W32/Bagle.t@MM Worm

03/19/04 - W32/Bagle.t@MM

Outgoing messages matching the described characteristics

Registry keys created as described below:

  • HKEY_CURRENT_USER\Software\windirects
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Ru1n "directs.exe" = C:\WINNT\SYSTEM32\directs.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Ru1n "directs.exe" = C:\WINNT\SYSTEM32\directs.exe

Increase in filesize of .EXE files by approx. 26Kb

The worm opens TCP port 2556 on the victim machine

Presence of the following files in the %Sysdir% folder:

  • directs.exe (25,600 bytes)
  • directs.exeopen (25,849 bytes)

Please see the description of W32/Bagle.q@MM for further details.
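
One way to check a Windows host for the registry, file and port indicators listed above. This is an added example, not part of the original alert or of any vendor tool. It assumes PowerShell with Get-NetTCPConnection (Windows 8 / Server 2012 or later), and it only reads: nothing is deleted or changed.

```powershell
# Added example: read-only check for the W32/Bagle.t@MM indicators in this alert.
# Key names, file names and sizes are copied from the alert exactly as printed.
$sysdir   = [Environment]::SystemDirectory   # %Sysdir% (C:\WINNT\SYSTEM32 in the alert)
$findings = @()

# 1. Registry key, and the "directs.exe" value under both hives
if (Test-Path 'HKCU:\Software\windirects') {
    $findings += 'Registry key present: HKEY_CURRENT_USER\Software\windirects'
}
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Ru1n"
    $val = (Get-ItemProperty -Path $key -Name 'directs.exe' -ErrorAction SilentlyContinue).'directs.exe'
    if ($val) { $findings += "Registry value present: $key directs.exe = $val" }
}

# 2. Files in %Sysdir%, compared with the sizes given in the alert
$expected = @{ 'directs.exe' = 25600; 'directs.exeopen' = 25849 }
foreach ($name in $expected.Keys) {
    $path = Join-Path $sysdir $name
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($file) {
        $note = if ($file.Length -eq $expected[$name]) { 'size matches alert' } else { 'size differs from alert' }
        $findings += "File present: $($file.FullName) ($($file.Length) bytes, $note)"
    }
}

# 3. Anything listening on TCP port 2556, with the owning process
$listeners = Get-NetTCPConnection -LocalPort 2556 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 2556 listening on $($l.LocalAddress), PID $($l.OwningProcess) ($($proc.ProcessName))"
}

# Report
if ($findings) {
    $findings
    Write-Warning 'Indicators from the W32/Bagle.t@MM alert were found on this host.'
} else {
    'No registry, file or port indicators from the W32/Bagle.t@MM alert were found.'
}
```

The script does not cover the outgoing-message or .EXE file-size indicators. Run it as an administrator so the owning process of a listener can be resolved.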

 

More info on this worm:
http://vil.nai.com/vil/content/v_101108.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101108.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
