PPRuNe Forums - View Single Post - srosa worm
Thread: srosa worm
Old 25th Oct 2009, 13:03
#16
green granite
More bang for your buck
 
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
Possibly a bit more info for you:

Description

When I-Worm.Bagle.gt is executed, it performs the following activities:

It drops the following files in the Application Data folder:
%User Profile%\Application Data\hldrrr.exe
%User Profile%\Application Data\hidn2.exe

Upon execution, it creates a text file named ERROR.TXT in the root folder (usually C:). This file contains the following string:

Text decoding error.

For autoexecution it creates the registry entry below:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key = "%User Profile%\Application Data\hidn\hidn2.exe"

Other System Modifications:

This worm creates the following registry key and entry as part of its installation routine:

HKCU\Software\FirstRun
FirstRun = "1"

In addition, it deletes the following registry key to prevent the system from restarting in safe mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

Also:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key = C:\Documents and Settings\administrator\Application Data\m\flec006.exe


Not certain if you've seen this: Removal Win32.Worm.Bagle - Malware City Blogs
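Added example, not from the post above or from any AV vendor: a small Python triage script that parses the text `reg export` writes and checks it, together with a list of file paths and the contents of ERROR.TXT, against the indicators the post lists (the two Run value names, the three dropped file names, the FirstRun marker, the missing SafeBoot key and the ERROR.TXT string). The registry export, file paths and ERROR.TXT text in the block are constructed sample data, and `triage` and its helpers are names chosen here, not anything from the post.

```python
"""Offline triage check for the Bagle/srosa indicators listed in the post.

Added example, not code from the post or from any vendor tool.  It parses
text in the layout that `reg export` writes ("[key]" headers and
"name"="data" lines) and compares it with the indicators the post lists.
All input below is constructed sample data, so it runs on any OS without
touching a live registry.
"""
import ntpath
import re

# Indicators taken from the post.
RUN_VALUE_NAMES = {"drv_st_key", "mule_st_key"}
DROPPED_FILES = {"hldrrr.exe", "hidn2.exe", "flec006.exe"}
FIRSTRUN_KEY = r"HKEY_CURRENT_USER\Software\FirstRun"
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
ERROR_TXT_MARKER = "Text decoding error."

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample export: HKCU Run with one benign and two worm entries,
# the FirstRun marker, and a Control key exported without a SafeBoot subkey.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"drv_st_key"="C:\\Documents and Settings\\alice\\Application Data\\hidn\\hidn2.exe"
"Updater"="C:\\Documents and Settings\\alice\\Application Data\\m\\flec006.exe"

[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRun"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"SystemStartOptions"=" NOEXECUTE=OPTIN"
"""
SAMPLE_FILES = [  # constructed file listing
    r"C:\Documents and Settings\alice\Application Data\hldrrr.exe",
    r"C:\WINDOWS\explorer.exe",
]
SAMPLE_ERROR_TXT = "Text decoding error.\r\n"  # constructed C:\ERROR.TXT content


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in an export.

    The export format doubles backslashes and escapes quotes; both are undone.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name, data = val.groups()
            keys[current][name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def _image_name(data):
    """Executable name from a Run value: honour a quoted path, else take it whole."""
    if data.startswith('"'):
        data = data[1:].split('"', 1)[0]
    return ntpath.basename(data).lower()


def suspicious_run_entries(keys):
    """Flag Run values by the value names or target file names the post lists."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(r"\microsoft\windows\currentversion\run"):
            continue
        for name, data in values.items():
            if name.lower() in RUN_VALUE_NAMES:
                hits.append((name, data, "known Bagle value name"))
            elif _image_name(data) in DROPPED_FILES:
                hits.append((name, data, "points at a known dropped file"))
    return hits


def marker_findings(keys):
    """The post's other two registry tells: FirstRun=1 present, SafeBoot deleted.

    SafeBoot is only reported missing when its parent Control key was exported,
    so an export that never covered HKLM does not produce a false finding.
    """
    findings = []
    if keys.get(FIRSTRUN_KEY, {}).get("FirstRun") == "1":
        findings.append("FirstRun marker present")
    if ntpath.dirname(SAFEBOOT_KEY) in keys and SAFEBOOT_KEY not in keys:
        findings.append("SafeBoot key missing (safe mode boot disabled)")
    return findings


def dropped_file_hits(paths):
    """Paths whose file name matches one the post says the worm drops."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_FILES]


def error_txt_matches(content):
    """True when the root ERROR.TXT holds exactly the string the post quotes."""
    return content.strip() == ERROR_TXT_MARKER


def triage(export_text, paths, error_txt):
    """Run every check and return the findings keyed by section."""
    keys = parse_reg_export(export_text)
    return {
        "run": suspicious_run_entries(keys),
        "markers": marker_findings(keys),
        "files": dropped_file_hits(paths),
        "error_txt": error_txt_matches(error_txt),
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_EXPORT, SAMPLE_FILES, SAMPLE_ERROR_TXT).items():
        print(f"{section}: {result}")
```

On a live machine the export text would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and `reg export "HKLM\SYSTEM\CurrentControlSet\Control" control.reg` (these files are UTF-16 with a BOM, so open them with `encoding="utf-16"`); the `Updater` entry in the sample shows why the check looks at the target file name and not only at the value names the post quotes.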