W32/Bagle-KL

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 20 Jun 2006 00:00:00 (GMT)
Last Updated: 20 Jun 2006 00:00:00 (GMT)

W32/Bagle-KL is an email worm for the Windows platform.

W32/Bagle-KL harvests email addresses from the infected computer and sends itself to one harvested address with the sender address spoofed to another harvested address. The emails sent have the following characteristics:

The subject line is one of the following:

Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

The message body starts with one of the following lines, or with a blank line:

To the beloved
I love you

The message body then continues with one of the following:

The password is <image file>
Password -- <image file>
Use password <image file> to open archive.
Password is <image file>
Zip password: <image file>
archive password: <image file>
Password - <image file>
Password: <image file>

The image file displays a 5 digit password.

Emails sent by W32/Bagle-KL invite the recipient to open the attached ZIP file using the password shown in the image.

The main attachment is a file with a ZIP extension and a filename picked from the same list as the subject line, though it will not necessarily be the same name as the one used in the subject line. The ZIP archive is encrypted with the password shown in the image file, and when unzipped its contents are detected as W32/Bagle-KL.
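The mail traits listed above can be checked mechanically at the gateway. The block below is an added example, not Sophos code or the worm's own: it flags a subject taken from the name list, a body that opens with one of the two greetings (or a blank line) and then carries one of the password templates, an image part (where the 5-digit password is rendered) and a ZIP attachment, named from the same list, whose central directory carries the encryption flag. The message, the image bytes and the ZIP are all constructed inline for the demo, and the name list is a subset of the page's list (extend it with the full list in production).

```python
"""Triage one RFC 5322 message for the W32/Bagle-KL mail pattern.
Added example (not Sophos code). Sample message/ZIP are constructed here."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subset of the subject/attachment name list from the analysis (assumption:
# use the full list in production).
NAMES = {
    "Alice", "Andrew", "Anne", "Anthony", "Daniel", "Dorothy", "Edward",
    "Elizabeth", "George", "Henry", "James", "Jane", "John", "Katherine",
    "Margaret", "Mary", "Nicholas", "Peter", "Richard", "Robert", "Thomas",
    "William",
}
BODY_OPENERS = {"To the beloved", "I love you", ""}  # "" = blank first line
# The body templates with their "<image file>" placeholder stripped; the
# image itself travels as a separate MIME part.
PASSWORD_PREFIXES = (
    "The password is", "Password --", "Use password", "Password is",
    "Zip password:", "archive password:", "Password -", "Password:",
)


def zip_is_encrypted(data: bytes) -> bool:
    """True when any entry has general-purpose bit 0 (PKZIP encryption) set.
    Only the central directory is read, so no password is needed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Return per-trait findings plus a verdict for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    lines = (body_part.get_content() if body_part else "").splitlines()
    opener = lines[0].strip() if lines else ""
    hits = {
        "subject_from_name_list": subject in NAMES,
        "body_opener": opener in BODY_OPENERS,
        "password_template": any(
            ln.strip().startswith(PASSWORD_PREFIXES) for ln in lines[1:]),
        "image_part": False,
        "encrypted_zip_named_from_list": False,
    }
    for part in msg.walk():
        if part.is_multipart() or part is body_part:
            continue
        name = part.get_filename() or ""
        if part.get_content_maintype() == "image":
            hits["image_part"] = True
        elif name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            hits["encrypted_zip_named_from_list"] = (
                name[:-4] in NAMES and zip_is_encrypted(payload))
    hits["verdict"] = "bagle-kl-like" if all(hits.values()) else "clean"
    return hits


def build_zip(entry_name: str, payload: bytes) -> bytes:
    """Build a plain (unencrypted) ZIP holding one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def mark_zip_encrypted(data: bytes) -> bytes:
    """Set bit 0 of the flags word in every local header (offset 6) and
    central header (offset 8). Demo-only stand-in for the worm's encrypted
    ZIP: the flag is real, the entry data is left as dummy bytes."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_message(subject: str = "Margaret") -> bytes:
    """Constructed sample (not a capture) in the shape the analysis describes."""
    msg = EmailMessage()
    msg["From"] = "anne@example.org"  # spoofed harvested sender
    msg["To"] = "thomas@example.net"
    msg["Subject"] = subject
    msg.set_content("To the beloved\nPassword:\n")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="pass.gif")
    archive = mark_zip_encrypted(
        build_zip("Thomas.exe", b"dummy bytes, not an executable"))
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="Thomas.zip")
    return bytes(msg)


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

The encryption check matters because a password-protected archive cannot be scanned by a gateway that lacks the password; the combination of "encrypted ZIP named from the list" with the rest of the pattern is what makes this message actionable even when the payload itself is opaque. Names are compared case-sensitively, as the analysis lists them; relax that if your mail flow lowercases filenames.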

W32/Bagle-KL copies itself to the file <Application Data>\hidn\hidn.exe and drops the file <Application Data>\hidn\m_hook.sys (also detected as W32/Bagle-KL), which it uses to hide itself from certain processes.

The first time it is run, W32/Bagle-KL drops the clean file C:\error.gif and opens it. This is an image of the word "Error".

W32/Bagle-KL drops the file C:\temp.zip which contains an encrypted zip of itself.

W32/Bagle-KL attempts to download a file from a number of remote websites to <System>\re_file.exe and then execute it.

W32/Bagle-KL attempts to terminate and disable a number of services related to security and anti-virus applications.

W32/Bagle-KL attempts to delete the following registry entry in order to disrupt booting into Safe Mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

W32/Bagle-KL creates the following registry entry (key, value name and data) the first time it is run:

HKCU\Software\FirstRuxzx
FirstRun
1
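The host artefacts listed above (the two files under hidn, the decoy image, the staged ZIP, the download target, the FirstRun marker and the deleted SafeBoot key) make a compact incident-response sweep. The block below is an added example, not Sophos code: it assumes <Application Data> means %APPDATA% and <System> means %SystemRoot%\system32, and treats the absence of the SafeBoot key as an indicator in its own right. The file and registry probes are injectable so the logic runs on any OS; on Windows the defaults use os.path and winreg.

```python
"""Sweep a Windows host for the W32/Bagle-KL artefacts listed in the analysis.
Added example (not Sophos code). Assumes <Application Data> = %APPDATA% and
<System> = %SystemRoot%\\system32."""
import os
import sys

if sys.platform == "win32":
    import winreg

APPDATA = os.environ.get("APPDATA", r"%APPDATA%")
SYSTEM32 = os.environ.get("SystemRoot", r"%SystemRoot%") + r"\system32"

FILE_IOCS = {
    "worm_copy": APPDATA + r"\hidn\hidn.exe",
    "rootkit_driver": APPDATA + r"\hidn\m_hook.sys",
    "decoy_error_image": r"C:\error.gif",
    "staged_zip": r"C:\temp.zip",
    "downloaded_payload": SYSTEM32 + r"\re_file.exe",
}
FIRSTRUN_MARKER = ("HKCU", r"Software\FirstRuxzx", "FirstRun")
SAFEBOOT_KEY = ("HKLM", r"SYSTEM\CurrentControlSet\Control\SafeBoot")

_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def _open_key(hive, subkey):
    if sys.platform != "win32":
        raise RuntimeError("registry probes need Windows; inject fakes elsewhere")
    root = getattr(winreg, _HIVES[hive])
    # KEY_WOW64_64KEY: read the native view even from a 32-bit interpreter.
    return winreg.OpenKey(root, subkey, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY)


def win_reg_key_exists(hive, subkey):
    try:
        _open_key(hive, subkey).Close()
        return True
    except OSError:
        return False


def win_reg_value(hive, subkey, name):
    """Value data, or None if the key or the value is absent."""
    try:
        with _open_key(hive, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def sweep(file_exists=None, reg_key_exists=None, reg_value=None):
    """Map each indicator found to its path or key; {} on a clean host.
    Probes: file_exists(path), reg_key_exists(hive, subkey),
    reg_value(hive, subkey, name)."""
    file_exists = file_exists or os.path.exists
    reg_key_exists = reg_key_exists or win_reg_key_exists
    reg_value = reg_value or win_reg_value
    found = {}
    for label, path in FILE_IOCS.items():
        if file_exists(path):
            found[label] = path
    hive, key, name = FIRSTRUN_MARKER
    if reg_value(hive, key, name) in (1, "1"):  # DWORD or string data
        found["first_run_marker"] = f"{hive}\\{key}\\{name}"
    hive, key = SAFEBOOT_KEY
    if not reg_key_exists(hive, key):  # present on every healthy install
        found["safeboot_key_deleted"] = f"{hive}\\{key}"
    return found


if __name__ == "__main__":
    for label, where in sweep().items():
        print(f"{label}: {where}")
```

Because m_hook.sys hides the worm from certain processes, a user-mode probe run on the live, infected system may be lied to about the hidn directory; the registry findings (the FirstRun marker and a missing SafeBoot key) are harder to conceal and, if Safe Mode has already been sabotaged, the file checks are best repeated from a clean boot or against the disk mounted offline.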
