Alias: Win32.Bagle.10.Gen@mm (BitDefender)
Type: Worm
Size: 29,700 bytes (PE packed)
Origin:
Date: 03-01-2005
Damage:
VDF Version: 6.29.00.156
Danger: Low
Distribution: Medium

General Description

Affected Platforms:
* Windows 98
* Windows NT
* Windows ME
* Windows 2000
* Windows XP
* Windows 2003 Server

Distribution

This worm spreads through the emails it sends once it has been executed. It first checks whether it is able to send email by connecting to smtp.earthlink.net on port 25.
This worm does not generate email addresses itself, nor does it search the drive for them. Instead it makes the HTTP request "http://oceancarrers.com/z/sss2.php" to obtain its email addresses and stores the result in the file <%windir%>\eml.exe.
The emails sent by this worm have no subject, and the body may be one of the following strings:
- price
- new price
The attachments that come with these emails are .zip files with one of the following (or similar) names:

- 08_price
- new__price
- new_price
- newprice
- price
- price2
- price_08
- price_new

The file inside those zip files is "doc_01.exe" (described in TR/Dldr.Bagle).

Technical Details

Once the worm is executed, it first creates a copy of itself in "<%sysdir%>\windlhhl.exe". It then creates a registry entry in the hope that the worm will be executed every time the system starts:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
"erghgjhgdr"="C:\WINDOWS\System32\windlhhl.exe"
Moreover, it deletes the following registry entries in an attempt to prevent some antivirus programs from starting the next time the system restarts:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
"My AV"=-
"Zone Labs Client Ex"=-
"9XHtProtect"=-
"Antivirus"=-
"Special Firewall Service"=-
"service"=-
"Tiny AV"=-
"ICQNet"=-
"HtProtect"=-
"NetDy"=-
"Jammer2nd"=-
"FirewallSvr"=-
"MsInfo"=-
"SysMonXP"=-
"EasyAV"=-
"PandaAVEngine"=-
"Norton Antivirus AV"=-
"KasperskyAVEng"=-
"SkynetsRevenge"=-
"ICQ Net"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
"My AV"=-
"Zone Labs Client Ex"=-
"9XHtProtect"=-
"Antivirus"=-
"Special Firewall Service"=-
"service"=-
"Tiny AV"=-
"ICQNet"=-
"HtProtect"=-
"NetDy"=-
"Jammer2nd"=-
"FirewallSvr"=-
"MsInfo"=-
"SysMonXP"=-
"EasyAV"=-
"PandaAVEngine"=-
"Norton Antivirus AV"=-
"KasperskyAVEng"=-
"SkynetsRevenge"=-
"ICQ Net"=-

However, this appears to be a programming mistake: modifying those registry keys has no major effect.
Description inserted by Crony Walker on Tuesday, June 15, 2004
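
The registry indicators listed under Technical Details can be checked offline against a regedit text export. The Python sketch below is an added example, not part of the original description: it flags the worm's value name or file name and reports whether the entry sits under a real autostart key. The sample export is constructed, and the classification assumes the standard behaviour that Windows launches entries from the key named `Run`, not from one named `Ru1n`.

```python
import re

# Indicators taken from the description above.
WORM_VALUE_NAME = "erghgjhgdr"
WORM_FILE_NAME = "windlhhl.exe"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed sample export in regedit text format, not taken from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
"erghgjhgdr"="C:\\WINDOWS\\System32\\windlhhl.exe"
'''

def scan_export(text):
    """Return (key, value name, data, autostart) for each worm indicator found."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group("key")
            continue
        value = VALUE_RE.match(line)
        if not (key and value):
            continue
        name = value.group("name")
        data = value.group("data").replace("\\\\", "\\")  # .reg files double backslashes
        name_hit = name.lower() == WORM_VALUE_NAME
        file_hit = data.lower().endswith("\\" + WORM_FILE_NAME)
        if name_hit or file_hit:
            # Entries are launched at logon only from ...\CurrentVersion\Run;
            # under the "Ru1n" key shown above the entry exists but is inert.
            autostart = key.lower().endswith(RUN_KEY_SUFFIX)
            findings.append((key, name, data, autostart))
    return findings

if __name__ == "__main__":
    for key, name, data, autostart in scan_export(SAMPLE_EXPORT):
        state = "ACTIVE autostart" if autostart else "present but not an autostart key"
        print(f"{key}: {name} -> {data} ({state})")
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so decode the file accordingly before passing its text to `scan_export`.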
