Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity LOW
Payload Possible backdoor/update functionality
Detection files published 18 Jan 2004 03:00:00
Description created 19 Jan 2004 05:25:00
Description updated 20 Jan 2004 05:25:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Bagle.A@mm

Spreading

n/a

Payload Details

The worm starts a thread that listens on port 6777 for incoming connections. This is most likely part of some update functionality.
The worm body contains a list of web addresses.
The worm attempts to contact these sites, passing parameters that describe the port it listens on and a user ID (a random string). The referenced PHP script was, however, not present at any of the sites tested.
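As an added defender-side example (not part of the Lumension description), the Python below turns the two behaviours above into checks: it scans Common Log Format proxy lines for GET requests to a /1.php path that carry a query string, and scans netstat-style output for a listener on port 6777. It assumes CLF proxy logs, that the 6777 listener is TCP, and constructed sample data; the worm's actual query parameter names are not given in the description, so any non-empty query on /1.php is matched.

```python
# Added detection helper for the Bagle.A check-in and listener behaviour above.
# Assumptions: proxy logs are Common Log Format; the listener is TCP; the worm's
# query parameter names are not documented, so any non-empty query on /1.php matches.
import re
from urllib.parse import urlsplit, parse_qs

BAGLE_LISTEN_PORT = 6777       # from the description
BAGLE_CHECKIN_PATH = "/1.php"  # from the description

# CLF: host ident user [time] "METHOD URL PROTO" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def find_checkins(log_lines):
    """Return (client, url, query_dict) for requests matching the check-in pattern."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client, method, url, _status = m.groups()
        parts = urlsplit(url)
        if method == "GET" and parts.path == BAGLE_CHECKIN_PATH and parts.query:
            hits.append((client, url, parse_qs(parts.query)))
    return hits

def listener_hosts(netstat_lines, port=BAGLE_LISTEN_PORT):
    """From 'netstat -an'-style lines, return local sockets listening on port."""
    found = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[0].upper() == "TCP" and fields[-1] == "LISTENING":
            if fields[1].rsplit(":", 1)[-1] == str(port):
                found.append(fields[1])
    return found

# Constructed sample data (not captured from a real infection).
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [19/Jan/2004:10:00:01 +0000] "GET http://www.example.test/1.php?p=6777&id=abcd1234 HTTP/1.0" 404 312',
    '10.0.0.7 - - [19/Jan/2004:10:00:02 +0000] "GET http://www.example.test/index.html HTTP/1.0" 200 5120',
    '10.0.0.9 - - [19/Jan/2004:10:00:03 +0000] "GET http://intranet.test/1.php HTTP/1.0" 200 90',
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING",
    "  TCP    10.0.0.5:1043          10.0.0.1:80            ESTABLISHED",
]

if __name__ == "__main__":
    print(find_checkins(SAMPLE_PROXY_LOG), listener_hosts(SAMPLE_NETSTAT))
```

Only the first log line matches (path /1.php with a query); the third, lacking a query string, is skipped, and only the 6777 socket is reported from the netstat sample.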

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14