a mass mailing worm that has its own SMTP engine. It tries to download files from multiple URLs, some of which contain a list of e-mail addresses while others contain other malware that the worm runs.


Technical Description
The worm copies itself to %WINDIR%\system32\wind2ll2.exe.

Adds the value:

"erfgddfk" = "%WINDIR%\system32\wind2ll2.exe"

to the registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

and tries to delete the values:

"My AV"
"Zone Labs Client Ex"
"9XHtProtect"
"Antivirus"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"

from the same keys.

Tries to download files from a list of URLs to

%WINDIR%\re_file.exe

and, if successful, executes the downloaded file.

Tries to download files from a list of URLs to

%WINDIR%\eml.exe

Sends an e-mail with a zipped copy of the W32/Mitglieder.GV Trojan attached.
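The following read-only check, added here as an example and not part of the FRISK advisory, looks for the host-side indicators listed above: the "erfgddfk" value under the standard Run keys in HKLM and HKCU, the worm copy in %WINDIR%\system32, and the two download targets re_file.exe and eml.exe. Paths are built from the %WINDIR% environment variable; the script only reports and does not modify anything.

```powershell
# Added example (not from the FRISK advisory): reports the W32/Bagle.DI
# persistence and dropped-file indicators named in the advisory.
# Run from an elevated PowerShell so both HKLM and HKCU can be read.

$valueName = 'erfgddfk'                     # Run value name used by the worm
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Files the advisory says the worm writes; %WINDIR% is resolved at run time.
$droppedFiles = @(
    (Join-Path $env:WINDIR 'system32\wind2ll2.exe'),   # worm copy
    (Join-Path $env:WINDIR 're_file.exe'),             # downloaded and executed
    (Join-Path $env:WINDIR 'eml.exe')                  # downloaded
)

$findings = @()

# Persistence check: the value is absent on a clean host, so SilentlyContinue
# turns "property not found" into an empty result instead of an error.
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Run value '$valueName' present in $key -> $($item.$valueName)"
    }
}

# Dropped-file check.
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Bagle.DI indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

If the Run value or any of the files is reported, treat the host as infected: the downloaded re_file.exe may be a different piece of malware than the worm itself, so quarantine the files for analysis rather than simply deleting them, and follow the vendor's removal instructions for the cleanup.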

Avoids sending e-mail to addresses containing any of these substrings:

@eerswqe
@derewrdgrs
@microsoft
rating@
f-secur
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
admin
icrosoft
support
ntivi
linux
listserv
certific
sopho
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
@avp.
noreply
local
root@
postmaster@


Removal Instructions
For general removal instructions please click here.

Marteinn Þór Harðarson
 

