Sophos

W32/Bagle-CO

Aliases
  • Email-Worm.Win32.Bagle.ae
  • W32/Bagle.gen@MM
  • Worm.Bagle.Gen-dll
  • WORM_Bagle.GEN
  • W32/Sality

How it spreads
  • Email attachments
  • Peer-to-peer
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 15 February 2006 18:14:31 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
MovieM
<Windows system folder>\lmovie.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Bagle-CO is a worm for the Windows platform.

W32/Bagle-CO spreads via file sharing on P2P networks and via email.

W32/Bagle-CO sends itself to email addresses found on the infected computer. Emails sent by the worm have the following characteristics:

From: an address found on the infected computer

Subject: one of

Will You Be My Valentine?
Love you with all my heart!
See you tonight!
Come Be With Me, my Love!
My dream is coming true!

Message text:
The instruction "Click to attachment to load a movie" followed by several lines of poetry, with a heart as the background image

Attachment name: one of
love_me.exe
love_me_now.exe
mplay.exe

W32/Bagle-CO runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

W32/Bagle-CO includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, W32/Bagle-CO copies itself to the following filenames in any folders whose names contain the letters "shar":

Adobe Photoshop 9 full.exe
Ahead Nero 10.exe
anna benson sex video.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
IE beta 7.exe
jenna elfman sex anal deepthroat
kate beckinsale nude pictures.exe
miss america Porno, sex, oral, anal cool, awesome!!.exe
paris hilton Porno pics arhive, xxx.exe
Porno Screensaver.scr
Serials 2005 database.exe
Serials.txt.exe
Windown Vista Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

W32/Bagle-CO copies itself to the file lmovie.exe in the Windows system folder and creates the following registry entry to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MovieM
<Windows system folder>\lmovie.exe

W32/Bagle-CO creates the file vcaults32.exe in the Windows folder. This file (also detected as W32/Bagle-CO) attempts to download and execute files from preconfigured URLs.
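To check a machine for the persistence artifacts just described (and to carry out the per-user Run key removal given under Action), the following PowerShell audit script is an added example and is not part of the Sophos page. It assumes lmovie.exe sits in System32 (the "Windows system folder") and that it is run from an elevated prompt so every loaded user hive under HKEY_USERS is readable; it only deletes anything when -Remove is passed, and exports the Run key to a .reg backup first.

```powershell
# Added example (not from the Sophos page): audit a Windows host for the
# W32/Bagle-CO artifacts described above: lmovie.exe, vcaults32.exe, and the
# 'MovieM' value under each user's Run key. Read-only unless -Remove is given.
param([switch]$Remove)

$findings  = @()
$systemDir = [Environment]::GetFolderPath('System')   # assumed <Windows system folder>
$winDir    = [Environment]::GetFolderPath('Windows')

# Dropped files, and any running copies of them
foreach ($f in "$systemDir\lmovie.exe", "$winDir\vcaults32.exe") {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}
foreach ($p in Get-Process -Name lmovie, vcaults32 -ErrorAction SilentlyContinue) {
    $findings += "process running: $($p.ProcessName) (PID $($p.Id))"
}

# Run key in every loaded user hive under HKEY_USERS (the page's HKU\[code number])
$hives = (Get-ChildItem Registry::HKEY_USERS).Name    # e.g. HKEY_USERS\S-1-5-21-...
foreach ($hive in $hives) {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath "Registry::$key")) { continue }
    $val = Get-ItemProperty -LiteralPath "Registry::$key" -Name MovieM -ErrorAction SilentlyContinue
    if (-not $val -or $val.MovieM -notmatch 'lmovie\.exe') { continue }
    $findings += "registry: $key\MovieM = $($val.MovieM)"
    if ($Remove) {
        # Back up the key before editing, as the removal instructions advise
        $stamp  = Get-Date -Format 'yyyyMMddHHmmss'
        $sid    = ($hive -split '\\')[-1]
        $backup = Join-Path $env:TEMP "run-key-backup-$sid-$stamp.reg"
        reg.exe export "$key" "$backup" /y | Out-Null
        Remove-ItemProperty -LiteralPath "Registry::$key" -Name MovieM
        $findings += "removed MovieM from $key (backup: $backup)"
    }
}

if ($findings.Count -eq 0) { 'No W32/Bagle-CO artifacts found.' } else { $findings }
```

Only hives that are currently loaded appear under HKEY_USERS, so users who are not logged on are not covered until their hive is loaded.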

When first run, W32/Bagle-CO displays the following fake error message:

Title: Error!
Message: Can't find a viewer associated with the file.
