Sophos

W32/Bagle-KN


How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 22 June 2006 08:41:10 (GMT)
Last updated 7 July 2006 07:36:21 (GMT)
Detected by All Sophos products

More Information

W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the Windows platform.

Emails sent by the worm have the following characteristics:

The sender's email address is spoofed.

Message text chosen from:

To the beloved
I love you

And appended with any of the following strings:

archive password: <link to imagefile containing password>
The password is <link to imagefile containing password>
Password -- <link to imagefile containing password>
Use password <link to imagefile containing password> to open archive.
Password is <link to imagefile containing password>
Zip password: <link to imagefile containing password>
archive password: <link to imagefile containing password>
Password - <link to imagefile containing password>
Password: <link to imagefile containing password>

The email comes with two file attachments:
<random characters>.GIF
<random name>.ZIP

The file <random characters>.GIF is a GIF image showing the password needed to unzip the ZIP file.

The file <random name>.ZIP when unzipped contains two files:
<random characters>\<random characters>.dll - this file may be safely deleted
<random characters>.exe - detected as W32/Bagle-KN
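As an added example (not code from the Sophos page), the following Python mail-filter rule checks one raw message for the lure described above: exactly one .GIF and one .ZIP attachment, a body carrying one of the listed password-hint phrases or lure texts, and a ZIP whose first local file header has the encryption bit set (the archive is password protected, which is why the password is delivered in the image). The sample messages, sender addresses, file names and the minimal ZIP header bytes are constructed for the example; the ZIP check only reads the header and never extracts anything.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

# Password-hint phrases listed in the advisory (matched case-insensitively);
# in the worm's mails each is followed by a link to the GIF holding the password.
PASSWORD_HINTS = ("archive password:", "the password is", "password --",
                  "use password", "password is", "zip password:",
                  "password -", "password:")
LURE_TEXTS = ("to the beloved", "i love you")


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the encryption bit set."""
    # Local file header: signature(4) version(2) general-purpose flags(2) ...
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def score_bagle_kn_lure(raw: bytes):
    """Return (suspect, reasons) for one raw RFC 822 message.

    The attachment pair (exactly one .gif and one .zip) is required; the
    body phrases and an encrypted archive add corroborating reasons.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    parts = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name:
            parts[name] = part
    gifs = [n for n in parts if n.endswith(".gif")]
    zips = [n for n in parts if n.endswith(".zip")]
    if not (len(parts) == 2 and len(gifs) == 1 and len(zips) == 1):
        return False, reasons
    reasons.append("exactly one .gif and one .zip attached")
    if zip_is_encrypted(parts[zips[0]].get_payload(decode=True) or b""):
        reasons.append("zip archive is password protected")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    if any(h in body for h in PASSWORD_HINTS):
        reasons.append("password hint phrase in body")
    if any(t in body for t in LURE_TEXTS):
        reasons.append("lure text from advisory in body")
    return True, reasons


def build_sample(lure: bool) -> bytes:
    """Constructed sample message for the example; not a captured worm mail."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"      # the worm spoofs this header
    msg["To"] = "victim@example.org"
    msg["Subject"] = "I love you" if lure else "Quarterly figures"
    if lure:
        msg.set_content("To the beloved\nUse password "
                        "http://example.invalid/pw.gif to open archive.")
        msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image",
                           subtype="gif", filename="kd92jx.gif")
        # Minimal local file header with the encryption flag (bit 0) set
        zip_bytes = b"PK\x03\x04" + struct.pack("<HH", 20, 1) + b"\x00" * 22
    else:
        msg.set_content("Figures attached.")
        zip_bytes = b"PK\x03\x04" + struct.pack("<HH", 20, 0) + b"\x00" * 22
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for lure in (True, False):
        print(lure, score_bagle_kn_lure(build_sample(lure)))
```

The attachment pair is the gating condition because the password phrases alone appear in plenty of legitimate mail; the spoofed sender cannot be judged from the message body and belongs to SPF/DKIM checks at the gateway.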

When run, W32/Bagle-KN creates the file <User>\Application Data\hidn\m_hook.sys (where <User> is the user's profile folder). This file is also detected as W32/Bagle-KN and contains functionality to terminate anti-virus and system-related processes and to hide processes.

The file m_hook.sys is registered as a new system driver service named "m_hook", with the display name "Empty" and the startup type Automatic, so that it is loaded at every system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\

The following registry entry is also set:

HKCU\Software\FirstRuxzx
FirstRun
1

W32/Bagle-KN also creates the file C:\error.gif, a GIF image that it subsequently opens. This file can be safely deleted.

W32/Bagle-KN may also copy itself to <User>\Application Data\hidn\hidn1.exe and set the following registry entry so that hidn1.exe is run at user logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<path to worm executable>
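As an added example (not part of the Sophos advisory), the detection logic below runs over a few constructed Windows event records: Service Control Manager event 7045 (a service was installed) and Sysmon event 13 (registry value set), each flattened to one tab-separated line of key=value fields. It matches the indicators given above, the "m_hook" driver service with display name "Empty" and an image under the hidn folder, the drv_st_key Run value, and the FirstRuxzx\FirstRun marker, and, as a generalisation beyond this variant, flags any kernel-mode driver whose image lives under a user profile directory. The record layout, user name, SID and paths are assumptions made for the example.

```python
# Indicators taken from the advisory text (compared case-insensitively).
ADVISORY_SERVICE = "m_hook"
ADVISORY_DISPLAY = "Empty"
ADVISORY_RUN_VALUE = "drv_st_key"
ADVISORY_MARKER_KEY = "\\software\\firstruxzx\\firstrun"
DROP_DIR = "\\application data\\hidn\\"

# Constructed sample records (not real telemetry): one tab-separated line per
# event, in the shape of SCM event 7045 and Sysmon event 13 data fields.
SAMPLE_EVENTS = [
    "EventID=7045\tServiceName=m_hook\tDisplayName=Empty\tServiceType=kernel mode driver\t"
    "StartType=auto start\tImagePath=C:\\Documents and Settings\\alice\\Application Data\\hidn\\m_hook.sys",
    "EventID=13\tEventType=SetValue\tTargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\drv_st_key\t"
    "Details=C:\\Documents and Settings\\alice\\Application Data\\hidn\\hidn1.exe",
    "EventID=13\tEventType=SetValue\tTargetObject=HKU\\S-1-5-21-1\\Software\\FirstRuxzx\\FirstRun\tDetails=DWORD (0x00000001)",
    "EventID=7045\tServiceName=Netlogon\tDisplayName=Net Logon\tServiceType=share process\t"
    "StartType=auto start\tImagePath=C:\\WINDOWS\\system32\\lsass.exe",
    "EventID=13\tEventType=SetValue\tTargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon.exe\t"
    "Details=C:\\WINDOWS\\system32\\ctfmon.exe",
]


def parse_record(line: str) -> dict:
    """Split one tab-separated key=value line into a field dictionary."""
    rec = {}
    for field in line.split("\t"):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def check_service_install(rec: dict) -> list:
    """Rules for a service-installed event (SCM 7045)."""
    hits = []
    if rec.get("EventID") != "7045":
        return hits
    name = rec.get("ServiceName", "").lower()
    image = rec.get("ImagePath", "").lower()
    if name == ADVISORY_SERVICE or rec.get("DisplayName") == ADVISORY_DISPLAY:
        hits.append("service name or display name from advisory")
    if DROP_DIR in image:
        hits.append("service image under the hidn drop directory")
    # Generalisation (assumption, not from the advisory): a kernel-mode driver
    # whose image lives inside a user profile is anomalous on its own.
    if ("kernel mode driver" in rec.get("ServiceType", "").lower()
            and "\\application data\\" in image):
        hits.append("kernel driver loaded from a user profile directory")
    return hits


def check_registry_set(rec: dict) -> list:
    """Rules for a registry value-set event (Sysmon 13)."""
    hits = []
    if rec.get("EventID") != "13":
        return hits
    target = rec.get("TargetObject", "").lower()
    details = rec.get("Details", "").lower()
    if target.endswith("\\currentversion\\run\\" + ADVISORY_RUN_VALUE):
        hits.append("Run value drv_st_key from advisory")
    if target.endswith(ADVISORY_MARKER_KEY):
        hits.append("FirstRuxzx\\FirstRun infection marker")
    if "\\currentversion\\run\\" in target and DROP_DIR in details:
        hits.append("Run value pointing into the hidn drop directory")
    return hits


def scan(lines) -> list:
    """Return (record index, reason) pairs for every rule that fires."""
    findings = []
    for index, line in enumerate(lines):
        rec = parse_record(line)
        for hit in check_service_install(rec) + check_registry_set(rec):
            findings.append((index, hit))
    return findings


if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(index, reason)
```

The three records describing the infection each fire at least one rule, while the Netlogon service install and the ctfmon.exe Run value produce nothing, so the rules can be tightened or loosened against the path and profile-directory checks without touching the name-based indicators.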
