Summary

| How it spreads | Email attachments; peer-to-peer file sharing |
|---|---|
| Affected operating systems | Windows |
| Characteristics | Downloads code from the internet; disables security software |
| Protection available since | 29 October 2004 10:24:53 (GMT) |
| Last updated | 29 October 2004 15:49:14 (GMT) |
| Detected by | All Sophos products |

Action
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Bagle-AU.
More Information
W32/Bagle-AU is an email and peer-to-peer worm.
W32/Bagle-AU attempts to email itself to addresses harvested from the infected machine, as well as copying itself to file-sharing folders.
W32/Bagle-AU will also attempt to download files from a remote website.
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Bagle-AU (detected as W32/Bagle-Gen) since version 3.86.
The dropper component of W32/Bagle-AU drops the main file to the Windows folder with the filename CJECTOR.EXE. The dropped component then copies itself to the Windows system folder with the filename WINGO.EXE and creates the following registry value so that it runs on system startup, rewriting the value many times a second so that simply deleting it has no lasting effect while the process is alive:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\wingo
W32/Bagle-AU also copies itself to a number of file-sharing folders with the following filenames:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
W32/Bagle-AU may also copy itself to the Windows system folder with the filenames WINGO.EXEOPEN and WINGO.EXEOPENOPEN.
W32/Bagle-AU may attempt to change its icon using ones found on the infected computer.
W32/Bagle-AU attempts to delete any of the following values from the registry keys HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run, to prevent certain software (mostly anti-virus and firewall products) from running on system startup:
9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex
W32/Bagle-AU attempts to stop the services named "SharedAccess" (Windows Firewall/Internet Connection Sharing) and "wscsvc" (Windows Security Center). These are the short service names, not the display names shown in the Services console.
W32/Bagle-AU sets the following time-related registry entry:
HKCU\Software\Microsoft\Params\TimeKey
W32/Bagle-AU attempts to download and execute a number of files from remote websites to RE_FILE.EXE in the Windows system folder. At the time of writing these files were unavailable for download.
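The host-side indicators above (the wingo Run value, the TimeKey value, the deleted startup entries and the dropped files) can be checked offline from artefacts collected on a suspect machine. The following is an added example, not Sophos code: it parses a registry export in the text format written by `reg export` or regedit and checks it, together with a file listing of the Windows and Windows system folders, for those indicators. The .reg text, the file listing and the baseline of expected Run values below are constructed for the example; the baseline (a gold image or an earlier export of the same host) is an assumption about what the responder has to hand.

```python
"""Offline triage for the W32/Bagle-AU host indicators (added example, not Sophos code)."""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
PARAMS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Params"

# Startup values the worm deletes from the Run keys (from the write-up).
DELETED_RUN_VALUES = {
    "9XHtProtect", "Antivirus", "EasyAV", "FirewallSvr", "HtProtect", "ICQ Net", "ICQNet",
    "Jammer2nd", "KasperskyAVEng", "MsInfo", "My AV", "NetDy", "Norton Antivirus AV",
    "PandaAVEngine", "service", "SkynetsRevenge", "Special Firewall Service", "SysMonXP",
    "Tiny AV", "Zone Labs Client Ex",
}
# Files the worm drops: CJECTOR.EXE in the Windows folder, the rest in the system folder.
DROPPED_FILES = {"cjector.exe", "wingo.exe", "wingo.exeopen", "wingo.exeopenopen", "re_file.exe"}

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse regedit export text into {key_path_lower: {value_name: data}}.

    String data is unescaped and dword data becomes an int; other forms (hex(...),
    including multi-line hex joined over trailing-backslash continuations) are kept
    as raw text. Key paths are lower-cased because the registry compares them that way.
    """
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        if current is None:
            continue
        while line.endswith("\\") and i < len(lines):  # hex data continuation
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        name = "" if name == "@" else _unescape(name[1:-1])
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        current[name] = data
    return keys


def _values(reg, key_path):
    """Case-insensitive view of one key's values: {name_lower: (name, data)}."""
    return {n.lower(): (n, d) for n, d in reg.get(key_path.lower(), {}).items()}


def check_bagle_au_indicators(reg, file_listing):
    """Return the indicators found on the host; an empty list means none."""
    hits = []
    for key in RUN_KEYS:
        entry = _values(reg, key).get("wingo")
        if entry and isinstance(entry[1], str) and entry[1].lower().endswith("wingo.exe"):
            hits.append(f"{key}\\{entry[0]} = {entry[1]}")
    if "timekey" in _values(reg, PARAMS_KEY):
        hits.append(f"{PARAMS_KEY}\\TimeKey present")
    for name in sorted(file_listing, key=str.lower):
        if name.lower() in DROPPED_FILES:
            hits.append(f"dropped file: {name}")
    return hits


def missing_startup_entries(reg, baseline_run_values):
    """Baseline Run values that are on the worm's delete list and are now absent."""
    present = set()
    for key in RUN_KEYS:
        present.update(_values(reg, key))
    return sorted(n for n in baseline_run_values
                  if n in DELETED_RUN_VALUES and n.lower() not in present)


# Constructed sample export from an infected host (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"wingo"="C:\\WINDOWS\\system32\\wingo.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe\" /tray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Params]
"TimeKey"=dword:41829a3c
'''
# Constructed names from C:\WINDOWS and C:\WINDOWS\system32 on the same host.
SAMPLE_FILES = ["CJECTOR.EXE", "ntoskrnl.exe", "wingo.exe", "WINGO.EXEOPEN", "ctfmon.exe"]
# Constructed baseline: Run values the gold image for this host is known to carry.
SAMPLE_BASELINE = {"KasperskyAVEng", "SoundMAX", "ctfmon.exe"}

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for hit in check_bagle_au_indicators(reg, SAMPLE_FILES):
        print("INDICATOR:", hit)
    for name in missing_startup_entries(reg, SAMPLE_BASELINE):
        print("MISSING STARTUP ENTRY:", name)
```

Because the worm rewrites the wingo value many times a second, the Run key is evidence rather than a remediation point: terminate the WINGO.EXE process (or scan from clean media) before removing the value and the dropped files, then restore the startup entries the worm deleted.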
W32/Bagle-AU attempts to send itself via email to addresses harvested from files found on the infected computer with the following extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP.
The emails have the following characteristics:
Subject line:
Re:
Re: Hello
Re: Thank you!
re: Thanks :)
Re: Hi
Message text:
:)
:))
Attachment name:
Price
price
Joke
Attachment extension:
EXE
SCR
COM
CPL
W32/Bagle-AU will not send itself to addresses containing the following strings:
@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
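The email characteristics (subject, body, attachment name and extension) and the recipient filter above can both be turned into code. The following is an added example, not Sophos code: looks_like_bagle_au() applies the listed characteristics to a raw RFC 822 message as a gateway rule, and worm_skips_recipient() reproduces the address filter, which is why vendor, abuse and postmaster mailboxes never receive copies. Matching is done case-insensitively, which is a detection choice and not something the write-up states. The sample messages are built by build_sample() and are constructed for the example.

```python
"""Gateway rule for the W32/Bagle-AU mailing pattern (added example, not Sophos code)."""
from email import message_from_string, policy
from email.message import EmailMessage

SUBJECTS = {"re:", "re: hello", "re: thank you!", "re: thanks :)", "re: hi"}
BODIES = {":)", ":))"}
ATTACHMENT_STEMS = {"price", "joke"}
ATTACHMENT_EXTS = {"exe", "scr", "com", "cpl"}

# Substrings of recipient addresses the worm refuses to mail (from the write-up).
SKIP_SUBSTRINGS = (
    "@avp.", "@foo", "@hotmail", "@iana", "@messagelab", "@microsoft", "@msn",
    "abuse", "admin", "anyone@", "bsd", "bugs@", "cafee", "certific", "contract@",
    "feste", "free-av", "f-secur", "gold-certs@", "google", "help@", "icrosoft",
    "info@", "kasp", "linux", "listserv", "local", "news", "nobody@", "noone@",
    "noreply", "ntivi", "panda", "pgp", "postmaster@", "rating@", "root@",
    "samples", "sopho", "spam", "support", "unix", "update", "winrar", "winzip",
)


def worm_skips_recipient(address):
    """True if the worm's filter would drop this harvested address."""
    a = address.lower()
    return any(s in a for s in SKIP_SUBSTRINGS)


def looks_like_bagle_au(raw_message):
    """True if subject, plain-text body and an attachment all match the pattern."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    if subject not in SUBJECTS:
        return False
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body not in BODIES:
        return False
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").rpartition(".")
        if stem.lower() in ATTACHMENT_STEMS and ext.lower() in ATTACHMENT_EXTS:
            return True
    return False


def build_sample(subject, body, attachment_name):
    """Build a raw message shaped like a worm mail (constructed test input)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    # A few bytes starting with the MZ signature stand in for the executable.
    msg.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    print(looks_like_bagle_au(build_sample("Re: Hello", ":)", "price.exe")))           # True
    print(looks_like_bagle_au(build_sample("Re: Hello", "see attached", "price.exe")))  # False
    print(worm_skips_recipient("postmaster@example.com"))                              # True
```

All three conditions must hold before the rule fires, which keeps false positives low on a pattern whose subject lines ("Re: Hi") are common on their own; a gateway that only blocks the attachment extensions would still catch the mail but would not attribute it.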
W32/Bagle-AU attempts to terminate the following processes:
alogserv.exe
APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
Avconsol.exe
AVENGINE.EXE
AVPUPD.EXE
Avsynmgr.exe
AVWUPD32.EXE
AVXQUAR.EXE
bawindo.exe
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
CFIAUDIT.EXE
DefWatch.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
mcagent.exe
mcshield.exe
MCUPDATE.EXE
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
NISUM.EXE
nopdb.exe
NPROTECT.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
pavProxy.exe
pavsrv50.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
symlcsvc.exe
UPDATE.EXE
UpdaterUI.exe