W32/Bagle-KJ

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 26 Jun 2006 00:00:00 (GMT)
Last Updated: 26 Jun 2006 00:00:00 (GMT)


W32/Bagle-KJ is an email worm for the Windows platform.

W32/Bagle-KJ searches an infected computer for email addresses to send itself
to. The emails have the following characteristics:

Subject line: <Random name of a person>

Message text chosen from:

To the beloved
I love you

Attachment filename: <Random name of a person>

When first run, W32/Bagle-KJ copies itself to the following location:

<Current user>\Application Data\hidn\hidn2.exe

and drops a file named m_hook.sys to the same location.

The following registry entry is created in order to automatically start
W32/Bagle-KJ when an infected computer starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<Path to worm>

The file m_hook.sys is a device driver used to hide the worm on an infected
computer; it also attempts to terminate any security programs running on the
system. It is also detected as W32/Bagle-KJ.

m_hook.sys is registered as a service, creating entries under:

HKLM\SYSTEM\CurrentControlSet\Services\m_hook

W32/Bagle-KJ deletes the following registry entries, affecting the safe-mode
boot configurations:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
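The following PowerShell script is an added triage example, not a Sophos tool and not part of the original analysis. It reads the host indicators listed above (the dropped files, the drv_st_key Run value, the m_hook service key, and the two SafeBoot keys) without modifying anything. It assumes that "<Current user>\Application Data" corresponds to the roaming AppData folder, i.e. $env:APPDATA on current Windows versions, and that it is run from an elevated prompt so HKLM can be read.

```powershell
# Added example (not Sophos's own tool): read-only triage for the host
# indicators listed on this page. Run from an elevated PowerShell prompt.
# Assumption: "<Current user>\Application Data" is the profile's roaming
# AppData folder ($env:APPDATA on current Windows versions).

$findings = @()

# 1. Dropped files: hidn\hidn2.exe and m_hook.sys in the same folder.
$hidnDir = Join-Path $env:APPDATA 'hidn'
foreach ($name in 'hidn2.exe', 'm_hook.sys') {
    $path = Join-Path $hidnDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 2. Autorun value drv_st_key under the HKLM Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['drv_st_key']) {
    $findings += "Run value drv_st_key -> $($run.drv_st_key)"
}

# 3. Driver service registration for m_hook.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\m_hook'
if (Test-Path -LiteralPath $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key m_hook present (ImagePath: $img)"
}

# 4. SafeBoot keys: a clean system has both Minimal and Network;
#    their absence is the indicator, since the worm deletes them.
foreach ($profile in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
    if (-not (Test-Path -LiteralPath $key)) {
        $findings += "SafeBoot\$profile key is missing (safe-mode configuration deleted)"
    }
}

if ($findings.Count -eq 0) {
    'No W32/Bagle-KJ host indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { "  - $_" }
}
```

Because m_hook.sys is a driver whose purpose is to hide the worm, a clean result from inside the running system is not conclusive: the file and registry artifacts may be filtered from view. A negative result is only trustworthy when the disk and registry hives are examined offline (for example from clean boot media), and a missing SafeBoot key on its own is already a strong sign that the system has been tampered with and should be restored rather than trusted.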
