Lumension® Endpoint Intelligence Center


Overview

Threat Risk HIGH
Destructivity MEDIUM
Payload Backdoor functionality
Detection files published 16 Feb 2004 03:00:00
Description created 17 Feb 2004 05:06:00
Description updated 18 Feb 2004 01:14:00
Malware type WORM
Alias W32/Tanx.A
Spreading mechanism EMAIL
Summary None

W32/Bagle.B@mm

Spreading

When executed, this worm first checks whether the current date is later than Feb. 25th 2004. If it is, it simply quits and does nothing.
If the date is earlier or equal, it copies itself to the Windows system directory under the name AU.EXE and installs itself in the registry so that it runs at startup.
After this it normally invokes the sound recorder application SNDREC32.EXE; however, this does not happen if the worm starts as a result of an update process or if it is started from the System directory.
It harvests email addresses from *.wab, *.htm, *.html and *.txt files found on the local hard drives and uses these when composing emails.
The worm creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   au.exe = [SYSTEM]\au.exe
HKCU\Software\Windows2000 gid=[random number]
HKCU\Software\Windows2000 frn=1
Every 10000th second (roughly every 2.7 hours) it attempts to contact the web sites below, passing the port number it listens on and the infected user's ID number as parameters.
http://www.47df.de/wbboard/1.php
http://www.strato.de/1.php
http://intern.games-ring.de/1.php
http://www.strato.de/2.php

Payload Details

The worm installs a listener on port 8866 and allows a remote attacker to upload and execute a file through this port.
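The registry entries listed under Spreading and the port 8866 listener described here are the host indicators a responder would check for. The following added example (not part of the Lumension description) scans a constructed `reg export` file and constructed `netstat -an` output for them; the `HKEY_CURRENT_USER` spelling of the HKCU keys and the sample data are assumptions for the example.

```python
import re

# Indicators taken from the description above; hive names as written by 'reg export'.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows2000"
BACKDOOR_PORT = 8866

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def find_registry_indicators(reg_text):
    """Report the au.exe Run entry and the gid/frn marker values the worm writes."""
    hits, keys = [], parse_reg_export(reg_text)
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "au.exe" or data.lower().endswith("\\au.exe"):
            hits.append(f"Run entry {name} -> {data}")
    marker = keys.get(MARKER_KEY, {})
    if "gid" in marker or marker.get("frn") == "dword:00000001":
        hits.append(f"{MARKER_KEY} marker values {sorted(marker)}")
    return hits

def find_backdoor_listener(netstat_text):
    """Return local endpoints in 'netstat -an' output that listen on the backdoor port."""
    listening = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.M)
    return [f"{ip}:{port}" for ip, port in listening.findall(netstat_text)
            if int(port) == BACKDOOR_PORT]

# Constructed sample input shaped like a 'reg export HKCU' file and 'netstat -an' output.
REG_TEXT = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"au.exe"="C:\\WINDOWS\\system32\\au.exe"

[HKEY_CURRENT_USER\Software\Windows2000]
"gid"="1234567"
"frn"=dword:00000001
"""
NETSTAT_TEXT = """  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8866           0.0.0.0:0              LISTENING
"""
```

On a live host the same functions can be fed the output of `reg export HKCU hkcu.reg` and `netstat -an`; a Run entry named au.exe plus a listener on 8866 together match this worm's footprint.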

Analysis

n/a

Removal

This worm was proactively detected by the Lumension Sandbox technology as W32/Malware.


Last Updated: 12 Nov 2015 11:06:15