W32/Bagle-AD

Category: Viruses and Spyware
Type: Win32 executable file virus
Prevalence: Small Number of Reports


W32/Bagle-AD is a member of the W32/Bagle family of email worms.

When run the worm displays a fake message box with the title "Error!"
and the message

"Can't find a viewer associated with the file"

The worm then tries to remove registry run entries for several security
and anti-virus related products.
The following entries are removed from
HKLM\Software\Microsoft\Windows\CurrentVersion\Run if they exist:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

The worm checks the current date and terminates if the date is after the 6th
of July 2004.

W32/Bagle-AD then creates copies of itself in all folders containing
the substring SHAR on all drives.
The worm uses the following filenames:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe


W32/Bagle-AD spreads by email. The email addresses are collected from files
on the system containing the following file extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG,
ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP.

W32/Bagle-AD uses its own internal SMTP engine to spread.
The sender address is always spoofed.
The worm arrives as an attachment to an HTML email message.
The basename of the attachment is chosen from the following list:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message

W32/Bagle-AD is able to send itself as an encrypted ZIP file, an HTA file,
a VBS file, a CPL file or a normal executable file with the extension
EXE, COM or SCR.


The email message has the following characteristics:

Subject line:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Message text:
Read the attach.<br><br>
Your file is attached.<br><br>
More info is in attach<br><br>
See attach.<br><br>
Please, have a look at the attached file.<br>
Your document is attached.<br><br>
Please, read the document.<br><br>
Attach tells everything.<br><br>
Attached file tells everything.<br><br>
Check attached file for details.<br><br>
Check attached file.<br><br>
Pay attention at the attach.<br><br>
See the attached file for details.<br><br>
Message is in attach<br><br>
Here is the file.<br><br>

In the case of the encrypted ZIP file the password is included in the
email as a bitmap image file and the message text is one of the following:

<br>For security reasons attached file is password protected.
The password is <img src="cid:<imagefile>"><br>
<br>For security purposes the attached file is password protected.
Password -- <img src="cid:<imagefile>"><br>
<br>Attached file is protected with the password for security reasons.
Password is <img src="cid:<imagefile>"><br>
<br>In order to read the attach you have to use the following
password: <img src="cid:<imagefile>"><br>
<br>Note: Use password <img src="cid:<imagefile>"> to open archive.<br>
<br>Archive password: <img src="cid:<imagefile>"><br>
<br>Password - <img src="cid:<imagefile>"><br>
<br>Password: <img src="cid:<imagefile>"><br>.

The ZIP file contains an executable with the extensions EXE, COM or SCR and
a benign text file with the extensions INI, CFG, TXT, VXD, DEF or DLL.
