W32/Bagle.Q@mm

* Detected by virus detection files published: 18 Mar 2004
* Virus characteristics first published: 18 Mar 2004
* Virus characteristics latest update: 07 May 2004

* Type: Virus, Worm
* Spreading mechanism: Email, File Infection, Other
* Overall risk: Medium
* Payload: Terminates certain processes

The following is a portion of the instant analysis done by the Norman Sandbox Technology:

[ General information ]
* Attemps to open C:\WINDOWS\SYSTEM\directs.exe NULL.
* Creating several executable files on hard-drive.
* File length: 25600 bytes.
* Total emulation cycles required: 4547276.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\directs.exe.

[ Changes to registry ]
* Deletes each of the following values from both "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
  "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus", "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect", "NetDy", "ICQ Net".
* Creates value "directs.exe"="C:\WINDOWS\SYSTEM\directs.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Connect port 81 [DGRAM], IP 0.0.0.0.
* Connect port 2556 [DGRAM], IP 0.0.0.0.

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 81.
* Possible backdoor functionality [UNKNOWN] port 2556.

Write-up by Trygve Brox