Name:
Bagle.U worm
Also known as:
W32/Bagle.U@MM, I-Worm.Bagle.U, W32.Beagle.U@mm, WORM_BAGLE.U
Type:
Mass-mailing email worm that opens TCP port 4751 on infected systems and sends an HTTP notice to the worm's author.
Discovered:
March 26, 2004
Email characteristics:
Bagle.U arrives from a spoofed sender with no subject line and no message body. The blank message carries a randomly named
.exe attachment. Email addresses are harvested from the infected user's system and used in both the From and To fields, so the apparent sender is simply another harvested address, not the owner of the infected machine. Bagle.U sends the email using its own SMTP engine rather than the user's mail client. When the attachment is opened, if the Microsoft Hearts game is installed on the user's PC, Bagle.U first launches MSHEARTS.EXE before installing itself.
System impact:
Bagle.U drops a copy of itself into the Windows System directory as gigabit.exe and modifies the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
adding the value:
"gigabit.exe" = %sysdir%\gigabit.exe
where %sysdir% represents the path to the user's Windows System directory. Because the value sits under HKEY_CURRENT_USER, the worm is restarted each time that user logs on.
Bagle.U also adds the following registry key and values:
HKEY_CURRENT_USER\Software\Windows2004 "fr1n"
HKEY_CURRENT_USER\Software\Windows2004 "gsed"
Bagle.U opens a listener on TCP port 4751 and sends a notice (the port number and an ID) to the worm's author via HTTP. An unexplained process listening on TCP 4751, or outbound HTTP requests carrying that port number and ID, are the network-side indicators of this worm.
Manual removal:
Use the Windows Task Manager to end the gigabit.exe process first; while it is running the executable is locked and cannot be deleted. Then delete the registry modifications listed above (the gigabit.exe value under the Run key and the Windows2004 key with its fr1n and gsed values) and delete gigabit.exe from the Windows System directory. Reboot and confirm that the process, the file and the Run value have not reappeared.
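The system-impact indicators and the manual removal steps above can be checked and carried out in one pass. The script below is an added example written for this page, not tooling from the original advisory or from any vendor. It assumes it is run elevated in the profile of the affected user (the Run value lives under HKCU), that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later), and that the dropped file may sit in SysWOW64 on a 64-bit system because a 32-bit binary writing to the System directory is redirected there; everything else comes from the indicators listed on this page.

```powershell
# Added example (not part of the original Bagle.U advisory).
# Reports the Bagle.U indicators described above; with -Remove it also cleans them
# in the order the manual-removal section requires (process, registry, file).
param(
    [switch]$Remove   # without -Remove the script only reports
)

# Indicators taken from the advisory text
$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName      = 'gigabit.exe'
$markerKey    = 'HKCU:\Software\Windows2004'
$markerValues = @('fr1n', 'gsed')
$backdoorPort = 4751

# Assumption: on 64-bit Windows a 32-bit dropper lands in SysWOW64, so check both.
$sysDirs = @([Environment]::GetFolderPath('System'))
$wow64   = Join-Path $env:WINDIR 'SysWOW64'
if (Test-Path -LiteralPath $wow64) { $sysDirs += $wow64 }
$droppers = $sysDirs | ForEach-Object { Join-Path $_ 'gigabit.exe' }

$findings = @()

# 1. Running worm process (process name is the file name without extension)
$procs = Get-Process -Name 'gigabit' -ErrorAction SilentlyContinue
if ($procs) { $findings += "process gigabit.exe running (PID $($procs.Id -join ','))" }

# 2. Dropped copy in the Windows System directory
$present = $droppers | Where-Object { Test-Path -LiteralPath $_ }
foreach ($f in $present) { $findings += "file present: $f" }

# 3. Persistence: "gigabit.exe" value under the HKCU Run key
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties[$runName]) {
    $findings += "Run value '$runName' = $($runProps.$runName)"
}

# 4. Infection marker key HKCU\Software\Windows2004 with values fr1n / gsed
if (Test-Path -LiteralPath $markerKey) {
    $names = (Get-ItemProperty -Path $markerKey).PSObject.Properties.Name |
             Where-Object { $markerValues -contains $_ }
    $findings += "marker key $markerKey present (values: $($names -join ', '))"
}

# 5. Backdoor listener on TCP 4751 (Get-NetTCPConnection: Windows 8+ assumption)
$listener = Get-NetTCPConnection -LocalPort $backdoorPort -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $findings += "TCP $backdoorPort listening (owning PID $($listener.OwningProcess -join ','))"
}

if (-not $findings) { Write-Output 'No Bagle.U indicators found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }
if (-not $Remove) { Write-Output 'Re-run with -Remove to clean.'; return }

# Removal order matters: end the process first, otherwise gigabit.exe is locked
# and the file deletion below fails.
if ($procs) { $procs | Stop-Process -Force }
Remove-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
Remove-Item -Path $markerKey -Recurse -Force -ErrorAction SilentlyContinue
foreach ($f in $present) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
Write-Output 'Removal attempted; reboot and re-run this script to confirm nothing reappeared.'
```

Run it once without -Remove to see what is present, then with -Remove. The marker key and the Run value are both under HKCU, so the script only sees the profile it runs in; repeat it for every user account on a shared machine, and treat a surviving listener on TCP 4751 after cleanup as a sign that a different file owns the port and needs separate investigation.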