W32/Bagle.MM Trojan
| Name | W32/Bagle.MM Trojan |
| Aliases | TROJ_BAGLE.MM |
| Discovered on | December 07, 2006 |
Virus Information - W32/Bagle.MM Trojan:
W32/Bagle.MM is a trojan that infects Windows systems.
This trojan is either downloaded from the Internet or dropped by other malware applications.
Upon execution, the trojan copies itself as wintems.exe in the Windows System folder.
The trojan modifies the registry at the following location to load itself at each startup.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry key as a part of its installation routine.
HKEY_CURRENT_USER\Software\DateTime4
The trojan attempts to connect to a number of remote websites to download some files (possibly malicious files).
It saves the lists in a file named ban_list.txt, which it creates in the Windows System folder. It also gathers the IP address of the infected system.
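The file and registry artifacts described above can be checked on a host with a read-only script. This is an added example, not part of the original write-up or any vendor tool: the function name `Test-BagleMMIndicators` is hypothetical, "Windows System folder" is assumed to mean System32 and SysWOW64, and because the write-up does not give the Run value name, the script matches on value data that references wintems.exe.

```powershell
# Added example: read-only host check for the artifacts this write-up names.
# Test-BagleMMIndicators is a hypothetical name, not a vendor tool.
function Test-BagleMMIndicators {
    [CmdletBinding()]
    param(
        # Assumption: "Windows System folder" means System32, plus SysWOW64
        # where 32-bit file redirection applies on 64-bit Windows.
        [string[]]$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        [string]$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        [string]$MarkerKey = 'HKCU:\Software\DateTime4'
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Dropped copy (wintems.exe) and saved list (ban_list.txt).
    foreach ($dir in $SystemDirs) {
        foreach ($name in 'wintems.exe', 'ban_list.txt') {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $f = Get-Item -LiteralPath $path -Force
                $findings.Add([pscustomobject]@{
                    Type     = 'File'
                    Location = $path
                    Detail   = "bytes=$($f.Length) modifiedUtc=$($f.LastWriteTimeUtc.ToString('s'))"
                })
            }
        }
    }

    # 2. Run-key persistence: inspect the data of every value under the key.
    if (Test-Path -LiteralPath $RunKey) {
        $key = Get-Item -LiteralPath $RunKey
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($data -match 'wintems\.exe') {
                $findings.Add([pscustomobject]@{
                    Type = 'RunValue'; Location = "$RunKey\$valueName"; Detail = $data })
            }
        }
    }

    # 3. Registry key created during installation.
    if (Test-Path -LiteralPath $MarkerKey) {
        $findings.Add([pscustomobject]@{
            Type = 'RegistryKey'; Location = $MarkerKey; Detail = 'key created during installation is present' })
    }
    return $findings
}

# HKCU is per-user: run this in the session of the account being examined.
$hits = @(Test-BagleMMIndicators)
if ($hits.Count -eq 0) { 'None of the listed artifacts were found for this user.' } else { $hits | Format-List }
```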
