Detection files published: 16 July 2004
Description created: 2004-07-16
Description updated: 2004-07-16

Alias: Bagle.AF
Spreading mechanism: Email, Other

Payload:
[ General information ]
* Attempts to open C:\WINDOWS\SYSTEM\sysxp.exe NULL.
* File length: 21718 bytes.
* Total emulation cycles required: 4167255.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\sysxp.exe.
* Creates file C:\MYDOCU~1\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe.
[ Changes to registry ]
* Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "My AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Zone Labs Client Ex" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Zone Labs Client Ex" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "9XHtProtect" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "9XHtProtect" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Antivirus" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Antivirus" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Special Firewall Service" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Special Firewall Service" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "service" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "service" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Tiny AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Tiny AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "ICQNet" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "ICQNet" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "HtProtect" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "HtProtect" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "NetDy" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "NetDy" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Jammer2nd" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Jammer2nd" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "FirewallSvr" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "FirewallSvr" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "MsInfo" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "MsInfo" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "SysMonXP" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "SysMonXP" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "EasyAV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "EasyAV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "PandaAVEngine" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "PandaAVEngine" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Norton Antivirus AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "Norton Antivirus AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "KasperskyAVEng" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "KasperskyAVEng" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "SkynetsRevenge" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "SkynetsRevenge" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "ICQ Net" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "ICQ Net" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "key"="C:\WINDOWS\SYSTEM\sysxp.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Spreading through P2P networks ]
* P2P worm; drops files in P2P upload/download directory.
[ Process/window information ]
* Creates a mutex MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D.
* Creates a mutex 'D'r'o'p'p'e'd'S'k'y'N'e't'.
* Creates a mutex _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_.
* Creates a mutex [SkyNet.cz]SystemsMutex.
* Creates a mutex AdmSkynetJklS003.
* Creates a mutex ____--->>>>U<<<<--____.
* Creates a mutex _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_.
The worm was detected proactively by the Norman Sandbox Technology.
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.
| Usage | Title | Comment |
|---|---|---|
| Blocking viruses that infect network shares | | |
| Cleaning of back-up folders on Windows Me and XP | | |