Win32.Bagle.U@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Bagle.U@mm is also known as W32.Beagle.U@mm, W32/Bagle-U.
Explanation:
It arrives in an e-mail in the following format:
Subject:
none
Body:
none
Attachment:
randomstring.exe
If the user opens the attachment, the worm copies itself to the %SYSDIR% folder
under the name gigabit.exe.
It adds the following registry value so that it runs at every logon:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Gigabit.exe"="%SYSDIR%\gigabit.exe"
It starts mshearts.exe (the Windows Hearts game).
It listens for connections on port 4751; a remote party can use this port to upload a file to the machine and execute it.
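The two host-side indicators above, the Run value and the listening port, can be checked offline from a registry export and netstat output. The script below is an added example, not BitDefender's code or the worm's own; it assumes its inputs are the text of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (decoded from UTF-16) and of `netstat -ano`. The sample inputs are constructed, with %SYSDIR% taken to be C:\WINDOWS\system32.

```python
import re

# Indicators from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"  # HKCU as `reg export` spells it
DROPPED_FILE = "gigabit.exe"   # copied into %SYSDIR% and registered under Run
BACKDOOR_PORT = 4751           # worm listens here to receive and execute a file

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')          # "name"=data
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_reg_export(text):
    """Minimal parser for `reg export` output (already decoded from UTF-16).
    Returns {key_path: {value_name: data}}; only REG_SZ values are kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg files escape backslash and double quote inside REG_SZ data
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return keys


def find_gigabit_run_entry(reg_text):
    """Return (value_name, data) of a Run value installing gigabit.exe, else None.
    Registry value names are case-insensitive, so compare lowercased."""
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if name.lower() == DROPPED_FILE or data.lower().endswith("\\" + DROPPED_FILE):
            return name, data
    return None


def find_listeners(netstat_text, port):
    """Return PIDs of TCP sockets in LISTENING state on `port` from `netstat -ano` output."""
    pids = []
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m.group(1).rsplit(":", 1)[1]) == port:   # rsplit also handles [::]:4751
            pids.append(int(m.group(2)))
    return pids


def check_host(reg_text, netstat_text):
    """Combine both indicators. The Run value is the strong one; a listener on
    4751 alone is weak evidence, since any process may happen to use that port."""
    findings = {}
    entry = find_gigabit_run_entry(reg_text)
    if entry:
        findings["run_key"] = entry
    pids = find_listeners(netstat_text, BACKDOOR_PORT)
    if pids:
        findings["backdoor_listener_pids"] = pids
    return findings


# Constructed sample inputs (not captured from a real infection); %SYSDIR% assumed to be C:\WINDOWS\system32.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Gigabit.exe"="C:\\WINDOWS\\system32\\gigabit.exe"
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4751           0.0.0.0:0              LISTENING       1804
  TCP    192.168.1.5:1034       10.0.0.2:80            ESTABLISHED     1804
  UDP    0.0.0.0:123            *:*                                    1024
"""

if __name__ == "__main__":
    print(check_host(SAMPLE_REG, SAMPLE_NETSTAT))
```

On a live host, feed `check_host` the contents of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (read as UTF-16) and the output of `netstat -ano`. A PID returned for port 4751 should then be tied back to its image path before drawing any conclusion, since the port match by itself proves nothing.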
It searches for e-mail addresses in files with the following extensions:
.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml,
.nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft,
.uin, .cgi, .mht, .dhtm, .jsp
and sends itself to all the addresses it finds, in the same e-mail format in which it arrived.
It avoids sending itself to e-mail addresses containing the following strings:
@avp
@microsoft
It sends some information to a web page.
The worm stops spreading after 01.01.2005.
Last update: 21 November 2011