Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: LOW
Payload: none listed
Detection files published: not stated
Description created: 18 Mar 2004 02:15:00
Description updated: 02 Apr 2004 01:15:00
Malware type: WORM
Alias: none listed
Spreading mechanism: EMAIL, FILE_INFECTION, OTHER
Summary: None

W32/Bagle.R@mm

Spreading

n/a

Payload Details

n/a

Analysis

[ General information ]
* Attempts to open C:\WINDOWS\SYSTEM\direct.exe NULL.
* Creates several executable files on the hard drive.
* File length: 25600 bytes.
* Total emulation cycles required: 4540790.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\direct.exe.

[ Changes to registry ]
* Deletes each of the following values from both "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
  "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus", "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect", "NetDy", "ICQ Net".
* Creates value "direct.exe"="C:\WINDOWS\SYSTEM\direct.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Connect port 81 [DGRAM], IP 0.0.0.0.
* Connect port 2556 [DGRAM], IP 0.0.0.0.

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 81.
* Possible backdoor functionality [UNKNOWN] port 2556.
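A host triage check for the indicators in the analysis above, added here as an example; it is not Lumension's tooling and not part of the original description. The Run key names, the "direct.exe" value and its path, and ports 81 and 2556 are taken from the analysis. The function names, the .reg export and the netstat -an listing are constructed for the example. Working from an exported .reg file and a saved netstat listing keeps the check offline and runnable anywhere; on a live Windows host the same data comes from reg export and netstat -an. The port check matches either protocol, because the sandbox output labels the sockets DGRAM while the backdoor note does not state a protocol.

```python
import re

# Indicators taken from the analysis section above. Everything else in this
# block (function names, the sample .reg export and the netstat listing) is
# an assumption constructed for the example.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
PERSISTENCE_VALUE = "direct.exe"
PERSISTENCE_PATH = r"C:\WINDOWS\SYSTEM\direct.exe"
BACKDOOR_PORTS = {81, 2556}


def parse_reg_export(text):
    """Parse a regedit export into {key: {value_name: data}}.

    Handles the common '"name"="string"' form, unescaping the doubled
    backslashes regedit writes. Other data types (dword:, hex:) are kept
    raw and multi-line hex continuations are not joined.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_persistence(keys):
    """Return (key, name, data) for Run values matching the worm's autostart entry.

    Registry value names and Windows paths are case-insensitive, so both
    comparisons are lowercased. Matching on the data as well catches a
    renamed value that still points at the dropped file.
    """
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if name.lower() == PERSISTENCE_VALUE or data.lower() == PERSISTENCE_PATH.lower():
                hits.append((key, name, data))
    return hits


def find_backdoor_ports(netstat_lines):
    """Return the subset of BACKDOOR_PORTS bound locally in 'netstat -an' output."""
    found = set()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        port = parts[1].rsplit(":", 1)[-1]
        if port.isdigit() and int(port) in BACKDOOR_PORTS:
            found.add(int(port))
    return found


def triage(reg_text, netstat_text):
    """Run both checks and return one report dict."""
    persistence = find_persistence(parse_reg_export(reg_text))
    ports = find_backdoor_ports(netstat_text.splitlines())
    return {
        "persistence": persistence,
        "ports": sorted(ports),
        "suspect": bool(persistence) or bool(ports),
    }


# Constructed sample inputs: an export of the two Run keys from a host where
# the worm's autostart value is present, and a netstat listing with both ports bound.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"direct.exe"="C:\\WINDOWS\\SYSTEM\\direct.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
'''

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         127.0.0.1:1028         ESTABLISHED
  UDP    0.0.0.0:2556           *:*
"""

if __name__ == "__main__":
    report = triage(SAMPLE_REG, SAMPLE_NETSTAT)
    for key, name, data in report["persistence"]:
        print(f"autostart value {name!r} = {data!r} under {key}")
    for port in report["ports"]:
        print(f"port {port} bound locally")
    print("host suspect" if report["suspect"] else "no indicators found")
```

A hit on the Run value alone is a strong signal; a bound port 81 or 2556 on its own is weak, since legitimate services can use either, so the report keeps the two findings separate rather than collapsing them into a single score.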

Removal

This worm was proactively detected using the Lumension Sandbox technology.


Last Updated: 12 Nov 2015 11:06:12