Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Installation and Autostart Techniques

 

Upon execution, the trojan copies itself into the System32 folder as "wintems.exe".

 

The trojan waits 500 milliseconds and then creates a Mutex "555" to prevent multiple instances of itself from running on one machine.

 

The Trojan adds the following key to the registry to make sure that it runs every time Windows is started:

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

" german.exe " = "%System%\wintems.exe"

 

Bagle.FU also adds the following registry keys:

 

HKCU\Software\Microsoft\DateTime4

"port" = "0x5B7E"

"uid" = "{Random}"

"wdrn" = "0x01"

 

Proxy-Notifying-Component

 

Bagle.FU, using PHP scripts, tries to update its status, including its generated User ID on several web servers. The Trojan downloads information from several web sites and creates an access restriction list from this information. This list includes mask flags similar to wildcards such as "*" for any possible number and constructions of so called IP-ranges.