W32/Bagle-QT is an email worm for the Windows platform.
W32/Bagle-QT emails itself in an encrypted zip file to addresses found on the users computer.
Emails sent by the worm have the following characteristics:
Subject line chosen from:
new <date>
price<date>
price_ <date>
price_new <date>
Message text chosen from:
It Is Protected
Passwrd:
thank you !!!
Passwrd:
New year's discounts
Passwrd:
The attached file is named:
new_price<date>.zip
price_list<date>.zip
latest_price<date>.zip
<date> is the date the email was sent in the following format 01-Dec-2006.
W32/Bagle-QT is an email worm for the Windows platform.
W32/Bagle-QT emails itself in an encrypted zip file to addresses found on the user's computer.
Emails sent by the worm have the following characteristics:
Subject line chosen from:
new <date>
price<date>
price_ <date>
price_new <date>
Message text chosen from:
It Is Protected
Passwrd:
thank you !!!
Passwrd:
New year's discounts
Passwrd:
The attached file is named:
new_price<date>.zip
price_list<date>.zip
latest_price<date>.zip
<date> is the date the email was sent in the following format 01-Dec-2006.
The zip file is detected as W32/Bagle-Zip.
The zip file is password protected with a 6 digit password which is embedded in the email as an image. The image file displays a 5 digit password.
W32/Bagle-QT copies itself to the hidden file <Application Data>\hidn\hidn.exe and drops the hidden file <Application Data>\hidn\m_hook.sys, also detected as W32/Bagle-QT, which it uses to stealth itself from certain processes including AV applications.
The file <Application Data>\hidn\m_hook.sys is registered as a new system driver service named "m_hook". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
W32/Bagle-QT attempts to terminate and disable a number of services related to security and anti-virus applications.
The first time it is run, W32/Bagle-QT drops the clean file C:\error.gif and opens it. This is an image of the word "Error".
W32/Bagle-QT drops the file C:\temp.zip which contains an encrypted zip of itself.
W32/Bagle-QT attempts to download a file from a number of remote websites to <System>\re_file.exe and then execute it.
W32/Bagle-QT attempts to delete the following registry entry in order to disrupt booting into Safe Mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
W32/Bagle-QT creates the following registry entry the first time it is run:
HKCU\Software\FirstRu<xx>n
FirstRun
1
where <xx> will vary.