Sophos

W32/Bagle-AX

Aliases
  • Email-Worm.Win32.Bagle.ex

Summary

How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 16 December 2005 03:43:27 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Bagle-AX is a mass-mailing worm for the Windows platform.

W32/Bagle-AX sends a ZIP file as an email attachment. The ZIP file contains an executable detected as Troj/BagleDl-AO.

Once installed, this executable attempts to download further files, which may include copies of the original worm W32/Bagle-AX.

W32/Bagle-AX includes functionality to download files from the internet and store them to the location <System>\re_file.exe.

Emails sent by W32/Bagle-AX have the following characteristics:

Subject line chosen from:

Andrew
Androw
Androwe
Anthonie
Anthony
Anthonye
Bennet
Bennet
Bennett
Christean
Christian
Christian
Constance
Daniel
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edmund
Edward
Edward
Edwarde
Elizabeth
Elizabeth
Elizabethe
Emanual
Emanuel
Emanuell
Frances
Francis
Francis
Fraunces
Gabriell
Geoffraie
George
Harrye
Henrie
Henrye
Humphrey
Humphrey
Humphrie
Isabel
Isabell
Isabell
Jeames
Jeffrey
Jeffrye
Josias
Judeth
Judith
Judith
Judithe
Katherine
Katherine
Katheryne
Leonard
Leonard
Leonarde
Margaret
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Martha
Michael
Michael
Mychaell
Nathaniel
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholas
Nicholaus
Nycholas
Rebecka
Richard
Richard
Richarde
Robert
Robert
Roberte
Rycharde
Samuell
Sidney
Sindony
Stephen
Susanna
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

Message text chosen from:

New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year
The password is <image>
Password: <image>
We congratulate happy New Year

The attachment filename is chosen from the same list as the subject.
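The three email characteristics above (a subject taken from the name list, a body taken from the short message list, and a ZIP attachment named after the subject) are enough to write a mail-gateway check for this lure. The following is an added example, not Sophos code: it parses a raw RFC 822 message with Python's standard email package and reports which of the page's indicators it matches. The two body lines that end in <image> on the page are matched by prefix, since the image carries the per-message password. The sample messages produced by make_sample are constructed for illustration; the sender and recipient addresses are placeholders.

```python
"""Detect the W32/Bagle-AX email lure described on the page.

Added example, not Sophos tooling. Subject, body and attachment rules come
from the page; sample messages are constructed here.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Subject lines (and attachment base names) listed on the page.
BAGLE_AX_SUBJECTS = frozenset("""
Andrew Androw Androwe Anthonie Anthony Anthonye Bennet Bennett Christean
Christian Constance Daniel Danyell Dorithie Dorothee Dorothy Edmond Edmonde
Edmund Edward Edwarde Elizabeth Elizabethe Emanual Emanuel Emanuell Frances
Francis Fraunces Gabriell Geoffraie George Harrye Henrie Henrye Humphrey
Humphrie Isabel Isabell Jeames Jeffrey Jeffrye Josias Judeth Judith Judithe
Katherine Katheryne Leonard Leonarde Margaret Margarett Margerie Margerye
Margret Margrett Martha Michael Mychaell Nathaniel Nathaniell Nathanyell
Nicholas Nicholaus Nycholas Rebecka Richard Richarde Robert Roberte Rycharde
Samuell Sidney Sindony Stephen Susanna Suzanna Sybell Sybyll Syndony Thomas
Valentyne William Winifred Wynefrede Wynefreed Wynnefreede
""".split())

# Complete body texts listed on the page.
BAGLE_AX_BODIES = frozenset({
    "New Year's", "New Year's Day.", "Happy New Year",
    "We congratulate happy New Year",
})
# On the page these two end in an inline <image> holding the ZIP password,
# so only the fixed text prefix is comparable.
BAGLE_AX_BODY_PREFIXES = ("The password is", "Password:")


def _body_text(msg):
    """Return the stripped text/plain body, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else ""


def bagle_ax_indicators(raw_message):
    """Return the list of page-derived indicators matched by a raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    hits = []
    if subject in BAGLE_AX_SUBJECTS:
        hits.append("subject-from-list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        # The page says the attachment name is chosen from the same list as
        # the subject; in practice that means "<subject>.zip".
        if ext.lower() == "zip" and stem == subject:
            hits.append("zip-named-after-subject")
    body = _body_text(msg)
    if body in BAGLE_AX_BODIES or body.startswith(BAGLE_AX_BODY_PREFIXES):
        hits.append("body-from-list")
    return hits


def is_bagle_ax_lure(raw_message):
    """The ZIP carrier named after a listed subject is the decisive pair."""
    hits = bagle_ax_indicators(raw_message)
    return "subject-from-list" in hits and "zip-named-after-subject" in hits


def make_sample(subject, body, attachment_name=None):
    """Build a constructed test message (addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # Placeholder bytes, not a real archive.
        m.add_attachment(b"PK\x03\x04 constructed placeholder",
                         maintype="application", subtype="zip",
                         filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    lure = make_sample("Judith", "Happy New Year", "Judith.zip")
    benign = make_sample("Judith", "Minutes attached", "minutes.zip")
    print("lure:", bagle_ax_indicators(lure), is_bagle_ax_lure(lure))
    print("benign:", bagle_ax_indicators(benign), is_bagle_ax_lure(benign))
```

A real gateway would treat a subject that happens to be a first name as weak evidence on its own; the attachment rule does the work here, and the body rule only adds confidence, which is why is_bagle_ax_lure requires the subject and attachment indicators together.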

W32/Bagle-AX will avoid sending emails to addresses containing any of the following strings:

@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip

When first run, W32/Bagle-AX copies itself to <System>\wind2ll2.exe. Registry entries may be created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
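The removal steps earlier on this page have you export the registry and then look for references to deleted files under the Run keys of HKLM and each HKEY_USERS hive, while the paragraph above says this variant's entries may appear under Ru1n instead. The following is an added example, not Sophos tooling, that parses a Regedit "Export Registry File" text and lists every value under a key named Run or Ru1n whose data refers to the two files the page attributes to the worm, wind2ll2.exe and re_file.exe. The registry export below is constructed: the value names, the user SID and the full paths are placeholders, since the page gives only the filenames and the <System> location.

```python
"""List autorun values that reference the files named on the page.

Added example, not Sophos tooling. Parses .reg export text offline.
"""
import re

# Key names to inspect: Run (from the removal steps) and Ru1n (where the
# page says this variant's entries may be created).
AUTORUN_KEY_NAMES = {"run", "ru1n"}
# Files the page attributes to W32/Bagle-AX.
BAGLE_AX_FILES = ("wind2ll2.exe", "re_file.exe")

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data  (the default value)
_VALUE_RE = re.compile(
    r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(data):
    """Strip the quotes of a REG_SZ literal and undo .reg backslash escaping."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data.replace("\\\\", "\\").replace('\\"', '"')


def find_autorun_references(reg_text, filenames=BAGLE_AX_FILES):
    """Return (key, value name, data) for matching values under Run/Ru1n keys.

    Works for any hive in the export (HKLM, HKCU, each HKEY_USERS\\<SID>).
    """
    hits = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or key.rsplit("\\", 1)[-1].lower() not in AUTORUN_KEY_NAMES:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        data = _unescape(m.group("data"))
        if any(f in data.lower() for f in filenames):
            name = m.group("name") if m.group("name") is not None else "(Default)"
            hits.append((key, name, data))
    return hits


# Constructed export: value names, SID and paths are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
"wind2ll2"="C:\\WINDOWS\\system32\\wind2ll2.exe"

[HKEY_USERS\S-1-5-21-EXAMPLE-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"re_file"="C:\\WINDOWS\\system32\\re_file.exe"
"Messenger"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
"""


if __name__ == "__main__":
    for key, name, data in find_autorun_references(SAMPLE_REG_EXPORT):
        print(f"[{key}]\n    {name!r} = {data}")
```

Run it against the Backup.reg produced by the export step; every line it prints is a value to remove in Regedit, and a clean result after deletion and reboot confirms the entries did not come back.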
