Description:
For a comprehensive, at-a-glance view of the behavior of this worm, refer to the Behavior Diagram shown below.
This Trojan arrives as an attachment to email messages sent by WORM_BAGLE variants. It uses file names related to taxes as a timely social engineering technique. This Trojan was released a few days before the United States deadline for filing taxes.
Upon execution, it opens the application NOTEPAD.EXE. It drops a copy of itself as WINSHOST.EXE in the Windows system folder.
It also drops its Dynamic Link Library (DLL) component in the Windows system folder. This DLL is the main program of the Trojan and contains its major malicious routines. The Trojan injects the DLL into the EXPLORER.EXE process.
It modifies several registry entries to perform the following routines:
- Disable the Windows XP SP2 Firewall at system startup
- Disable automatic updates
- Disable administrative alerts on Windows NT
- Disable certain antivirus applications
This Trojan also modifies the system's HOSTS file, which contains host name to IP address mappings.
It attempts to download files from certain Web sites, which are inaccessible as of this writing.
It also disables services, renames several files, and tries to terminate processes, most of which are related to antivirus and security applications.
Description created: Aug. 11, 2005 6:02:56 AM GMT -0800