Alias: W32.Beagle.U@mm, I-Worm.Bagle, WORM_BAGLE.U
Type: Worm
Size: 8,208 bytes
Origin: unknown
Date: 03-26-2004
Damage: Sends itself by email
VDF Version: 6.23.00.71
Danger: Low
Distribution: Medium

General Description
The 8,208-byte worm copies itself as GIGABIT.EXE into the Windows System directory. The emails sent by Worm/Bagle.U have an empty Subject and an empty Body.

Symptoms
* The “Hearts” game is launched.

Distribution
* Sends itself by email.

Technical Details
Worm/Bagle.U sends itself by email. Such an email has the following characteristics:

Subject: (empty)

Body: (empty)

Attachment:
<%random file name%>.exe

When the attachment is opened, the worm copies itself into the Windows System directory as GIGABIT.EXE and launches the “Hearts” game as camouflage.

It adds the following registry entry so that it is run automatically at the next system start:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"gigabit.exe"="C:\\WINDOWS\\SYSTEM\\gigabit.exe"

The worm sends itself, using its own SMTP engine, to email addresses harvested from files with the following extensions:

*.wab
*.txt
*.msg
*.htm
*.shtm
*.stm
*.xml
*.dbx
*.mbx
*.mdx
*.eml
*.nch
*.mmf
*.ods
*.cfg
*.asp
*.php
*.pl
*.wsh
*.adb
*.tbb
*.sht
*.xls
*.oft
*.uin
*.cgi
*.mht
*.dhtm
*.jsp

Worm/Bagle.U tries to download data from the following web site: http://www.we**e.de/5.php

The worm also contains a backdoor function: it listens on TCP port 4751 for further instructions.
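As an added example (not part of the original description), the following Python checker looks for the two host-side indicators given above: the gigabit.exe entry under the Run key in a regedit export, and a TCP socket listening on port 4751 in `netstat -an` output. The registry and netstat text at the bottom is constructed for illustration, not captured from an infected machine.

```python
import re

# Indicators taken from the Worm/Bagle.U description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILE = "gigabit.exe"
BACKDOOR_PORT = 4751


def find_run_persistence(reg_export: str) -> list:
    """Return (value name, normalised path) for Run-key values pointing at gigabit.exe.

    reg_export is .reg text as exported by regedit: keys in [brackets],
    values as "name"="data", with backslashes doubled inside the data."""
    hits = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m:
            # Undo the .reg backslash doubling and compare case-insensitively.
            path = m.group(2).replace("\\\\", "\\").lower()
            if path.endswith("\\" + DROPPED_FILE):
                hits.append((m.group(1), path))
    return hits


def find_backdoor_listener(netstat_output: str) -> bool:
    """True if `netstat -an` output shows a TCP socket listening on port 4751."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                return True
    return False


# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"gigabit.exe"="C:\\WINDOWS\\SYSTEM\\gigabit.exe"
"""
SAMPLE_NETSTAT = """  Proto  Local Address  Foreign Address  State
  TCP    0.0.0.0:135    0.0.0.0:0        LISTENING
  TCP    0.0.0.0:4751   0.0.0.0:0        LISTENING
"""
```

On a real host, feed it the output of `regedit /e` for the HKCU Run key and of `netstat -an`; a hit on either indicator is a reason to follow the removal steps below.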

Manual Removal Instructions

- for Windows 2000/XP:
To remove the worm by hand, first boot into Safe Mode: press the F8 key when the computer starts and select the 'safe mode' option from the menu that appears. Then delete the following file:

* C:\%WinDIR%\System32\GIGABIT.EXE

Then start "regedit" and delete the following registry entry:

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"gigabit.exe"="C:\\WINDOWS\\SYSTEM\\gigabit.exe"

Restart your computer.

- for Windows 9x/Me:
To remove the worm by hand, first boot into Safe Mode: press the F8 key when the computer starts and select the 'safe mode' option from the menu that appears. Then delete the following file:

* C:\%WinDIR%\System\GIGABIT.EXE

Then start "regedit" and delete the following registry entry:

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"gigabit.exe"="C:\\WINDOWS\\SYSTEM\\gigabit.exe"

Restart your computer.

Description added by Crony Walker on Tuesday, 15 June 2004.
