Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Bagle.U@mm


Destructivity MEDIUM MEDIUM
Payload Backdoor
Detection files published
Description created 26 Mar 2004 01:29:00
Description updated 26 Mar 2004 01:29:00
Malware type WORM
Spreading mechanism EMAIL
Summary None



When Bagle.U is executed it checks to see if it was run from %SYSTEM%\Gigabit.exe, and if not copies itself there and creates the following registry key to ensure it is started with Windows: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Gigabit.exe = “%SYSTEM%\gigabit.exe" The worm will also create the following registry keys during execution: HKEY_CURRENT_USER\Software\Windows2004\gsed HKEY_CURRENT_USER\Software\Windows2004\fr1n The new copy of the worm is then executed. If the worm was not executed from %SYSTEM%\Gigabit.exe then the following batch file is created to delete the first instance of Bagle: :l del %1 if exist %1 goto l del %0 a.bat Bagle.U will then search for e-mail addresses in files with the following extension: .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp The worm will then mail a copy of itself to all addresses found, with a blank subject line, no body text and a randomly named attachment with a .exe extension. Bagle will not send mail to any addresses containing either @avp. or @Microsoft.

Payload Details

Bagle.U also sets up a listening thread on port 4751, allowing an attacker to upload and execute programs.




This worm was also detected proactively using the Lumension Sandbox Technology as W32/Backdoor.

Last Updated: 12 Nov 2015 11:06:15