W32/Bagle-CF

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Email attachments Peer-to-peer
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	4 February 2006 03:49:12 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
DsplObjects
<System>\windspl.exe

and delete it if it exists.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Bagle-CF is a mass-mailing worm and backdoor Trojan for the Windows platform.

W32/Bagle-CF spreads via file sharing on P2P networks and via email.

W32/Bagle-CF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

W32/Bagle-CF includes functionality to access the internet and communicate with a remote server via HTTP. W32/Bagle-CF is a mass-mailing worm and backdoor Trojan for the Windows platform.

W32/Bagle-CF spreads via file sharing on P2P networks and via email.

W32/Bagle-CF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

W32/Bagle-CF includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Bagle-CF copies itself to <System>\windspl.exe and any folder whose name contains the word 'shar' using the following filenames:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
KAV 5.0
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

and creates the following files:

<Temporary Internet Files>\Content.IE5\4ha3op6f\ijj.t35[1].html
<Windows>\regisp32.exe
<System>\windspl.exeopen
<System>\windspl.exeopenopen

The following registry entry is created to run windspl.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
DsplObjects
<System>\windspl.exe

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Bagle-CF

Summary

Action

More Information