Win32/Bagle [Threat Name]

Win32/Bagle.HE [Threat Variant Name]

Category worm
Size 40565 B
Aliases Email-Worm.Win32.Bagle.gt (Kaspersky)
  W32/Bagle.gen (McAfee)
  Trojan.Tooso!gen (Symantec)
Short description

Win32/Bagle.HE is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself to the following locations:

  • Documents and Settings\All Users\Application Data\hidn\hldrrr.exe
  • Documents and Settings\All Users\Application Data\hidn\hidn2.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drv_st_key

The entry contains the path to the worm's executable.


The following Registry entry is deleted:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

The following text is displayed in Notepad:

  • Text decoding error.
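
The persistence artifacts listed in this section (the two dropped files, the drv_st_key Run value and the removed SafeBoot key) can be checked for on a host. The following is an added example written for this page, not code from the original description or from the vendor: the matching functions take already-collected data, so they run anywhere, and the optional collector only runs on Windows and assumes the current user's HKCU and the %SystemDrive% root. The sample run-key values and file list are constructed.

```python
"""Host check for the Win32/Bagle.HE persistence artifacts described above.
Added example, not from the original page; sample data below is constructed."""
import ntpath
import os
import sys

# Indicators from the description above (paths relative to the system drive, lower-cased).
DROPPED_FILES = {
    r"documents and settings\all users\application data\hidn\hldrrr.exe",
    r"documents and settings\all users\application data\hidn\hidn2.exe",
}
RUN_VALUE_NAME = "drv_st_key"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAFEBOOT_KEY = r"SYSTEM\CurrentControlSet\Control\SafeBoot"


def _norm(path):
    """Lower-case a Windows path and drop the drive letter so C:\\ and D:\\ installs compare equal."""
    lowered = ntpath.normpath(path).lower()
    _drive, rest = ntpath.splitdrive(lowered)
    return rest.lstrip("\\")


def check_run_values(run_values):
    """run_values: {value_name: data} as read from the HKCU Run key. Returns a list of findings."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value {name!r} present, points to {data!r}")
        elif _norm(data) in DROPPED_FILES:
            findings.append(f"Run value {name!r} launches a Bagle.HE drop path: {data!r}")
    return findings


def check_files(existing_paths):
    """Return those of the given existing paths that are Bagle.HE drop locations."""
    return [p for p in existing_paths if _norm(p) in DROPPED_FILES]


def check_safeboot(safeboot_key_present):
    # Without the SafeBoot key Windows cannot start in Safe Mode, which hampers clean-up.
    return [] if safeboot_key_present else ["SafeBoot key missing: Safe Mode boot is disabled"]


def assess(run_values, existing_paths, safeboot_key_present):
    findings = (check_run_values(run_values)
                + check_files(existing_paths)
                + check_safeboot(safeboot_key_present))
    return {"indicators": findings, "suspect": bool(findings)}


def collect_windows():
    """Windows-only collector (assumption: current user's HKCU; other profiles are not scanned)."""
    import winreg  # only importable on Windows
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break
            run_values[name] = str(data)
            index += 1
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT_KEY))
        safeboot_present = True
    except OSError:
        safeboot_present = False
    drive = os.environ.get("SystemDrive", "C:")
    candidates = [drive + "\\" + p for p in DROPPED_FILES]
    return run_values, [p for p in candidates if os.path.exists(p)], safeboot_present


# Constructed sample of what the collector would return on an infected host.
SAMPLE_RUN = {
    "drv_st_key": r"C:\Documents and Settings\All Users\Application Data\hidn\hldrrr.exe",
    "Example": r"C:\Program Files\Example\example.exe",  # constructed benign entry
}
SAMPLE_FILES = [r"C:\Documents and Settings\All Users\Application Data\hidn\hidn2.exe"]

if __name__ == "__main__":
    if sys.platform == "win32":
        print(assess(*collect_windows()))
    else:
        print(assess(SAMPLE_RUN, SAMPLE_FILES, safeboot_key_present=False))
```

The matching is case-insensitive and ignores the drive letter, because the description gives the drop paths without a drive and a user-level Run entry may quote the path in any case.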

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • adb
  • asp
  • cfg
  • cgi
  • dbx
  • dhtm
  • eml
  • htm
  • jsp
  • mbx
  • mdx
  • mht
  • msg
  • nch
  • nmf
  • ods
  • oft
  • php
  • pl
  • sht
  • shtm
  • stm
  • tbb
  • txt
  • uin
  • wab
  • wsh
  • xls
  • xml

Addresses containing the following strings are avoided:

  • ..
  • .@
  • @.
  • @avp.
  • @foo
  • @iana
  • abuse
  • admin
  • anyone@
  • bsd
  • bugs@
  • cafee
  • certific
  • contract@
  • f-secur
  • feste
  • free-av
  • gold-certs@
  • google
  • help@
  • icrosoft
  • info@
  • kasp
  • linux
  • listserv
  • local
  • news
  • nobody@
  • noone@
  • noreply
  • ntivi
  • panda
  • pgp
  • postmaster@
  • rating@
  • root@
  • samples
  • sopho
  • spam
  • support
  • unix
  • update
  • winrar
  • winzip

The worm can fetch some addresses from the Internet or generate random ones.


The subject of the message is one of the following:

  • pric
  • price
  • price_
  • price-

The attachment is a ZIP archive, containing an executable of the worm.


The name of the attachment is one of the following:

  • latest_price
  • new_price
  • price

The name of the executable inside the archive is random.
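
The subject and attachment names above are fixed, which makes the lure easy to catch at a mail gateway. The following is an added example written for this page, not code from the original description or from the vendor: it parses a message with the standard library, flags it when the subject is on the list and a ZIP attachment with one of the listed names is present, and additionally records whether the ZIP carries an executable. The sample messages are constructed in memory; the sender, recipient and inner file name are made up.

```python
"""Mail-gateway rule for the Win32/Bagle.HE lure described above.
Added example, not from the original page; sample messages are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the description above.
SUBJECTS = {"pric", "price", "price_", "price-"}
ATTACHMENT_STEMS = {"latest_price", "new_price", "price"}


def subject_matches(subject):
    """Exact match against the listed subjects, ignoring case and surrounding whitespace."""
    return (subject or "").strip().lower() in SUBJECTS


def attachment_matches(filename):
    """True for <stem>.zip where <stem> is one of the listed attachment names."""
    name = (filename or "").strip().lower()
    return name.endswith(".zip") and name[:-4] in ATTACHMENT_STEMS


def zip_contains_executable(data):
    """True if the ZIP payload has a .exe member; a corrupt ZIP is treated as suspicious."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(n.lower().endswith(".exe") for n in archive.namelist())
    except zipfile.BadZipFile:
        return True


def classify_message(raw_bytes):
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    subject_hit = subject_matches(msg["subject"])
    if subject_hit:
        reasons.append("subject is on the Bagle.HE list")
    attachment_hit = False
    exe_hit = False
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if attachment_matches(fname):
            attachment_hit = True
            reasons.append(f"attachment name {fname!r} is on the Bagle.HE list")
            payload = part.get_payload(decode=True)
            if payload is not None and zip_contains_executable(payload):
                exe_hit = True
                reasons.append("ZIP attachment contains an executable")
    # Subject words like "price" are common in legitimate mail, so the listed
    # attachment name is required and must be joined by the subject or an executable.
    flagged = attachment_hit and (subject_hit or exe_hit)
    return {"flagged": flagged, "reasons": reasons}


def build_sample(subject, attachment_name, inner_name):
    """Construct a message with a ZIP attachment in memory (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(inner_name, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # constructed
    msg["To"] = "recipient@example.test"     # constructed
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


LURE = build_sample("price", "new_price.zip", "ja8fh2.exe")          # constructed lure
BENIGN = build_sample("Price list Q3", "catalogue.zip", "catalogue.pdf")  # constructed benign mail

if __name__ == "__main__":
    print(classify_message(LURE))
    print(classify_message(BENIGN))
```

The rule keys on the combination rather than on the subject alone; the page states that the subject is one of four fixed strings, so an exact match rather than a substring match keeps ordinary "price" correspondence out of quarantine.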

Other information

The worm contains a list of 60 URLs.


It tries to download several files from these addresses; the downloaded files are then executed.
