Added to Dr.Web virus base March 1, 2004, 20:28 hot add-on
Aliases: W32/Bagle.h@MM, W32/Bagle-H, I-Worm.Bagle.Gen, WORM_BAGLE.H, Win32.Bagle.H, W32.Beagle.H@mm, W32/Bagle.h!pwdzip
Virus type:
File names used by the virus:
Affected platforms: Windows 95/98/ME/NT/2000/XP
Infection signs:
- presence of the file i11r54n4.exe in the Windows\System folder (%SysDir%)
- presence of the following entries in the system registry:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "rate.exe"="%SysDir%\i11r54n4.exe"
  - HKEY_CURRENT_USER\Software\winexe
Virus description:
Win32.HLLM.Beagle.32256 (Beagle.H) is a mass-mailing worm that runs on Windows 95/98/Me/NT/2000/XP.
When executed, the worm drops a copy of itself named i11r54n4.exe into the Windows\System folder
(C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on
Windows XP) and registers that copy in the system registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rate.exe"="%SysDir%\i11r54n4.exe"
so that it is launched at every Windows start. Note that "rate.exe" is only the value name; the program
that actually runs is the one named in the value data, i11r54n4.exe. The worm also creates its own key:
HKEY_CURRENT_USER\Software\winexe
It also drops several more files into the same folder:
i1i5n1j4.exe – a DLL carrying an .exe extension; contains the worm's routine for downloading a system library
go154o.exe – a DLL containing the worm's mass-mailing routine
i11r54n4.exeopen – a zip archive holding a randomly named copy of the worm's executable, which is what the worm attaches to the messages it sends out
In other respects its behaviour is very similar to Win32.HLLM.Beagle.36352.
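The infection signs above (the dropped files and the two registry entries), as an added example that is not part of the Dr.Web entry: a Python script that matches them against a regedit .reg export and a listing of %SysDir%, with a Windows-only helper that reads the live registry instead. The sample export and file listing embedded in it are constructed; checking the HKEY_LOCAL_MACHINE Run key as well as the HKEY_CURRENT_USER one in the live-host helper is an assumption of this example, since the entry names only the current-user key.

```python
import re

# File names the entry says the worm drops into %SysDir%.
WORM_FILES = {"i11r54n4.exe", "i1i5n1j4.exe", "go154o.exe", "i11r54n4.exeopen"}
# Persistence value and the worm's own marker key (compared case-insensitively).
RUN_VALUE = "rate.exe"
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\winexe"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse a regedit .reg export into {key (lower-cased): {value name (lower-cased): data}}.
    String data has its surrounding quotes and doubled backslashes removed;
    other types (dword:, hex:) are kept as raw text, which is enough here."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name").lower() if m.group("name") is not None else "@"
            data = m.group("data").strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_indicators(reg, sysdir_files):
    """Return (indicator, detail) pairs for every Bagle.H sign that matches."""
    hits = []
    dropped = WORM_FILES & {f.lower() for f in sysdir_files}
    for name in sorted(dropped):
        hits.append(("file", name))
    for key, values in reg.items():
        if key.endswith(RUN_SUFFIX):
            data = values.get(RUN_VALUE, "")
            # The value name is arbitrary; what matters is the program it launches.
            if "i11r54n4.exe" in data.lower():
                hits.append(("run_value", key + "\\" + RUN_VALUE + "=" + data))
        if key == MARKER_KEY:
            hits.append(("marker_key", key))
    return hits


def scan_live_host():
    """Windows only: read the same indicators from the live registry and
    %SystemRoot%\\System32 instead of an export. Looking at the HKLM Run key
    too is an assumption of this example; the entry names only the HKCU key."""
    import os
    import winreg
    reg = {}
    hives = ((winreg.HKEY_CURRENT_USER, "HKEY_CURRENT_USER"),
             (winreg.HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE"))
    subkeys = (r"Software\Microsoft\Windows\CurrentVersion\Run", r"Software\winexe")
    for hive, hive_name in hives:
        for sub in subkeys:
            try:
                with winreg.OpenKey(hive, sub) as k:
                    values, i = {}, 0
                    while True:
                        try:
                            name, data, _ = winreg.EnumValue(k, i)
                        except OSError:
                            break  # no more values under this key
                        values[name.lower()] = str(data)
                        i += 1
                    reg[(hive_name + "\\" + sub).lower()] = values
            except OSError:
                pass  # key absent: nothing to report for it
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return find_indicators(reg, os.listdir(sysdir))


# Constructed sample: a .reg export and a %SysDir% listing as an infected host would show them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rate.exe"="C:\\WINDOWS\\System32\\i11r54n4.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\winexe]
'''
SAMPLE_SYSDIR = ["kernel32.dll", "ctfmon.exe", "I11R54N4.EXE",
                 "go154o.exe", "i11r54n4.exeopen"]

if __name__ == "__main__":
    for kind, detail in find_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_SYSDIR):
        print(kind, detail)
```

To check a real machine offline, export the keys with reg.exe (for example `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; reg.exe normally writes UTF-16, so open the file with `encoding="utf-16"`) and pass the output of `dir /b %SystemRoot%\System32` as the file list. The file names are compared case-insensitively because NTFS and FAT preserve but do not distinguish case, which is why the upper-cased I11R54N4.EXE in the sample still matches.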