Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload: n/a
Detection files: published
Description created: 17 Jul 2004 03:21:00
Description updated: 17 Jul 2004 03:21:00
Malware type: WORM
Alias: n/a
Spreading mechanism: EMAIL
Summary: None

W32/Bagle.AF@mm

Spreading

[ General information ]
* Attempts to open C:\WINDOWS\cjector.exe NULL.
* Creates several executable files on the hard drive.
* Attempts to open C:\WINDOWS\SYSTEM\sys_xp.exe NULL.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\cjector.exe.
* Creates file C:\WINDOWS\SYSTEM\sys_xp.exe.
* Creates file C:\MYDOCU~1\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe.
[ Changes to registry ]
* Deletes the following values from both "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" (these are the Run entries used by variants of the rival Netsky worm, so the deletion disables a competing infection rather than security software):
  "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus", "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect", "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV", "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng", "SkynetsRevenge", "ICQ Net".
* Creates value "key"="C:\WINDOWS\SYSTEM\sys_xp.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Spreading through P2P networks ]
* P2P worm; drops files into the P2P client's shared upload/download directory (the lure-named executable created under C:\MYDOCU~1\MYSHAR~1\ listed above).
[ Process/window information ]
* Creates a mutex MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D.
* Creates a mutex 'D'r'o'p'p'e'd'S'k'y'N'e't'.
* Creates a mutex _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_.
* Creates a mutex [SkyNet.cz]SystemsMutex.
* Creates a mutex AdmSkynetJklS003.
* Creates a mutex ____--->>>>U<<<<--____.
* Creates a mutex _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_.
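As an added example that is not part of the Lumension description and not Lumension's own tooling, the following Python script turns the indicators above into an offline check: it parses a .reg export of the Run keys, a list of on-disk paths and a list of named-object paths from a handle listing, and reports which Bagle.AF indicators are present. The .reg text, file list and object list at the bottom are constructed samples; the hive paths, the BaseNamedObjects prefixes and the verdict labels are assumptions of this example, not data from the page. On a live host the inputs would come from reg export, a directory listing and a handle enumerator.

```python
# Offline IOC check for the W32/Bagle.AF@mm indicators listed on this page. Inputs:
# a .reg export of the Run keys, file paths present on disk, and named-object
# paths from a handle listing. The sample inputs at the bottom are constructed.
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the description above.
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"
DROPPED_FILES = (
    r"C:\WINDOWS\cjector.exe",
    r"C:\WINDOWS\SYSTEM\sys_xp.exe",
    r"C:\MYDOCU~1\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe",
)
PERSISTENCE_IMAGE = r"C:\WINDOWS\SYSTEM\sys_xp.exe"  # data of the "key" Run value
# These mutex names belong to the rival Netsky family; Bagle.AF creates them to
# block Netsky, so a mutex hit alone does not prove Bagle.AF is the resident worm.
SKYNET_MUTEXES = frozenset((
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
))

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg exports escape \ and " with a backslash

def parse_run_values(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {run_key_path: {value_name: data}} for every Run key in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        sec = _SECTION.match(line)
        if sec:
            path = sec.group(1)
            current = path if path.lower().endswith(RUN_KEY_SUFFIX) else None
            if current is not None:
                keys.setdefault(current, {})
            continue
        val = _VALUE.match(line)
        if current is not None and val:
            keys[current][_unescape(val.group(1))] = _unescape(val.group(2))
    return keys

def find_persistence(run_values: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    # The value name "key" is too generic to match on alone, so match on the image
    # path; both hives are scanned even though the page records the value under HKCU.
    return [(key, name, data)
            for key, values in run_values.items()
            for name, data in values.items()
            if data.strip('"').lower() == PERSISTENCE_IMAGE.lower()]

def find_dropped_files(present_paths: Iterable[str]) -> List[str]:
    wanted = {p.lower() for p in DROPPED_FILES}
    return sorted(p for p in present_paths if p.lower() in wanted)

def find_mutexes(object_paths: Iterable[str]) -> List[str]:
    # Handle listings show \BaseNamedObjects\<name> or \Sessions\<n>\BaseNamedObjects\<name>.
    return [p for p in object_paths if p.rsplit("\\", 1)[-1] in SKYNET_MUTEXES]

def assess(reg_text: str, present_paths: Iterable[str], object_paths: Iterable[str]) -> dict:
    report = {"persistence": find_persistence(parse_run_values(reg_text)),
              "files": find_dropped_files(present_paths),
              "mutexes": find_mutexes(object_paths)}
    if report["persistence"] or report["files"]:
        report["verdict"] = "bagle_af"           # dropper on disk or set to run: confirmed
    elif report["mutexes"]:
        report["verdict"] = "skynet_mutex_only"  # Bagle.AF or a live Netsky; confirm on disk
    else:
        report["verdict"] = "clean"
    return report

# Constructed sample inputs (not captured from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"key"="C:\\WINDOWS\\SYSTEM\\sys_xp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"""
SAMPLE_FILES = [r"C:\WINDOWS\cjector.exe", r"C:\WINDOWS\SYSTEM\sys_xp.exe", r"C:\WINDOWS\notepad.exe"]
SAMPLE_OBJECTS = [r"\BaseNamedObjects\AdmSkynetJklS003",
                  r"\Sessions\1\BaseNamedObjects\[SkyNet.cz]SystemsMutex",
                  r"\BaseNamedObjects\ShimCacheMutex"]

if __name__ == "__main__":
    print(assess(SAMPLE_REG, SAMPLE_FILES, SAMPLE_OBJECTS))
```

The persistence match is on the image path rather than the value name, because a Run value literally called "key" is generic enough to collide with benign software. A mutex-only result is reported separately on purpose: the names above are the ones Bagle.AF creates to keep Netsky from starting, so on their own they are equally consistent with a Netsky infection, and the dropped files or the Run value are what actually confirm this worm.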

Payload Details

n/a

Analysis

n/a

Removal

The worm was detected proactively by Lumension Sandbox as W32/P2PWorm.


Last Updated: 12 Nov 2015 11:06:14