Summary
| Affected operating systems | Windows |
|---|---|
| Protection available since | 19 July 2004 01:06:30 (GMT) |
| Last updated | 19 July 2004 03:46:50 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Bagle-AG.
More Information
W32/Bagle-AG is a member of the W32/Bagle family of email worms.
W32/Bagle-AG spreads by email. The email addresses are collected from files on the computer containing the following file extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP.
W32/Bagle-AG uses its own internal SMTP engine to spread.
The worm sends an HTML-based email with the following characteristics:
Sender:
The sender address is always spoofed.
Attachment Name:
The basename of the attachment is chosen from the following list:
Foto3
Foto2
Foto1
Secret
Doll
Garry
Cat
Dog
Fish
W32/Bagle-AG is able to send itself as an encrypted ZIP file (detected as
W32/Bagle-Zip), a CPL file or a normal executable file with the extension EXE,
COM or SCR.
Subject line:
Re:
Message text:
When the worm arrives in an unencrypted (i.e. directly executable) file, the
message text is one of the following:
foto3
Fotogalary
Fotoinfo
LovelyAnimals
Animals
Predators
TheSnake
Screen
When the worm attaches itself as an encrypted file the password is included in
the email as a bitmap image and one of the following message texts is appended to the email body:
Password: <Image File>
Pass - <Image File>
Key - <Image File>
:)<Image File>
The ZIP file contains an executable with the extensions EXE, COM or SCR and
a benign text file with one of the extensions INI, CFG, TXT, VXD, DEF or DLL.
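The email characteristics above (fixed subject, a small set of attachment basenames, lure body texts, and a password-protected ZIP whose password is an inline image) can be turned into a mail-gateway heuristic. The following Python is an added example for this page, not Sophos code or a Sophos product feature; the `Message`/`Attachment` classes, the function names and the sample messages are constructed for illustration, while the indicator values are taken from the advisory text. It requires at least two independent indicators before flagging a message, so an ordinary "Re:" reply is not caught on its subject alone.

```python
"""Mail-gateway style heuristic built from the W32/Bagle-AG email indicators.

Added example; the dataclasses, function names and sample messages are
constructed for illustration, the indicator values come from the advisory.
"""
import re
from dataclasses import dataclass, field

# Attachment basenames and carrier extensions listed in the advisory.
ATTACHMENT_BASENAMES = {"foto3", "foto2", "foto1", "secret", "doll",
                        "garry", "cat", "dog", "fish"}
CARRIER_EXTENSIONS = {"exe", "com", "scr", "cpl", "zip"}
# Body texts used when the worm arrives as a directly executable file.
PLAIN_BODY_TEXTS = {"foto3", "fotogalary", "fotoinfo", "lovelyanimals",
                    "animals", "predators", "thesnake", "screen"}
# Body texts used for the encrypted-ZIP variant; the password follows as a bitmap.
PASSWORD_BODY_RE = re.compile(r"^(password:|pass -|key -|:\))\s*$", re.I)
# Inside the ZIP: one executable plus one benign decoy text file.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr"}
BENIGN_DECOY_EXTENSIONS = {"ini", "cfg", "txt", "vxd", "def", "dll"}


@dataclass
class Attachment:
    name: str
    content_type: str = "application/octet-stream"
    zip_members: list = field(default_factory=list)  # member names if a ZIP


@dataclass
class Message:
    subject: str
    body: str
    attachments: list


def split_name(filename):
    """Return (basename, extension) in lower case; extension is '' if absent."""
    base, _, ext = filename.rpartition(".")
    if not base:
        return filename.lower(), ""
    return base.lower(), ext.lower()


def bagle_indicators(msg):
    """Return the list of Bagle-AG indicators present in one message."""
    hits = []
    if msg.subject.strip().lower() == "re:":
        hits.append("subject:Re:")
    body = msg.body.strip()
    if body.lower() in PLAIN_BODY_TEXTS:
        hits.append("body:plain-text-lure")
    has_image = any(a.content_type.startswith("image/") for a in msg.attachments)
    if PASSWORD_BODY_RE.match(body) and has_image:
        hits.append("body:password-as-image")
    for att in msg.attachments:
        base, ext = split_name(att.name)
        if base in ATTACHMENT_BASENAMES and ext in CARRIER_EXTENSIONS:
            hits.append(f"attachment:{att.name}")
        if ext == "zip" and att.zip_members:
            member_exts = {split_name(m)[1] for m in att.zip_members}
            if member_exts & EXECUTABLE_EXTENSIONS and member_exts & BENIGN_DECOY_EXTENSIONS:
                hits.append(f"zip-layout:{att.name}")
    return hits


def is_suspected_bagle_ag(msg):
    """Two or more independent indicators are required, so a plain 'Re:' is not enough."""
    return len(bagle_indicators(msg)) >= 2


# Constructed samples: a plain-executable lure, an encrypted-ZIP lure, a benign reply.
SAMPLE_PLAIN = Message("Re:", "Fotogalary", [Attachment("Foto1.scr")])
SAMPLE_ZIP = Message("Re:", "Password:", [
    Attachment("Dog.zip", zip_members=["Dog.exe", "readme.txt"]),
    Attachment("pass.bmp", content_type="image/bmp"),
])
SAMPLE_BENIGN = Message("Re:", "Sure, see attached.", [Attachment("report.pdf")])

if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("zip", SAMPLE_ZIP), ("benign", SAMPLE_BENIGN)]:
        print(label, is_suspected_bagle_ag(sample), bagle_indicators(sample))
```

The ZIP check only looks at member names, which is all a gateway can see when the archive is password-protected; that is exactly why the executable-plus-decoy layout is worth matching on its own.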
The worm then tries to remove registry run entries for several security
and anti-virus related products. The following entries are removed from
HKLM\Software\Microsoft\Windows\CurrentVersion\Run if they exist:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
W32/Bagle-AG copies itself to the Windows system folder and creates a registry
entry to run itself on startup under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
W32/Bagle-AG then creates copies of itself in all folders containing the
substring SHAR on all drives. The worm uses the following filenames:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
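The two host-side behaviours described above (deleting security products' Run entries, and dropping copies under the listed names into any folder whose name contains SHAR) can both be checked from a baseline. The following Python is an added example for this page, not Sophos code; the function names, the baseline and the sample paths are constructed for illustration, while the Run value names and the worm's filenames come from the advisory. The pure functions work on data you pass in, so they run offline; `scan_drive` and `read_run_values` apply them to a real tree and, on Windows, to the real Run key.

```python
"""Host-side checks for the W32/Bagle-AG persistence and spreading behaviour.

Added example; function names and sample data are constructed for
illustration, the indicator values come from the advisory text.
"""
import os
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Run values the worm deletes to disable security and firewall products.
SECURITY_RUN_VALUES = {
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng",
    "SkynetsRevenge", "ICQ Net",
}

# File names the worm uses for its copies in folders containing "SHAR".
WORM_COPY_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr", "Serials.txt.exe", "KAV 5.0",
    "Kaspersky Antivirus 5.0", "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe", "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe", "Opera 8 New!.exe",
    "XXX hardcore images.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
}


def split_path(path):
    """Split a Windows or POSIX path into (directory components, file name)."""
    parts = path.replace("\\", "/").split("/")
    return parts[:-1], parts[-1]


def removed_security_entries(current_run_values, baseline_run_values):
    """Security-product Run values present in the baseline but missing now."""
    expected = set(baseline_run_values) & SECURITY_RUN_VALUES
    return sorted(expected - set(current_run_values))


def flag_share_copies(paths):
    """Paths whose file name is a known worm name and which sit below a
    directory whose name contains 'SHAR' (matched case-insensitively)."""
    hits = []
    for path in paths:
        dirs, name = split_path(path)
        if name in WORM_COPY_NAMES and any("shar" in d.lower() for d in dirs):
            hits.append(path)
    return hits


def scan_drive(root):
    """Walk a real directory tree and apply flag_share_copies to every file."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        found.extend(flag_share_copies(os.path.join(dirpath, f) for f in filenames))
    return found


def read_run_values():
    """Value names under HKLM Run; Windows only, returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumValue(key, index)[0])
            except OSError:
                break
            index += 1
    return names


# Constructed sample data for an offline run: two share folders, one download folder.
SAMPLE_PATHS = [
    r"C:\Shared Stuff\Serials.txt.exe",
    r"D:\Downloads\Serials.txt.exe",
    r"C:\P2P\My Shared Folder\Opera 8 New!.exe",
    r"C:\Shared Stuff\notes.txt",
]
SAMPLE_BASELINE = {"KasperskyAVEng", "Zone Labs Client Ex", "ExampleUpdater"}
SAMPLE_CURRENT = ["ExampleUpdater"]

if __name__ == "__main__":
    print("worm copies:", flag_share_copies(SAMPLE_PATHS))
    print("deleted security entries:", removed_security_entries(SAMPLE_CURRENT, SAMPLE_BASELINE))
```

The Run-key check needs a baseline taken before infection (a build image or an earlier inventory), because the advisory does not give the value name the worm registers for itself; what it does give is the list of third-party entries it deletes, and an entry that was there yesterday and is gone today is the actionable signal.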
