Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: LOW
Payload: Terminates certain processes
Detection: files published
Description created: 18 Mar 2004 02:05:00
Description updated: 02 Apr 2004 04:05:00
Malware type: WORM
Alias: (none listed)
Spreading mechanism: EMAIL, FILE_INFECTION, OTHER
Summary: None

W32/Bagle.Q@mm

Spreading

n/a

Payload Details

n/a

Analysis

The following is a portion of the instant analysis done by the Lumension Sandbox Technology:

[ General information ]
* Attemps to open C:\WINDOWS\SYSTEM\directs.exe NULL.
* Creating several executable files on hard-drive.
* File length: 25600 bytes.
* Total emulation cycles required: 4547276.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\directs.exe.

[ Changes to registry ]
* Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "My AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Zone Labs Client Ex" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Zone Labs Client Ex" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "9XHtProtect" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "9XHtProtect" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Antivirus" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Antivirus" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Special Firewall Service" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Special Firewall Service" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "service" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "service" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Tiny AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Tiny AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "ICQNet" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "ICQNet" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "HtProtect" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "HtProtect" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "NetDy" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "NetDy" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "ICQ Net" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "ICQ Net" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "directs.exe"="C:\WINDOWS\SYSTEM\directs.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Connect port 81 [DGRAM], IP 0.0.0.0.
* Connect port 2556 [DGRAM], IP 0.0.0.0.

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 81.
* Possible backdoor functionality [UNKNOWN] port 2556.

Removal

This worm was proactively detected using the Lumension Sandbox technology.

Last Updated: 12 Nov 2015 11:06:11