PandaLabs has informed about lots of a worm variants, which affects many PCs around the world, and leave them defenceless since one of the functions of Bagle is to deactivate the firewall and antvirus.

Full Name: Worm.W32/Bagle.GX@MM  
Type: E-mail worm.
Plataform: [W32] Portable Executables .EXE, .SCR, .DLL de Windows de 32 bits: 95, 98, Me, NT, 2000, XP y 2003.
Compressed size (bytes): 94126
Alias: WORM_BAGLE.GX by Trend Micro), W32/Bagle.fb!pwdzip by McAfee y W32.Beagle.FG@mm by por Symantec.

In it first execution, it creates the following files in the system:

hidn.exe (copy of itself)

m_hook.sys (rootkit component)

error.gif (element without importance)

temp.zip (copy of itself)

It generates a key in the register to restart its operations together with Windows:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"drv_st_key" = "%UserProfile%\Application Data\hidn\hidn.exe"

Other entries are generated to support its operations:

[HKEY_CURRENT_USER\Software\FirstRuxzx]"FirstRun" = "1"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m_hook]

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_M_HOOK]

It diminishes the stability to the start system through the elimination of the following register:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]

Note: %UserProfile% equals to C:\Documents and Settings\[user's name] for Windows 2000/XP/NT.

It avoids be resent to e-mail addresses with the following strings:

rating@
f-secur
news
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
sopho
winzip
abuse
panda
cafee
spam
pgp

Through the TCP25 port, the Bagle.GX will try to establish connection with SMTP servers to send messages, for example:

smtp.google.com

Read more...