W32/Bagle-A

Category: Viruses and Spyware
Protection available since: 18 Jan 2004 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 23 Jan 2004 00:00:00 (GMT)
Prevalence: Many Reports


W32/Bagle-A is a worm that sends itself to addresses harvested from files on the hard disk. The worm spoofs the "From" field in emails it sends, which means that it may appear to have come from someone you know.

W32/Bagle-A arrives in an email with the following characteristics:

Subject line: Hi

Message text:
Test =)
[random characters]
--
Test, yep.

Attached file: <random name>.exe

The attached file uses a calculator icon. When it is run, the worm launches the Windows Calculator application as a decoy, so the victim sees the program the icon promised while the worm installs itself in the background.

W32/Bagle-A copies itself to bbeagle.exe in the Windows system folder and sets the following registry entry to ensure the worm is run at logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe

The worm also sets the following registry entries:

HKCU\Software\Windows98\uid
HKCU\Software\Windows98\frun

W32/Bagle-A includes a backdoor component which listens on TCP port 6777. This allows an attacker to upload and execute arbitrary programs on infected computers.

Note that W32/Bagle-A will not activate if the system date is 28 January 2004 or later. The kill date only stops the worm from running; the bbeagle.exe copy and the registry entries listed above remain on an infected computer and should still be removed.
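The email characteristics and the host artefacts listed above are the indicators an analyst would check mail or a machine against. The following Python is an added example (not Sophos code and not part of the original page): it parses a message, matches the subject, body layout and .exe attachment, evaluates host artefacts that have already been collected (Run values, system-folder file names, registry keys, listening TCP ports), and applies the kill-date rule. The indicator strings come from the text above; the sample message is constructed for the example, and the function and variable names are this example's own.

```python
"""
Indicator checks for W32/Bagle-A (added example).

The indicator strings (subject, body layout, dropper name, Run value,
marker keys, backdoor port, kill date) are taken from the advisory text.
The sample message below is constructed, not a real capture, and the
function/variable names are this example's own.
"""
import datetime
import email
import ntpath
import re
from email import policy
from email.message import EmailMessage

# Email indicators listed in the advisory.
BAGLE_SUBJECT = "Hi"
# "Test =)" / random characters / "--" / "Test, yep." on consecutive lines.
BAGLE_BODY_RE = re.compile(r"^Test =\)\r?\n.*?^--\r?\nTest, yep\.", re.S | re.M)

# Host indicators listed in the advisory.
BAGLE_DROPPER = "bbeagle.exe"       # copied into the Windows system folder
BAGLE_RUN_VALUE = "d3dupdate.exe"   # HKCU\...\CurrentVersion\Run value name
BAGLE_MARKER_KEYS = (r"HKCU\Software\Windows98\uid", r"HKCU\Software\Windows98\frun")
BAGLE_BACKDOOR_PORT = 6777
BAGLE_KILL_DATE = datetime.date(2004, 1, 28)  # worm is inert on or after this date


def email_indicators(raw: bytes) -> dict:
    """Parse an RFC 822 message and report which Bagle-A mail indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = (msg.get("Subject") or "").strip() == BAGLE_SUBJECT

    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    body_hit = BAGLE_BODY_RE.search(body_text) is not None

    # The attachment name is random, so only the .exe extension is checkable.
    exe_hit = any((p.get_filename() or "").lower().endswith(".exe")
                  for p in msg.iter_attachments())
    return {"subject": subject_hit, "body": body_hit, "exe_attachment": exe_hit}


def is_bagle_a_mail(raw: bytes) -> bool:
    """All three mail indicators must match; any one alone is too generic."""
    return all(email_indicators(raw).values())


def host_indicators(run_values: dict, system_files: set, registry_keys: set,
                    listening_tcp: set) -> dict:
    """Evaluate host artefacts already collected from a machine.

    run_values: {value name: data} from HKCU\\...\\CurrentVersion\\Run
    system_files: file names present in the Windows system folder
    registry_keys: full HKCU key paths present
    listening_tcp: TCP ports in LISTENING state
    """
    run_hit = any(
        name.lower() == BAGLE_RUN_VALUE
        or ntpath.basename(data).lower() == BAGLE_DROPPER
        for name, data in run_values.items()
    )
    present_keys = {k.lower() for k in registry_keys}
    return {
        "run_key": run_hit,
        "dropper": BAGLE_DROPPER in {f.lower() for f in system_files},
        "marker_keys": all(k.lower() in present_keys for k in BAGLE_MARKER_KEYS),
        "backdoor_port": BAGLE_BACKDOOR_PORT in listening_tcp,
    }


def worm_active(system_date: datetime.date) -> bool:
    """The worm does not activate once the clock reaches the kill date, so on a
    correctly dated host only the dropped file and keys remain to be cleaned."""
    return system_date < BAGLE_KILL_DATE


def build_sample_message() -> bytes:
    """Constructed sample modelled on the characteristics above (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone.you.know@example.com"   # spoofed, as the worm does
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Hi"
    msg.set_content("Test =)\nqwlkjhasd8\n--\nTest, yep.\n")
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename="xpauhd.exe")
    return bytes(msg)


if __name__ == "__main__":
    print("mail:", email_indicators(build_sample_message()))
    print("host:", host_indicators(
        {"d3dupdate.exe": r"C:\WINDOWS\system32\bbeagle.exe"},
        {"bbeagle.exe"}, set(BAGLE_MARKER_KEYS), {6777}))
    print("active today:", worm_active(datetime.date.today()))
```

The host check deliberately takes collected artefacts as input rather than reading the registry or sockets itself, so it can be run against a triage export from any platform; the Run check matches either the value name d3dupdate.exe or data pointing at bbeagle.exe, since either alone identifies the persistence entry.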
