Possibly a bit more info for you:

Description
When I-Worm.Bagle.gt is executed, it performs the following activities:
It drops the following files in the Application Data folder:
"%User Profile%\Application Data%"\hldrrr.exe
"%User Profile%\Application Data%"\hidn2.exe
Upon execution, it creates a text file named ERROR.TXT in the root folder (usually C:\). The said file contains the following string:
Text decoding error.
For autoexecution it creates the below registry entry:
drv_st_key = "%User Profile%\Application Data\hidn\hidn2.exe"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Other System Modifications:
This worm creates the following registry key and entry as part of its
installation routine:
HKCU\Software\FirstRun
FirstRun = "1"
In addition, it deletes the following registry key to prevent the
system from restarting in safe mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
also:
HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\run\
* mule_st_key = c:\documents and settings\administrator\application data\m\flec006.exe
Not certain if you've seen this:
Removal Win32.Worm.Bagle - Malware City Blogs
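
Added example, not part of the original post or of any vendor tool: a read-only PowerShell check for the registry values and files named in the description above. It assumes "%User Profile%\Application Data" resolves to `$env:APPDATA` and that the root folder is `$env:SystemDrive`; the variable names are made up for this sketch.

```powershell
# Read-only triage for the artifacts listed in the quoted description.
# Assumption: "%User Profile%\Application Data" is taken to be $env:APPDATA.
$findings = New-Object 'System.Collections.Generic.List[string]'

# Autorun value names quoted in the post (drv_st_key, mule_st_key)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'drv_st_key', 'mule_st_key') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings.Add("Run value '$name' = $($run.$name)")
    }
}

# Installation marker: HKCU\Software\FirstRun with FirstRun = "1"
# (weak on its own; only meaningful next to the other hits)
$first = Get-ItemProperty -Path 'HKCU:\Software\FirstRun' -ErrorAction SilentlyContinue
if ($first -and "$($first.FirstRun)" -eq '1') {
    $findings.Add('HKCU\Software\FirstRun has FirstRun = 1')
}

# The description says the SafeBoot key is deleted to block safe mode
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    $findings.Add('HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot is missing')
}

# Dropped executables, at each location the post mentions
$dropped = 'hldrrr.exe', 'hidn2.exe', 'hidn\hidn2.exe', 'm\flec006.exe'
foreach ($rel in $dropped) {
    $path = Join-Path $env:APPDATA $rel
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings.Add("File present: $path")
    }
}

# ERROR.TXT in the root folder counts only if it holds the quoted string
$errFile = Join-Path $env:SystemDrive 'ERROR.TXT'
if ((Test-Path -LiteralPath $errFile -PathType Leaf) -and
    (Select-String -LiteralPath $errFile -SimpleMatch 'Text decoding error.' -Quiet)) {
    $findings.Add("Marker file present: $errFile")
}

if ($findings.Count -eq 0) {
    'No artifacts from the description were found for this user.'
} else {
    $findings
}
```

The HKCU checks only cover the account running the script, so run it once per user profile on the machine.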