Sophos

W32/Bagle-CJ

Aliases
  • Email-Worm.Win32.Bagle.fm

How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 9 February 2006 18:40:23 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[SID of the user]\, where the SID is the string beginning S-1-5-21- that identifies that account (the HKCU hive described under More Information is this same area for the currently logged-on user). For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
Regmonitor
<Windows system folder>\regmaping.exe

and delete it if it exists.

Close the registry editor.
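
The same check and removal, done from an elevated PowerShell prompt instead of by hand in Regedit. This is an added example and not Sophos's own tooling; it takes only the value name 'Regmonitor' and the image name 'regmaping.exe' from the advisory. The backup directory and the report format are this script's own choices.

```powershell
# Added example (not part of the Sophos advisory): remove the worm's Run value
# from every loaded user hive, exporting the key first as the advisory asks.
# Only hives that are currently loaded appear under HKEY_USERS: logged-on
# users, the service accounts, and any NTUSER.DAT mounted with 'reg load'.

$ValueName = 'Regmonitor'                      # value name from the advisory
$ImageName = 'regmaping.exe'                   # image name from the advisory
$BackupDir = Join-Path $env:TEMP 'bagle-cj-reg-backup'   # assumption: our own backup location
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Skip the per-user HKEY_CLASSES_ROOT shadow hives (S-1-5-21-..._Classes).
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' }

$removed = @()
foreach ($hive in $hives) {
    $sid    = $hive.PSChildName
    $runKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -Path $runKey)) { continue }

    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) { continue }

    # Match on the image name, not the full path: '<Windows system folder>'
    # differs between installations (System32, or SysWOW64 on 64-bit hosts).
    $data = [string]$props.$ValueName
    if ($data -notmatch [regex]::Escape($ImageName)) {
        Write-Warning "HKU\$sid\...\Run\$ValueName exists but points at '$data'; leaving it alone"
        continue
    }

    # Export the Run key before deleting anything (reg.exe works on every supported Windows).
    $backup = Join-Path $BackupDir "Run-$sid.reg"
    & reg.exe export "HKU\$sid\Software\Microsoft\Windows\CurrentVersion\Run" $backup /y | Out-Null

    Remove-ItemProperty -Path $runKey -Name $ValueName
    $removed += [pscustomobject]@{ Hive = $sid; Data = $data; Backup = $backup }
}

if ($removed.Count -eq 0) {
    "No '$ValueName' Run value pointing at $ImageName found in any loaded hive."
} else {
    $removed | Format-Table -AutoSize
}
```

For users who are not logged on, their hive is not under HKEY_USERS at all; load it first with `reg load HKU\TempHive C:\Users\<name>\NTUSER.DAT`, run the script, then `reg unload HKU\TempHive`. Removing the Run value only stops the worm restarting at logon; the file itself must still be removed by your anti-virus product or by hand.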

More Information

W32/Bagle-CJ is a worm for the Windows platform.

W32/Bagle-CJ spreads via file sharing on P2P networks and via email.

W32/Bagle-CJ includes functionality to access the internet and communicate with a remote server via HTTP.

W32/Bagle-CJ will attempt to copy itself to folders whose name contains the word 'shar' (which matches the default shared folders of common P2P clients, such as 'Shared' or 'My Shared Folder') using the following filenames:

Adobe Photoshop 9 full.exe
Ahead Nero 10.exe
anna benson sex video.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
IE beta 7.exe
jenna elfman sex anal deepthroat.exe
kate beckinsale nude pictures.exe
miss america Porno, sex, oral, anal cool, awesome!!.exe
paris hilton Porno pics arhive, xxx.exe
Porno Screensaver.scr
Serials 2005 database.exe
Serials.txt.exe
Windown Vista Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

W32/Bagle-CJ will attempt to harvest email addresses from the infected computer and then mail itself to those addresses as an attachment.

The subject line will be chosen at random, and the message text will contain one of the following:

"Billing department, order <Random number>-<Random number>

Dear Sir or Madam,

This notification is just a friendly reminder (not a bill or a second charge) that on 15-JAN-06, you placed an order from Symantec Store. This order was paid using your Visa, whose last 4 digits are ************2346, and will be appearing on your billing statement shortly. The charge will appear as DR *Symantec. This is just a reminder to help you recognize the charge. You will not be charged again.
You antivirus definition file is attached to this email, please install it to be perfectly protected from the latest viruses and other internet threats.

"******************************************************************

Details about your reciept attached with this email. You have to use Adobe Acrobat Reader to open it.

Transaction Number: <Random number>
This is your receipt for your $1490 purchase of a 1.0 months subscription which will appear on your statement as <Random number>-<Random number>-<Random number>.
Your membership will automatically renew per the terms and conditions.

Should you ever have any problems whatsoever, please don't hesitate to contact our live technical support staff - available 24 hours a day 7 days a week. We can be reached by phone toll free in the US at 800-534-8593. Rather use email? Drop us a line at bill@gmail.com and we'll always get back to you within an hour.

Enjoy the service!
Support

******************************************************************"

"Your email %s has exceeded its bandwidth quota in the period beginning on 2006-01-01. Your quota is set to 10485760 bytes (10.0 MB), and your email has consumed 559189702 bytes (533.285 MB) beyond that quota.

Our over-bandwidth charges are

Additional Bandwidth/Month Monthly Cost
100 Mb $200.00
200 MB $360.00
300 MB $480.00
400 MB $624.00
500 Mb $740.00 <- your over-usage
600 Mb $850.00

Our automatically generated bill is attached with this email.

Sincerely,
Sales Manager."

Attachments will have one of the following names:

Generated_bill
Order_details
Service_receipt

When first run, W32/Bagle-CJ copies itself to <Windows system folder>\regmaping.exe and creates the file <Windows folder>\winresw.exe, which is detected as W32/Bagle-CF.

The following registry entry is created to run regmaping.exe on startup (HKCU is the HKU\[SID] hive of the logged-on user referred to in the removal instructions above):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Regmonitor
<Windows system folder>\regmaping.exe
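
The removal instructions above cover the Run value, but not the copies the worm leaves on disk: the two dropped binaries and the lure-named copies in shared folders. The following is an added example, not Sophos's own code, that sweeps a host for those files using only the paths and filenames the advisory lists. The SysWOW64 location is an assumption for 64-bit hosts (a 32-bit process writing to System32 is redirected there); the CSV output path and the SHA256 hashing are this script's own choices, made so that copies found on different hosts can be correlated. It reports and does not delete.

```powershell
# Added example (not part of the Sophos advisory): find W32/Bagle-CJ copies on disk.
# Read-only: it lists what it finds so the files can be handed to your AV or IR process.

# Lure filenames from the advisory (compared case-insensitively by -contains).
$LureNames = @(
    'Adobe Photoshop 9 full.exe',
    'Ahead Nero 10.exe',
    'anna benson sex video.exe',
    'barrett jackson nude photos, movies, porn video.exe',
    'Britney Spears sex photos.exe',
    'IE beta 7.exe',
    'jenna elfman sex anal deepthroat.exe',
    'kate beckinsale nude pictures.exe',
    'miss america Porno, sex, oral, anal cool, awesome!!.exe',
    'paris hilton Porno pics arhive, xxx.exe',
    'Porno Screensaver.scr',
    'Serials 2005 database.exe',
    'Serials.txt.exe',
    'Windown Vista Beta Leak.exe',
    'Windows Sourcecode update.doc.exe',
    'XXX hardcore images.exe'
)

# Drop locations from the advisory; SysWOW64 is an assumption for 64-bit hosts.
$DropFiles = @(
    (Join-Path $env:SystemRoot 'System32\regmaping.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\regmaping.exe'),
    (Join-Path $env:SystemRoot 'winresw.exe')      # detected as W32/Bagle-CF
)

$script:hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Kind, [string]$Path) {
    $script:hits.Add([pscustomobject]@{
        Kind   = $Kind
        Path   = $Path
        Size   = (Get-Item -LiteralPath $Path -Force).Length
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    })
}

foreach ($f in $DropFiles) {
    if (Test-Path -LiteralPath $f) { Add-Hit 'dropped-binary' $f }
}

# P2P copies: any folder whose name contains 'shar', on every filesystem drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -Path $drive.Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'shar' } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $LureNames -contains $_.Name } |
                ForEach-Object { Add-Hit 'p2p-lure' $_.FullName }
        }
}

if ($script:hits.Count -eq 0) {
    'No W32/Bagle-CJ drop files or P2P lure copies found.'
} else {
    $script:hits | Sort-Object Kind, Path | Format-Table -AutoSize
    $script:hits | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'bagle-cj-hits.csv')   # assumption: our own output location
}
```

Run it elevated so that every user's profile and the system folders are readable. A lure-named file whose hash matches a known dropped binary is a copy of the worm; a lure-named file with a different hash may be something else entirely and should be examined rather than assumed, since the advisory gives no hashes to compare against.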

