W32.Bagle.dl
W32.Bagle.dl is an email worm that may also spread through peer-to-peer file-sharing programs. It makes changes under "HKCU\Software\Microsoft\Params" that lower the security settings on the machine, and it downloads files from certain web sites.
The infected email carries a spoofed 'From' address chosen at random from addresses found on the infected system.
The subject of the infected mail will be any one of the following:
February price
price
The body of the infected mail will be any one of the following:
February price
price
W32.Bagle.dl arrives as an email attachment. The name of the infected attachment may be any one of the following:
max.zip
text_sms.zip
Business.zip
Info_Prices.zip
The_new_prices.zip
Business_dealing.zip
Health_and_knowledge.zip
Upon execution of the infected attachment, W32.Bagle.dl copies itself as sysformat.exe into the Windows System folder. In addition, it modifies the registry so that it is loaded at each startup, and it tries to terminate security-related processes.
File System Modifications
- The following files were created in the system:
  1. hleader_dll.dll
  2. hloader_exe.exe
  3. price.exe
  4. t_535475.exe
  5. winshost.exe
  6. wiwshost.exe
Registry Modifications
- The following registry value is newly created under each of these keys:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "auto__hloader__key" = C:\WINNT\SYSTEM32\HLOADER_EXE.EXE
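Added example, not part of the original write-up: a Python script that parses a regedit .reg export of the two Run keys above and flags entries whose value name or executable name matches this worm's indicators. The indicator lists come from the description above; the .reg text is a constructed sample, not a real capture, and the function and variable names are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above (file names and the Run value name).
BAGLE_DL_FILES = {
    "sysformat.exe", "hleader_dll.dll", "hloader_exe.exe", "price.exe",
    "t_535475.exe", "winshost.exe", "wiwshost.exe",
}
BAGLE_DL_RUN_VALUE = "auto__hloader__key"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)

def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo .reg escaping: \\ -> \ and \" -> "
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                keys[current][name] = data
    return keys

def find_bagle_dl_autoruns(reg_text):
    """Return (key, value_name, data) for Run entries matching the worm's indicators."""
    run_keys, hits = {k.lower() for k in RUN_KEYS}, []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in run_keys:
            continue
        for name, data in values.items():
            exe = PureWindowsPath(data.strip('"')).name.lower()  # data treated as a path
            if name.lower() == BAGLE_DL_RUN_VALUE or exe in BAGLE_DL_FILES:
                hits.append((key, name, data))
    return hits

# Constructed sample export (not a real capture): one benign entry per hive plus the worm's.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"auto__hloader__key"="C:\\WINNT\\SYSTEM32\\HLOADER_EXE.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
'''
```

On a live host, feed the output of `reg export` for each Run key to `find_bagle_dl_autoruns`; the benign OneDrive and SecurityHealth entries in the sample are not flagged, only the worm's value is.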