Installation and Autostart Techniques
Upon execution, the trojan copies itself into the System32 folder as "wintems.exe".
The trojan waits 500 milliseconds and then creates a Mutex "555" to prevent multiple instances of itself from running on one machine.
The trojan adds the following key to the registry to make sure that it runs every time Windows is started:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"german.exe" = "%System%\wintems.exe"
Bagle.FU also adds the following registry keys:
HKCU\Software\Microsoft\DateTime4
"port" = "0x5B7E"
"uid" = "{Random}"
"wdrn" = "0x01"
Proxy-Notifying-Component
Bagle.FU contacts PHP scripts on several web servers to report its status, including the User ID it generated. The trojan also downloads information from several web sites and builds an access restriction list from it. Entries in this list use wildcard-style masks, such as "*" standing for any number, as well as IP ranges.
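To reason about which addresses such a list covers (for example, which monitoring or analysis hosts would fall inside it), it helps to have a matcher for the two entry forms the write-up describes. The following is an added example and not code from the original analysis; the list entries are constructed sample values in the described style, not the trojan's actual list, and the exact syntax it uses is assumed here to be dotted-quad masks with "*" per octet and dash-separated ranges.

```python
import ipaddress

# Constructed entries in the style the write-up describes; these are sample values only.
SAMPLE_RESTRICTION_LIST = [
    "10.*.*.*",                    # wildcard mask: any address in 10/8
    "192.168.1.*",                 # wildcard mask: one /24
    "172.16.5.10-172.16.5.20",     # inclusive IP range
    "203.0.113.7",                 # single host
]


def matches_mask(ip, mask):
    """True if dotted-quad ip matches mask, where '*' in an octet position matches any value."""
    ip_parts = ip.split(".")
    mask_parts = mask.split(".")
    if len(ip_parts) != 4 or len(mask_parts) != 4:
        return False
    if not all(p.isdigit() and 0 <= int(p) <= 255 for p in ip_parts):
        return False
    return all(m == "*" or m == p for p, m in zip(ip_parts, mask_parts))


def in_range(ip, entry):
    """True if ip lies within the inclusive range 'low-high'; invalid bounds simply do not match."""
    lo, hi = entry.split("-", 1)
    try:
        addr = ipaddress.IPv4Address(ip)
        return ipaddress.IPv4Address(lo.strip()) <= addr <= ipaddress.IPv4Address(hi.strip())
    except ValueError:
        return False


def is_restricted(ip, entries):
    """Return the first list entry that covers ip, or None if no entry matches."""
    for entry in entries:
        if "-" in entry:
            if in_range(ip, entry):
                return entry
        elif matches_mask(ip, entry):
            return entry
    return None


if __name__ == "__main__":
    for candidate in ("10.1.2.3", "172.16.5.15", "172.16.5.21", "8.8.8.8"):
        print(candidate, "->", is_restricted(candidate, SAMPLE_RESTRICTION_LIST))
```

Ranges are checked with ipaddress so that comparison is numeric rather than lexical (string comparison would rank "172.16.5.9" above "172.16.5.10"), which is the usual pitfall when hand-rolling this kind of list.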
