Worm.Bagle.CP
Worm.Bagle.CP is a mass-mailing email worm that causes PC performance degradation and data loss. Worm.Bagle.CP allows attackers remote access to an infected computer system. Worm.Bagle.CP can also download and install other malware infections on an affected PC. Worm.Bagle.CP spreads via email, which carries a randomly named attachment with a .EXE extension. If PC users open the attachment, it will infect their computer system, start the innocuous calc.exe (Calculator) program, and change the registry to remain active after a computer restart. Worm.Bagle.CP examines .htm, .html, .wab and .txt files found on a compromised PC system to harvest email addresses, which it then uses to forward itself to other Internet users. Worm.Bagle.CP uses its own SMTP engine to send its email; therefore, copies of the malicious sent email will not appear in the mail client's 'Sent Items' folder. Worm.Bagle.CP also tries to download and execute the Mitglieder Trojan, also known as Lohav, which functions as a proxy and tries to download more corrupt files from the Web.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:
C:\Windows\System32\.exe (File type: Executable File; Mime Type: unknown/exe)
tiridfhe_unpacked.exe (File type: Executable File; Mime Type: unknown/exe)
windll2.exe (File type: Executable File; Mime Type: unknown/exe)
bbeagle.exe (File type: Executable File; Mime Type: unknown/exe)
hcmhphpg.exe (File type: Executable File; Mime Type: unknown/exe)
Registry Modifications
The following registry keys and values were created or modified:
HKEY_CURRENT_USER\Software\Windows98 "frun"
HKEY_CURRENT_USER\Software\Windows98 "uid"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows upgrade"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\erthegdr = "%System%\windll2.exe"
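The persistence entries and dropped files listed above can be audited on a live system with the following PowerShell check. This is an added example, not code from the original write-up or its vendor; it assumes the "erthegdr" value lives under the standard HKCU Run key and that dropped files sit in %SystemRoot%\System32.

```powershell
# Added example (not from the original page): report any Worm.Bagle.CP
# persistence values and dropped files named in the write-up above.
# Assumption: 'erthegdr' is checked under the standard HKCU Run key.
$Indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Windows upgrade' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'd3dupdate.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'erthegdr' },
    @{ Path = 'HKCU:\Software\Windows98';                             Name = 'frun' },
    @{ Path = 'HKCU:\Software\Windows98';                             Name = 'uid' }
)
$DroppedFiles = 'bbeagle.exe', 'windll2.exe', 'hcmhphpg.exe', 'tiridfhe_unpacked.exe'
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-BagleCPIndicators {
    $findings = @()
    # 1. Exact value names the write-up lists.
    foreach ($ioc in $Indicators) {
        if (-not (Test-Path -LiteralPath $ioc.Path)) { continue }
        $item = Get-ItemProperty -LiteralPath $ioc.Path -ErrorAction SilentlyContinue
        if ($item -and ($item.PSObject.Properties.Name -contains $ioc.Name)) {
            $findings += [pscustomobject]@{ Kind = 'RegistryValue'; Path = $ioc.Path
                                           Name = $ioc.Name; Data = $item.($ioc.Name) }
        }
    }
    # 2. Any Run value, whatever its name, whose data points at a dropped file.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            foreach ($f in $DroppedFiles) {
                if ("$($p.Value)" -match [regex]::Escape($f)) {
                    $findings += [pscustomobject]@{ Kind = 'RunValueData'; Path = $key
                                                   Name = $p.Name; Data = $p.Value }
                }
            }
        }
    }
    # 3. Dropped files present in System32 (hash recorded for later triage).
    foreach ($f in $DroppedFiles) {
        $full = Join-Path $env:SystemRoot "System32\$f"
        if (Test-Path -LiteralPath $full) {
            $findings += [pscustomobject]@{ Kind = 'File'; Path = $full; Name = $f
                                           Data = (Get-FileHash -LiteralPath $full).Hash }
        }
    }
    return $findings
}

Get-BagleCPIndicators | Format-Table -AutoSize
```

An empty table means none of the listed indicators were found; a hit on the Run keys should be treated as an active persistence entry, not merely a leftover file.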