Worm:Win32/Bagle.ZD@mm is a mass-mailing e-mail worm that attempts to download and run arbitrary files from remote Web sites. Worm:Win32/Bagle.ZD@mm collects e-mail addresses from files on the local drive and also obtains e-mail addresses by checking Web site URLs included in the worm's code. The worm attempts to terminate the Windows Automatic Update service and modifies the System Registry in an attempt to disable booting into Safe Mode.
Worm:Win32/Bagle.ZD@mm is a mass-mailing e-mail worm that also attempts to download and run arbitrary files from remote Web sites. When Worm:Win32/Bagle.ZD@mm is executed, it does the following:
Creates folder %appdata%\HIDN
Note: %appdata% specifies the location of the logged in user's Application Data folder.
Drops two files to the newly created folder:
HIDN2.EXE
HLDRRR.EXE
Also creates ERROR.TXT on the root of drive C:\. This text file contains a single line: "Text decoding error." The worm displays the contents of this file when its own check indicates this is its first run on the system, so the user sees what looks like a harmless error opening the attachment rather than any sign of infection.
Worm:Win32/Bagle.ZD@mm modifies the registry so that a copy of the worm loads when Windows is started. Because the value is written under HKEY_CURRENT_USER, it is present only in the profile of the user who ran the attachment:
Adds value: "drv_st_key"
With data: %appdata%\hidn\hidn2
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Worm:Win32/Bagle.ZD@mm makes the following registry modification to serve as a marker for previously infected systems:
Adds value: "FirstRun"
With data: "1"
To subkey: HKEY_CURRENT_USER\Software\
The worm tries to terminate the Windows Automatic Update service and also tries to prevent booting into Safe Mode by deleting the following Registry subkey. This subkey holds the lists of drivers and services Windows loads in Safe Mode, so once it is gone Safe Mode fails to start; cleanup must restore the subkey (for example from a clean system running the same Windows version) before Safe Mode can be used again:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
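The following PowerShell triage script is an added example and is not part of the original encyclopedia entry. It checks a live Windows host for the artifacts listed above (dropped files, the decoy ERROR.TXT, the drv_st_key Run value, the FirstRun marker, the missing SafeBoot subkey, and the state of the Automatic Updates service) and returns each hit as an object. Two things are assumptions not stated on the page: the Automatic Updates service is referenced by its service name wuauserv, and the FirstRun marker is read directly from HKCU\Software as the entry lists it.

```powershell
# Added triage script (not part of the original entry) for the Bagle.ZD
# host artifacts described above. Run it in the profile of the user who
# opened the attachment, because the worm writes under HKEY_CURRENT_USER.
# Assumptions: Automatic Updates service name is 'wuauserv'; the FirstRun
# marker sits directly under HKCU\Software.

function Find-BagleZDArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Indicator = $Kind; Detail = $Detail })
    }

    # 1. Dropped files in %APPDATA%\HIDN (hash them for later correlation)
    $hidnDir = Join-Path $env:APPDATA 'HIDN'
    foreach ($name in 'HIDN2.EXE', 'HLDRRR.EXE') {
        $path = Join-Path $hidnDir $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Add-Finding 'DroppedFile' "$path (SHA256 $hash)"
        }
    }

    # 2. Decoy text file on the root of C:
    if (Test-Path -LiteralPath 'C:\ERROR.TXT') {
        $text = Get-Content -LiteralPath 'C:\ERROR.TXT' -Raw -ErrorAction SilentlyContinue
        if ($text -match 'Text decoding error') {
            Add-Finding 'DecoyFile' 'C:\ERROR.TXT contains "Text decoding error."'
        }
    }

    # 3. Autorun value drv_st_key under HKCU\...\Run
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['drv_st_key']) {
        Add-Finding 'RunValue' "drv_st_key = $($run.drv_st_key)"
    }

    # 4. Infection marker FirstRun = 1 directly under HKCU\Software (assumed location)
    $sw = Get-ItemProperty -Path 'HKCU:\Software' -ErrorAction SilentlyContinue
    if ($sw -and $sw.PSObject.Properties['FirstRun']) {
        Add-Finding 'Marker' "HKCU\Software FirstRun = $($sw.FirstRun)"
    }

    # 5. SafeBoot subkey deleted, so Safe Mode cannot start
    if (-not (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
        Add-Finding 'SafeBootMissing' 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot does not exist'
    }

    # 6. Automatic Updates service state (assumed service name: wuauserv)
    $wu = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    if ($wu -and $wu.Status -ne 'Running') {
        Add-Finding 'ServiceStopped' "wuauserv is $($wu.Status)"
    }

    return $findings
}

$results = @(Find-BagleZDArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No Bagle.ZD artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
```

Pipe the result to Export-Csv to keep a record before remediating. Note that HKCU: only covers the hive of the account running the script; to sweep other profiles on a shared machine, load their NTUSER.DAT hives under HKU: and repeat the two registry checks there.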
The email composed by Worm:Win32/Bagle.ZD@mm has the following characteristics:
Subject: (one of the following, combined with the current date)
Latest_price
New_price
price
price-
price_
pric
The attachment has a .ZIP extension and the name matches the subject name. For example, if the subject is "Latest_price18-Dec-2006", the attachment would be named "Latest_price18-Dec-2006.zip".
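As an added example that is not part of the original entry, the PowerShell function below flags messages that follow the naming pattern described above: a subject built from one of the listed prefixes plus a date, and a .ZIP attachment named exactly after the subject. The entry only says the subject is "combined with the current date"; the date format dd-MMM-yyyy (as in "18-Dec-2006") and the sample messages are assumptions constructed for the demonstration.

```powershell
# Added example (not from the original entry): match Bagle.ZD mail by
# subject prefix + date and an attachment named "<subject>.zip".
# Assumption: the date is formatted dd-MMM-yyyy as in the page's example.

$BagleSubjectPrefixes = @('Latest_price', 'New_price', 'price', 'price-', 'price_', 'pric')

# Longest prefixes first so 'price_' is matched before 'price' or 'pric'.
$prefixPattern = ($BagleSubjectPrefixes |
    Sort-Object Length -Descending |
    ForEach-Object { [regex]::Escape($_) }) -join '|'
$BagleSubjectRegex = [regex]"^(?<prefix>$prefixPattern)(?<date>\d{2}-[A-Z][a-z]{2}-\d{4})`$"

function Test-BagleZDMessage {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string[]]$AttachmentNames = @()
    )
    $m = $BagleSubjectRegex.Match($Subject)
    if (-not $m.Success) { return $false }

    # Reject look-alikes whose date part is not a real date.
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($m.Groups['date'].Value, 'dd-MMM-yyyy',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if (-not $ok) { return $false }

    # The worm names its .ZIP after the subject.
    foreach ($a in $AttachmentNames) {
        if ($a -ieq "$Subject.zip") { return $true }
    }
    return $false
}

# Constructed sample messages for the demonstration.
$samples = @(
    @{ Subject = 'Latest_price18-Dec-2006'; Attachments = @('Latest_price18-Dec-2006.zip') },
    @{ Subject = 'pric18-Dec-2006';         Attachments = @('pric18-Dec-2006.zip') },
    @{ Subject = 'price_18-Dec-2006';       Attachments = @('invoice.zip') },   # attachment name differs
    @{ Subject = 'Re: price list';          Attachments = @('price.zip') }      # benign
)
foreach ($s in $samples) {
    $hit = Test-BagleZDMessage -Subject $s.Subject -AttachmentNames $s.Attachments
    '{0,-6} {1}' -f $(if ($hit) { 'MATCH' } else { 'ok' }), $s.Subject
}
```

The first two samples match, the last two do not. The regex is case-sensitive and anchored at both ends, so ordinary subjects that merely contain the word "price" are not flagged; pair this check with the attachment-name test rather than relying on the subject alone.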