 

Win32/Bagle.B


Win32/Bagle.B is a worm that spreads as an e-mail file attachment. It runs on Windows 95/98/Me/2000/XP and Windows Server 2003. Its body is compressed with the UPX utility. The attachment has a random file name with the "exe" extension; the compressed file is 11264 bytes and grows to about 53 KB after decompression. The sender address is a random e-mail address, i.e. not the address of the infected user actually spreading the worm. The worm arrives in a message with the following subject:

ID * ... thanks

Where "*" stands for a random string generated by the worm. The body contains the following message:

Yours ID *
--
Thank

Where "*" stands for a random string generated by the worm. The attached file also has a random name.
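The subject, body and attachment characteristics listed above are enough for a mail gateway to flag this worm without a signature. The following is an added example of such a filter, not ESET's detection code; the message samples are constructed here to exercise it, and the 11264-byte attachment size comes from the description above.

```python
"""Mail-gateway check for the Win32/Bagle.B message format described above.

Added example, not part of the original encyclopedia entry and not ESET's
detection logic.  The sample messages below are constructed for the test.
"""
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subject "ID * ... thanks", where * is the worm's random string.
SUBJECT_RE = re.compile(r"^ID\s+(\S+?)\s*\.\.\.\s*thanks$", re.IGNORECASE)
# Body "Yours ID *" / "--" / "Thank".
BODY_RE = re.compile(
    r"^\s*Yours ID\s+(\S+)\s*\r?\n--\s*\r?\nThank\s*$", re.IGNORECASE
)
# Size of the UPX-packed worm body as stated in the description.
PACKED_SIZE = 11264


def bagle_b_indicators(raw_message: str) -> list:
    """Return the list of Bagle.B indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []

    subject = (msg.get("Subject") or "").strip()
    if SUBJECT_RE.match(subject):
        hits.append("subject")

    body_text = ""
    exe_sizes = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and filename.lower().endswith(".exe"):
            payload = part.get_payload(decode=True) or b""
            exe_sizes.append(len(payload))
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_text += payload.decode("utf-8", "replace")

    if BODY_RE.match(body_text):
        hits.append("body")
    if exe_sizes:
        hits.append("exe-attachment")
    if PACKED_SIZE in exe_sizes:
        hits.append("attachment-size")
    return hits


def is_bagle_b_like(raw_message: str) -> bool:
    """An .exe attachment plus the worm's subject or body text is enough to quarantine."""
    hits = bagle_b_indicators(raw_message)
    return "exe-attachment" in hits and ("subject" in hits or "body" in hits)


def build_sample(subject: str, body: str, attach_name: str, attach_bytes: bytes) -> str:
    """Construct a MIME message for testing (constructed data, not a real capture)."""
    msg = MIMEMultipart()
    msg["From"] = "random.sender@example.com"   # spoofed, like the worm's sender
    msg["To"] = "recipient@example.net"
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    part = MIMEApplication(attach_bytes, Name=attach_name)
    part.add_header("Content-Disposition", "attachment", filename=attach_name)
    msg.attach(part)
    return msg.as_string()


# Constructed samples: one shaped like the worm's message, one ordinary.
WORM_LIKE = build_sample(
    "ID kx82ja ... thanks", "Yours ID kx82ja\n--\nThank\n", "wq8jd.exe", b"\x00" * PACKED_SIZE
)
BENIGN = build_sample(
    "Quarterly numbers", "Hi, see attached.\n", "report.pdf", b"%PDF-1.4 constructed"
)

if __name__ == "__main__":
    for name, sample in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(name, bagle_b_indicators(sample), is_bagle_b_like(sample))
```

The attachment size alone is not a reliable indicator, since any 11264-byte executable would match, so `is_bagle_b_like` requires the message text as well; the size is reported separately so an operator can see how many indicators agreed.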

Note: In the text that follows, the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The worm copies itself into the Windows system directory as "au.exe" and registers itself in the registry as follows:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "au.exe" = "%system%\au.exe"

In the key HKEY_CURRENT_USER\SOFTWARE\Windows2000 it creates an entry named gid.

The worm installs a backdoor into the system and then spreads via e-mail. It harvests addresses for spreading from files with the extensions wab, txt, htm and html, skipping any address that contains one of the strings "@hotmail.com", "@msn.com", "@microsoft" and "@avp".

The worm is capable of downloading an executable file from the internet and running it on the infected computer. It connects to the following web sites:

http://www.47df.de/wbboard/1.php
http://www.strato.de/1.php
http://intern.games-ring.de/1.php
http://www.strato.de/2.php

Win32/Bagle.B is one of a long series of worms that NOD32 detects using its unique "Advanced Heuristics", which means that all NOD32 users have been protected against this worm from the moment it was released in the wild. Sample-based detection of Win32/Bagle.B was added in version 1.626.


