SonicALERT
Sonicwall Signatures


  Bagle.FK_4
Bagle.FK_4 is a worm. Worms spread from computer to computer by making copies of themselves over the network; they can propagate over email, IM, peer-to-peer networks, or directly over the wire by exploiting vulnerabilities. Bagle.FK_4 has a file size of 20,337 bytes. It uses the network as follows (each host is contacted over HTTP on TCP port 80 and the site root is requested):
  • Connects to "ijj.t35.com" on port 80 (TCP) and opens the URL http://ijj.t35.com/.
  • Connects to "noshit.fateback.com" on port 80 (TCP) and opens the URL http://noshit.fateback.com/.
  • Connects to "dook.zoo.by" on port 80 (TCP) and opens the URL http://dook.zoo.by/.
  • Connects to "debut.zoo.com" on port 80 (TCP) and opens the URL http://debut.zoo.com/.

Bagle.FK_4 drops the following files on the hard drive:

  • C:\WINDOWS\SYSTEM32\windspl.exe (20337 bytes)
  • C:\WINDOWS\regisp32.exe (5632 bytes)
  • C:\WINDOWS\TEMP\winufdb.tmp (4096 bytes)

It also changes the Windows registry so that it runs at every logon of the current user:
  • Creates value "DsplObjects"="C:\WINDOWS\SYSTEM32\windspl.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

It creates the following mutexes to ensure only one instance is running:
  • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  • DroppedSkyNet
  • _-oOaxX|- S - k - y - N - e - t -|XxKOo-_
  • [SkyNet.cz]SystemsMutex
  • AdmSkynetJklS003
  • ____--->>>>U<<<<--____
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
  • bagla_super_downloader_1000
  • smtp_bagla_1000

In addition, it executes the file it downloads (a potential security problem in itself), attempts to acquire the SeDebugPrivilege privilege, and, through the Run key entry above, is executed every time Windows starts.
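The hosts, dropped files, Run key entry and mutex names above are the indicators a defender would actually hunt for. The script below is an added example, not SonicWall's code or any detection shipped with the signature: it matches those indicators against two constructed, illustrative inputs, a space-separated web-proxy log and JSON-lines host telemetry, whose formats and field names (`event`, `path`, `size`, `key`, `value`, `data`, `name`) are assumptions for this example and would need to be mapped onto a real log source. Host matching is case-insensitive for paths and registry keys, exact for mutex names, and a known dropped-file path with a different size is still reported as a possible variant.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the signature description above.
C2_HOSTS = {"ijj.t35.com", "noshit.fateback.com", "dook.zoo.by", "debut.zoo.com"}
DROPPED_FILES = {  # normalised path -> size in bytes
    r"c:\windows\system32\windspl.exe": 20337,
    r"c:\windows\regisp32.exe": 5632,
    r"c:\windows\temp\winufdb.tmp": 4096,
}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "dsplobjects"
RUN_VALUE_DATA = r"c:\windows\system32\windspl.exe"
MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D", "DroppedSkyNet",
    "_-oOaxX|- S - k - y - N - e - t -|XxKOo-_", "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003", "____--->>>>U<<<<--____", "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
    "bagla_super_downloader_1000", "smtp_bagla_1000",
}


@dataclass(frozen=True)
class Hit:
    kind: str       # c2_host, dropped_file, run_key_persistence or mutex
    indicator: str  # the matched value
    detail: str     # size-check result or the raw log line


def _norm(path: str) -> str:
    """Case-fold a Windows path or registry key so case and slash variants match."""
    return path.strip().strip('"').replace("/", "\\").lower()


def scan_proxy_log(lines):
    """Match proxy lines against the download hosts. Assumed (constructed) line
    format: '<timestamp> <client> <method> <url> <status>'. Hosts are compared
    exactly, so a look-alike domain that merely contains an IOC does not match."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3] if "://" in parts[3] else "http://" + parts[3]
        host = (urlsplit(url).hostname or "").lower()
        if host in C2_HOSTS:
            hits.append(Hit("c2_host", host, line))
    return hits


def scan_host_events(lines):
    """Match JSON-lines host telemetry (assumed schema: one object per line with an
    'event' field) against the dropped files, the Run key entry and the mutexes."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "file_create":
            path = _norm(ev.get("path", ""))
            if path in DROPPED_FILES:
                size, expected = ev.get("size"), DROPPED_FILES[path]
                # Known path, different size: still report it, it may be a repacked variant.
                detail = "size matches" if size == expected else f"size {size} != {expected} (possible variant)"
                hits.append(Hit("dropped_file", path, detail))
        elif kind == "reg_set":
            key = _norm(ev.get("key", ""))
            name = ev.get("value", "").strip().lower()
            data = _norm(ev.get("data", ""))
            # Either the value name or the target binary is enough; one is often renamed.
            if key == RUN_KEY and (name == RUN_VALUE_NAME or data == RUN_VALUE_DATA):
                hits.append(Hit("run_key_persistence", f"{ev.get('value')}={ev.get('data')}", line))
        elif kind == "mutex_create":
            name = ev.get("name", "")
            if name in MUTEXES:
                hits.append(Hit("mutex", name, line))
    return hits


# Constructed sample input (not real logs): benign lines mixed with the IOCs.
SAMPLE_PROXY_LOG = [
    "2004-04-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2004-04-01T10:00:03Z 10.0.0.5 GET http://ijj.t35.com/ 404",
    "2004-04-01T10:00:04Z 10.0.0.5 GET http://NOSHIT.fateback.com/ 200",
    "2004-04-01T10:00:09Z 10.0.0.7 GET http://dook.zoo.by.example.net/ 200",  # look-alike, no hit
]
SAMPLE_HOST_EVENTS = [
    json.dumps({"event": "file_create", "path": r"C:\WINDOWS\SYSTEM32\windspl.exe", "size": 20337}),
    json.dumps({"event": "file_create", "path": r"C:\WINDOWS\regisp32.exe", "size": 5700}),
    json.dumps({"event": "file_create", "path": r"C:\WINDOWS\SYSTEM32\notepad.exe", "size": 69120}),
    json.dumps({"event": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                "value": "DsplObjects", "data": r"C:\WINDOWS\SYSTEM32\windspl.exe"}),
    json.dumps({"event": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                "value": "ctfmon.exe", "data": r"C:\WINDOWS\system32\ctfmon.exe"}),
    json.dumps({"event": "mutex_create", "name": "smtp_bagla_1000"}),
    json.dumps({"event": "mutex_create", "name": "_-oOaxX|- S - k - y - N - e - t -|XxKOo-_"}),
    json.dumps({"event": "mutex_create", "name": r"Global\SomeBenignMutex"}),
]


def run_sample():
    """Run both scanners over the constructed samples; returns (proxy_hits, host_hits)."""
    return scan_proxy_log(SAMPLE_PROXY_LOG), scan_host_events(SAMPLE_HOST_EVENTS)


if __name__ == "__main__":
    proxy_hits, host_hits = run_sample()
    for hit in proxy_hits + host_hits:
        print(f"[{hit.kind}] {hit.indicator}: {hit.detail}")
```

On the constructed samples this reports the two worm hosts (the look-alike `dook.zoo.by.example.net` is ignored), both dropped files (the second flagged for its size mismatch), the DsplObjects Run value, and the two Bagle mutexes. The Run key check fires on either the value name or the target path because a repacked sample may change one but rarely both; the proxy check deliberately compares the full hostname rather than doing a substring search, which is what keeps the look-alike out.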


Relevant Information