This section is for technical experts who want to know more.
W32/Bagle-QW is a worm for the Windows platform.
W32/Bagle-QW spreads via email within a ZIP file.
W32/Bagle-QW includes functionality to access the internet and communicate
with a remote server via HTTP.
When first run, W32/Bagle-QW copies itself to:
<User>\Application Data\hidn\hidn2.exe
<User>\Application Data\hidn\hldrrr.exe
and creates the following files:
\error.txt - harmless file
\temp.zip - also detected as W32/Bagle-QW
The following registry value is created to run hidn2.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key = <User>\Application Data\hidn\hidn2.exe
W32/Bagle-QW sets the following registry value, which disables the Windows
Automatic Updates service (wuauserv) so that it no longer starts automatically
(a Start value of 4 means "disabled"):
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start = 4
Registry entries are created under:
HKCU\Software\FirstRun
Emails sent by the worm have the following characteristics:
Subject line chosen from:
new <date>
price<date>
price_ <date>
price_new <date>
The message text may be empty.
The attached file is named:
new_price<date>.zip
price_list<date>.zip
latest_price<date>.zip
<date> is the date the email was sent, in the format 12-Dec-2006.
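The following is an added example, not part of the Sophos description, showing how the email and host indicators listed above can be turned into checks: a mail-side matcher for the subject and attachment-name patterns (rejecting date strings that fit the shape but are not real dates) and a host-side check over a parsed registry export. The registry key paths are the page's own; the dictionary layout, the function names and the sample registry data are constructed for this example.

```python
import re
from datetime import datetime

# Subject and attachment shapes quoted above; <date> is rendered like 12-Dec-2006.
DATE = r"(\d{1,2}-[A-Z][a-z]{2}-\d{4})"
SUBJECT_RE = re.compile(r"^(?:new |price_new |price_ |price)" + DATE + r"$")
ATTACH_RE = re.compile(r"^(?:new_price|price_list|latest_price)" + DATE + r"\.zip$", re.I)

# Registry indicators from the description (the {key: {value: data}} layout is this example's).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WUAU_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv"
FIRSTRUN_KEY = r"HKCU\Software\FirstRun"


def _valid_date(text):
    try:  # reject shapes such as 31-Feb-2006 that the regex alone would accept
        datetime.strptime(text, "%d-%b-%Y")
        return True
    except ValueError:
        return False


def matches_bagle_qw(subject, attachment_names):
    """Return the indicators a message shares with the worm's mailer; [] means none."""
    reasons = []
    m = SUBJECT_RE.match(subject.strip())
    if m and _valid_date(m.group(1)):
        reasons.append("subject")
    for name in attachment_names:  # the ZIP attachment name is the stronger signal
        a = ATTACH_RE.match(name.strip())
        if a and _valid_date(a.group(1)):
            reasons.append("attachment:" + name)
    return reasons


def host_indicators(reg):
    """reg maps a registry key path to {value name: data}, as parsed from an export."""
    hits = []
    run_data = str(reg.get(RUN_KEY, {}).get("drv_st_key", ""))
    if run_data.lower().endswith(r"\hidn\hidn2.exe"):
        hits.append("run-key")
    if str(reg.get(WUAU_KEY, {}).get("Start")) == "4":  # 4 = service disabled
        hits.append("wuauserv-disabled")
    if FIRSTRUN_KEY in reg:
        hits.append("firstrun-key")
    return hits


SAMPLE_REGISTRY = {  # constructed sample of an infected host, not a real capture
    RUN_KEY: {"drv_st_key": r"C:\Documents and Settings\user\Application Data\hidn\hidn2.exe"},
    WUAU_KEY: {"Start": 4},
    FIRSTRUN_KEY: {},
}
```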