[Dshield] New Version of I-Worm Bagle.HV

Peter Kruse kruse at krusesecurity.dk
Tue Nov 1 21:22:39 GMT 2005


Hi,

> >Received a new version of the I-Worm/Bagle.HV tonight.

A bit of a misleading name for this bug, since this is a typical dropper. It's
certainly not a worm. This bug is being seeded.

The malware drops a binary and a DLL to the system folder (%windows
systemfolder%). The code downloads components from many websites (several
likely to be bogus). It also kills several security software products and
makes changes to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"auto__hloader__key"="%windows systemfolder%\hloader_exe.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"auto__hloader__key"="%windows systemfolder%\hloader_exe.exe"

It also registers the DLL as a COM object in Internet Explorer with the
following CLSID: [0002DF01-0000-0000-C000-000000000046].

Regards
Peter Kruse
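As an added example (not part of Peter's post and not code from any tool he mentions), the script below parses a Windows .reg export and flags the two persistence indicators the post describes: a Run-key value named "auto__hloader__key" or pointing at hloader_exe.exe, and the COM registration under the quoted CLSID. The sample export, the drive and system-folder path, the DLL file name and the unrelated ctfmon.exe entry are constructed for this example; the post does not say where the COM registration lives, so the CLSID\InprocServer32 location is an assumption, and since that CLSID is a well-known Internet Explorer class, the script only reports the server path for an analyst to compare against what is expected on that host.

```python
import re

# Constructed sample .reg export (assumption: an analyst exported the two Run
# keys and the CLSID key from an infected host). The value name and
# hloader_exe.exe come from the post; everything else is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"auto__hloader__key"="C:\\WINDOWS\\system32\\hloader_exe.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"auto__hloader__key"="C:\\WINDOWS\\system32\\hloader_exe.exe"

[HKEY_CLASSES_ROOT\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\WINDOWS\\system32\\PLACEHOLDER_dropped_dll.dll"
"ThreadingModel"="Apartment"
'''

# Indicators taken from the post.
RUN_VALUE_NAME = "auto__hloader__key"
DROPPED_EXE = "hloader_exe.exe"
COM_CLSID = "{0002DF01-0000-0000-C000-000000000046}"

# Matches `"name"="data"` or `@="data"` lines; other value types are skipped.
_STRING_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the subset of the .reg format needed here.

    Returns {key_path: {value_name: string_data}}; the default value is
    stored under the name "(Default)".
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        entries[current][name] = _unescape(m.group(2)[1:-1])
    return entries


def find_hloader_persistence(entries):
    """Return (kind, key, value_name, data) tuples for the indicators."""
    findings = []
    for key, values in entries.items():
        upper = key.upper()
        # Any ...\Microsoft\Windows\CurrentVersion\Run key, HKLM or HKCU.
        if upper.endswith(r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"):
            for name, data in values.items():
                if name.lower() == RUN_VALUE_NAME or DROPPED_EXE in data.lower():
                    findings.append(("run-key", key, name, data))
        # Assumed location of the COM registration: report the in-process
        # server path for review rather than treating the CLSID alone as bad.
        if COM_CLSID in upper and upper.endswith("INPROCSERVER32"):
            findings.append(("com-inproc", key, "(Default)", values.get("(Default)", "")))
    return findings


if __name__ == "__main__":
    for kind, key, name, data in find_hloader_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{kind:10s} {key}\n           {name} = {data}")
```

On a live host the same two checks can be made with reg.exe exports of the HKLM and HKCU Run keys and of HKCR\CLSID; the parser only needs string values, which is all these keys carry.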