W32/Bagle.B917@mm

Analysis

  • It drops the following file:
    • C:\sdlflzoip
  • Deletes itself from the current directory.

  • Adds the following registry value (an infection marker):
    • key: HKCU\Software\FirtR
    • value: Fir123s3tRun
    • data: 1
  • Gathers email addresses from files on drive C: that have the following extensions:
    • adb
    • asp
    • cfg
    • cgi
    • dbx
    • dhtm
    • eml
    • htm
    • jsp
    • mbx
    • mdx
    • mht
    • mmf
    • msg
    • nch
    • ods
    • oft
    • php
    • pl
    • sht
    • shtm
    • stm
    • tbb
    • txt
    • uin
    • wab
    • wsh
    • xls
    • xml
  • Avoids sending emails to addresses that contain any of the following strings:
    • @avp
    • @foo
    • @iana
    • @messagelab
    • abuse
    • admin
    • anyone@
    • bs
    • bugs@
    • cafee
    • certific
    • feste
    • free-av
    • f-secur
    • gold-certs@
    • google
    • help@
    • icrosoft
    • info@
    • kasp
    • linux
    • listserv
    • local
    • news
    • nobody@
    • noone@
    • noreply
    • ntivi
    • ntract
    • panda
    • pgp
    • postmaster
    • rating@
    • root@
    • samples
    • sopho
    • spam
    • support
    • unix
    • update
    • winrar
    • winzip
  • Saves the gathered email addresses to a text file with a random filename. This file is compressed into a zip file named C:\sdlflzoip, then sent to the following web site:
    www.ful{REMOVED}g.nl/images/newout.php
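The dropped file and registry value listed above are the host-based indicators a responder can check directly. The following PowerShell script is an added example, not part of the Fortinet entry: it takes the file path, key and value name from this page, and its report layout is an assumption. Because the key is under HKCU, it must run in the context of the user account that was infected.

```powershell
# Added example: check a Windows host for the W32/Bagle.B917@mm indicators
# described in the analysis above (constructed script, not vendor code).
$indicators = @()

# Dropped file: the zip archive of harvested addresses written to the root of C:
$dropPath = 'C:\sdlflzoip'
if (Test-Path -LiteralPath $dropPath) {
    $item = Get-Item -LiteralPath $dropPath
    $indicators += [pscustomobject]@{
        Type   = 'File'
        Name   = $dropPath
        Detail = "size=$($item.Length) bytes, written=$($item.LastWriteTime)"
    }
}

# Infection marker: HKCU\Software\FirtR, value Fir123s3tRun, data 1.
# The worm deletes its original executable, so this value is the durable indicator.
$regKey   = 'HKCU:\Software\FirtR'
$regValue = 'Fir123s3tRun'
if (Test-Path -LiteralPath $regKey) {
    $data = (Get-ItemProperty -LiteralPath $regKey -ErrorAction SilentlyContinue).$regValue
    if ($null -ne $data) {
        $indicators += [pscustomobject]@{
            Type   = 'Registry'
            Name   = "$regKey\$regValue"
            Detail = "data=$data"
        }
    }
}

if ($indicators.Count -eq 0) {
    Write-Output 'No W32/Bagle.B917@mm indicators found on this host.'
} else {
    Write-Output 'W32/Bagle.B917@mm indicators found:'
    $indicators | Format-Table -AutoSize
}
```

A hit on either indicator means the host's address books and document files should be treated as harvested, since the worm had already uploaded the collected addresses before cleanup.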

Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
