Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 6 October 2005 17:37:07 (GMT) |
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
Please read the instructions for removing W32/Bagle-AN
More Information
W32/Bagle-AN is a worm for the Windows platform.
W32/Bagle-AN spreads via file sharing on peer-to-peer networks and via email.
W32/Bagle-AN includes functionality to download, install and run new software.
When first run, W32/Bagle-AN copies itself to <System>\winhost.exe and creates
the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winhost.exe
<System>\winhost.exe
W32/Bagle-AN then creates copies of itself in all folders containing the substring SHAR on all drives.
The worm uses the following filenames:
"Microsoft Office 2003 Crack, Working!.exe"
"Microsoft Windows XP, WinXP Crack, working Keygen.exe"
"Norton Antivirus, working Keygen.exe"
"Microsoft Office XP working Crack, Keygen.exe"
"Porno, sex, oral, anal cool, awesome!!.exe"
"Porno Screensaver.scr"
"Serials.txt.exe"
"Kaspersky Antivirus 5.0"
"Porno pics arhive, xxx.exe"
"Windows Sourcecode update.doc.exe"
"Ahead Nero 7.exe"
"Windown Longhorn Beta Leak.exe"
"Opera 8 New!.exe"
"XXX hardcore images.exe"
"WinAmp 6 New!.exe"
"WinAmp 5 Pro Keygen Crack Update.exe"
"Adobe Photoshop 9 full.exe"
"Matrix 3 Revolution English Subtitles.exe"
"Doom3_nocd.exe"
"HalfLife2_noCD.exe"
"12 year old Katia sucks and fucks me in lots of positions. (teen preteen
anal
cumshot sex young whore school lolita.avi .exe"
W32/Bagle-AN spreads by email. The email addresses are collected from files on the system containing the following file extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG,
ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP.
The worm arrives as an attachment to an HTML email message.
The basename of the attachment is chosen from the following list:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
The email message has the following characteristics:
Subject line:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Message text:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
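A mail-gateway check built from the attachment basenames, subject lines and message texts listed above, as an added example that is not Sophos code. The function names, the scoring rule in `is_suspect` and the sample message builder are assumptions; the page gives no attachment extension, so only the basename is compared.

```python
import re
from email.message import EmailMessage

def _set(joined):
    return {s.lower() for s in joined.split("|")}

# Indicator lists copied from the description above; compared case-insensitively.
BASENAMES = _set("Information|Details|text_document|Updates|Readme|Document|Info|"
                 "MoreInfo|Message")
SUBJECTS = _set("Re: Msg reply|Re: Hello|Re: Yahoo!|Re: Thank you!|Re: Thanks :)|"
                "RE: Text message|Re: Document|Incoming message|Re: Incoming Message|"
                "RE: Incoming Msg|RE: Message Notify|Notification|Changes..|Update|"
                "Fax Message|Protected message|RE: Protected message|Forum notify|"
                "Site changes|Re: Hi|Encrypted document")
BODIES = _set("Read the attach.|Your file is attached.|More info is in attach|"
              "See attach.|Please, have a look at the attached file.|"
              "Your document is attached.|Please, read the document.|"
              "Attach tells everything.|Attached file tells everything.|"
              "Check attached file for details.|Check attached file.|"
              "Pay attention at the attach.|See the attached file for details.|"
              "Message is in attach|Here is the file.")

def _norm(text):  # drop HTML tags, collapse whitespace, lower-case
    return " ".join(re.sub(r"<[^>]+>", " ", text).split()).lower()

def bagle_an_hits(msg):
    """Return which of the three listed characteristics the message matches."""
    hits = set()
    if _norm(str(msg["Subject"] or "")) in SUBJECTS:
        hits.add("subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and _norm(body.get_content()) in BODIES:
        hits.add("body")
    for att in msg.iter_attachments():
        # The page lists basenames only, so everything after the first dot is ignored.
        if (att.get_filename() or "").split(".", 1)[0].lower() in BASENAMES:
            hits.add("attachment")
    return hits

def is_suspect(msg):
    hits = bagle_an_hits(msg)  # assumed policy: listed attachment name + one more match
    return "attachment" in hits and len(hits) >= 2

def sample(subject, html, filename):  # constructed message, placeholder addresses/bytes
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(html, subtype="html")
    m.add_attachment(b"x", "application", "octet-stream", filename=filename)
    return m
```

Several of the listed subjects and texts are generic ("Update", "Here is the file."), so a match is better used to route a message for attachment scanning than as a verdict on its own.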
W32/Bagle-AN also attempts to terminate security-related processes on an infected computer.
Registry entries are created under:
HKCU\Software\Timeout\
