Proactive Security
 

W32/Bagle.AE@mm

Threat risk: low

Detection files published: 16 July 2004
Description created: 2004-07-16
Description updated: 2004-07-16

Malware type: Worm
Alias: Bagle.AF
Spreading mechanism: Email, Other

Payload:

Summary

This is an email worm in the Bagle series. File size is variable.

Spreading description

[ General information ]
    * Attempts to open C:\WINDOWS\SYSTEM\sysxp.exe NULL.
    * File length:        21718 bytes.
    * Total emulation cycles required:      4167255.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\sysxp.exe.
    * Creates file C:\MYDOCU~1\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe.

[ Changes to registry ]
    * Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "My AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Zone Labs Client Ex" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Zone Labs Client Ex" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "9XHtProtect" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "9XHtProtect" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Antivirus" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Antivirus" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Special Firewall Service" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Special Firewall Service" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "service" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "service" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Tiny AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Tiny AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "ICQNet" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "ICQNet" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "HtProtect" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "HtProtect" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "NetDy" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "NetDy" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Jammer2nd" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Jammer2nd" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "FirewallSvr" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "FirewallSvr" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "MsInfo" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "MsInfo" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "SysMonXP" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "SysMonXP" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "EasyAV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "EasyAV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "PandaAVEngine" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "PandaAVEngine" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Norton Antivirus AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "Norton Antivirus AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "KasperskyAVEng" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "KasperskyAVEng" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "SkynetsRevenge" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "SkynetsRevenge" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "ICQ Net" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Deletes value "ICQ Net" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "key"="C:\WINDOWS\SYSTEM\sysxp.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

[ Spreading through P2P networks ]
    * P2P worm; drops files in P2P upload/download directory.

[ Process/window information ]
    * Creates a mutex MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D.
    * Creates a mutex 'D'r'o'p'p'e'd'S'k'y'N'e't'.
    * Creates a mutex _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_.
    * Creates a mutex [SkyNet.cz]SystemsMutex.
    * Creates a mutex AdmSkynetJklS003.
    * Creates a mutex ____--->>>>U<<<<--____.
    * Creates a mutex _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_.

Removal

The worm was detected proactively by the Norman Sandbox Technology.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that they detect.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

Usage / Title / Comment
  Stopping the spread of viruses on network shares
  Cleaning of backup folders on Windows Me and XP