Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 7 January 2006 05:58:44 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Bagle-BP is an email worm for the Windows platform.
The email may use one of the following for a message subject:
New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year
The message text may contain either "The password is <image file>" or "Password: <image file>".
Email sent by W32/Bagle-BP contains an attached ZIP file with one of the following names (followed by the ZIP file extension):
Andrew
Androw
Androwe
Anthonie
Anthony
Anthonye
Bennet
Bennet
Bennett
Christean
Christian
Christian
Constance
Daniel
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edmund
Edward
Edward
Edwarde
Elizabeth
Elizabeth
Elizabethe
Emanual
Emanuel
Emanuell
Frances
Francis
Francis
Fraunces
Gabriell
Geoffraie
George
Harrye
Henrie
Henrye
Humphrey
Humphrey
Humphrie
Isabel
Isabell
Isabell
Jeames
Jeffrey
Jeffrye
Josias
Judeth
Judith
Judith
Judithe
Katherine
Katherine
Katheryne
Leonard
Leonard
Leonarde
Margaret
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Martha
Michael
Michael
Mychaell
Nathaniel
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholas
Nicholaus
Nycholas
Rebecka
Richard
Richard
Richarde
Robert
Robert
Roberte
Rycharde
Samuell
Sidney
Sindony
Stephen
Susanna
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede
W32/Bagle-BP does not send email to addresses containing the following:
@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip
At the time of writing, these ZIP files and the contained EXE files are detected by Sophos's anti-virus products as Troj/BagleDl-AX.
When run, W32/Bagle-BP copies itself to the Windows system folder as wind2ll2.exe and creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
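The email traits described above (subject line, password wording in the body, and a ZIP attachment named from the list) can be combined into a mail triage check. The following is an added example, not Sophos code: the function names, the quarantine policy, and the sample messages are assumptions, and only a subset of the attachment names is included to keep it short.

```python
from email.message import EmailMessage
import re

# Subject lines copied from this page, lower-cased for comparison.
SUBJECTS = {"new year's", "new year's day.", "happy new year",
            "we congratulate happy new year"}
# Subset of the page's attachment names (the full list is longer).
ZIP_STEMS = {"andrew", "bennett", "dorothy", "elizabeth", "wynnefreede"}
# Body wording from the page: "The password is ..." or "Password: ...".
PASSWORD_RE = re.compile(r"\b(the password is|password:)", re.IGNORECASE)


def bagle_bp_traits(msg):
    """Return the set of page-listed traits that this message matches."""
    traits = set()
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        traits.add("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and PASSWORD_RE.search(body.get_content()):
        traits.add("password-text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        if ext == "zip" and stem in ZIP_STEMS:
            traits.add("zip-name")
    return traits


def should_quarantine(msg):
    # Assumed policy: a listed ZIP name plus at least one other trait.
    traits = bagle_bp_traits(msg)
    return "zip-name" in traits and len(traits) >= 2


def build_sample(subject, text, filename):
    """Constructed test message; the attachment bytes are inert filler."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content(text)
    msg.add_attachment(b"not a real archive", maintype="application",
                       subtype="zip", filename=filename)
    return msg
```

Requiring two traits keeps a seasonal greeting with an unrelated ZIP, or a common first name on an archive, from being quarantined on a single match.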
