Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 7 November 2005 04:01:32 (GMT) |
| Last updated | 22 December 2005 19:10:39 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Bagle-AR is a mass-mailing worm for the Windows platform.
W32/Bagle-AR sends a ZIP file as an email attachment. The ZIP file contains an executable detected as either Troj/BagleDl-W, Troj/BagleDl-Y or Troj/BagleDl-Z.
Once installed, this executable attempts to download further files, which may include copies of the original worm W32/Bagle-AR.
W32/Bagle-AR includes functionality to download files from the internet and store them to the location <System>\re_file.exe.
Emails sent by W32/Bagle-AR have the following characteristics:
Subject line: <Blank>
Message text chosen from:
info
texte
The password is <image>
Password: <image>
The attachment filename chosen from:
text_sms.zip
sms_text.zip
The_new_prices.zip
Info_prices.zip
Business_dealing.zip
Business.zip
Health_and_knowledge.zip
W32/Bagle-AR will avoid sending emails to addresses containing any of the following strings:
@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip
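The mail characteristics and the address filter above translate directly into gateway logic. The following Python is an added example, not Sophos's code and not code from the worm: it re-implements the worm's own skip list (so you can tell which of your mailboxes will never receive a sample and are useless as sensors) and scores a message against the listed traits. The sample message, its attachment and the ZIP contents are constructed here; the extra executable extensions (`.scr`, `.pif`, `.com`) and the "three matching traits" threshold in `is_bagle_ar_candidate` are this example's assumptions, not part of the description.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Indicators taken from the W32/Bagle-AR description above.
BAGLE_AR_ATTACHMENTS = {
    "text_sms.zip", "sms_text.zip", "the_new_prices.zip", "info_prices.zip",
    "business_dealing.zip", "business.zip", "health_and_knowledge.zip",
}
BAGLE_AR_BODY_PREFIXES = ("info", "texte", "the password is", "password:")
# Substrings the worm refuses to mail to. An address containing one of these
# never receives a sample, so such mailboxes are useless as Bagle sensors.
BAGLE_AR_SKIP_SUBSTRINGS = (
    "@derewrdgrs", "@eerswqe", "@messagelab", "@microsoft", "anyone@",
    "certific", "contract@", "f-secur", "free-av", "gold-certs@", "google",
    "icrosoft", "listserv", "nobody@", "noone@", "noreply", "postmaster@",
    "rating@", "samples", "support", "update", "winrar", "winzip",
)


def worm_would_skip(address: str) -> bool:
    """Re-implements the worm's target filter: True if it would not mail this address."""
    a = address.lower()
    return any(s in a for s in BAGLE_AR_SKIP_SUBSTRINGS)


def zip_contains_executable(data: bytes) -> bool:
    """ZIP entry names are stored in the clear even when the archive is
    password-protected, so this works without the password from the <image>.
    The extension list beyond .exe is an assumption of this example."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith((".exe", ".scr", ".pif", ".com"))
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def bagle_ar_indicators(msg: EmailMessage) -> list[str]:
    """Which of the description's mail characteristics a message exhibits."""
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("blank subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body else ""
    if text.startswith(BAGLE_AR_BODY_PREFIXES):
        hits.append(f"body text {text[:16]!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in BAGLE_AR_ATTACHMENTS:
            hits.append(f"attachment name {name}")
            if zip_contains_executable(part.get_payload(decode=True) or b""):
                hits.append("zip contains executable")
    return hits


def is_bagle_ar_candidate(msg: EmailMessage) -> bool:
    """Quarantine rule (assumed threshold): a listed ZIP name carrying an
    executable plus at least one more trait (blank subject, known body text)."""
    hits = bagle_ar_indicators(msg)
    return "zip contains executable" in hits and len(hits) >= 3


def scan_raw(raw: bytes) -> list[str]:
    """Entry point for a raw RFC 5322 message as a gateway or mbox hands it over."""
    return bagle_ar_indicators(email.message_from_bytes(raw, policy=email.policy.default))


def build_sample_message() -> EmailMessage:
    """Constructed sample shaped like the description; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("prices.exe", b"MZ placeholder, not a real binary")  # constructed
    msg = EmailMessage()
    msg["From"] = "spoofed@example.net"
    msg["To"] = "victim@example.org"
    # No Subject header: the worm sends a blank subject.
    msg.set_content("The password is")  # the password itself would follow as an <image>
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="The_new_prices.zip")
    return msg


if __name__ == "__main__":
    sample = build_sample_message()
    print(bagle_ar_indicators(sample), is_bagle_ar_candidate(sample))
    print(worm_would_skip("postmaster@example.org"), worm_would_skip("alice@example.org"))
```

Because the worm ships the password as an image rather than in the text, a gateway cannot open the archive; listing entry names, which ZIP encryption does not hide, is enough to see the executable inside.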
When first run, W32/Bagle-AR copies itself to <System>\windll2.exe. The following registry entries are created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
erthegdr
<System>\windll2.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
erthegdr
<System>\windll2.exe
W32/Bagle-AR attempts to delete registry entries from the following locations:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
These registry entries are deleted if they match any of the following strings:
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
W32/Bagle-AR terminates the following processes:
1t1epad.exe
t1es1t.exe
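To check a host for the persistence and process artifacts listed above using the command-line output an incident responder typically collects (`reg query` on the Run keys and `tasklist /fo csv`), here is an added Python example; it is not Sophos's tooling. The description names the autorun key as `CurrentVersion\Ru1n`; the example matches that spelling as well as the standard `CurrentVersion\Run` key, which is an assumption. The sample `reg query` and `tasklist` text is constructed, and the `expected_security_entries` baseline parameter is this example's own device for noticing security-product entries the worm has deleted.

```python
import csv
import io
import re

# Persistence and file indicators from the W32/Bagle-AR description above.
WORM_VALUE_NAME = "erthegdr"
WORM_IMAGE_NAMES = ("windll2.exe", "re_file.exe")
# Run-key entry names the worm deletes when it finds them.
SECURITY_RUN_ENTRIES = {
    "Zone Labs Client Ex", "9XHtProtect", "Antivirus", "Special Firewall Service",
    "service", "Tiny AV", "ICQNet", "HtProtect", "Jammer2nd", "FirewallSvr",
    "MsInfo", "SysMonXP", "EasyAV", "PandaAVEngine", "Norton Antivirus AV",
    "KasperskyAVEng", "SkynetsRevenge", "ICQ Net",
}

# 'reg query <key>' prints the key path unindented, then one indented line per
# value laid out as <name>  <REG_type>  <data> with runs of spaces between fields.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
# The description gives the key as CurrentVersion\Ru1n; the standard autorun key
# is CurrentVersion\Run. Matching both is an assumption of this example.
RUN_KEY = re.compile(r"\\CurrentVersion\\Ru1?n$", re.IGNORECASE)


def parse_reg_query(output: str) -> dict[str, dict[str, str]]:
    """Map each key path in 'reg query' text to its {value name: data}."""
    keys, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def check_run_keys(output: str, expected_security_entries=()) -> dict:
    """Find the worm's autorun value, and report baseline security-product
    entries that are absent from every Run key (the worm deletes them)."""
    found = {"worm_entries": [], "deleted_security_entries": []}
    present = set()
    for path, values in parse_reg_query(output).items():
        if not RUN_KEY.search(path):
            continue
        present.update(values)
        for name, data in values.items():
            if name.lower() == WORM_VALUE_NAME or any(n in data.lower() for n in WORM_IMAGE_NAMES):
                found["worm_entries"].append((path, name, data))
    found["deleted_security_entries"] = [
        e for e in expected_security_entries if e in SECURITY_RUN_ENTRIES and e not in present
    ]
    return found


def running_worm_images(tasklist_csv: str) -> list[str]:
    """Image names in 'tasklist /fo csv' output that match the worm's files."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return [r["Image Name"] for r in rows if r["Image Name"].lower() in WORM_IMAGE_NAMES]


# Constructed sample output, not captured from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    erthegdr    REG_SZ    C:\WINDOWS\system32\windll2.exe
    SoundMax    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1240","Console","0","18,500 K"
"windll2.exe","1388","Console","0","3,212 K"
'''

if __name__ == "__main__":
    print(check_run_keys(SAMPLE_REG, expected_security_entries=("KasperskyAVEng", "SoundMax")))
    print(running_worm_images(SAMPLE_TASKLIST))
```

Run `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the HKCU equivalent on the suspect host, feed the concatenated text to `check_run_keys`, and compare against the Run entries your gold image is known to carry; a missing firewall or anti-virus entry alongside the `erthegdr` value is consistent with the deletion behaviour described above.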
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Bagle-AR (detected as W32/Bagle-Gen) since version 3.97.
