Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 21 February 2006 14:43:05 (GMT) |
| Last updated | 22 February 2006 10:00:52 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Bagle-CQ is a worm and backdoor Trojan for the Windows platform.
W32/Bagle-CQ spreads via file sharing on P2P networks and via email.
W32/Bagle-CQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
W32/Bagle-CQ includes functionality to access the internet and communicate with a remote server via HTTP.
When first run, W32/Bagle-CQ creates multiple copies of itself in various locations, using the following filenames:
Adobe Photoshop 9 full.exe
Ahead Nero 10.exe
Britney Spears sex photos.exe
IE beta 7.exe
Porno Screensaver.scr
Serials 2005 database.exe
Serials.txt.exe
Windown Vista Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
anna benson sex video.exe
barrett jackson nude photos, movies, porn video.exe
com
jenna elfman sex anal deepthroat
kate beckinsale nude pictures.exe
miss america Porno, sex, oral, anal cool, awesome!!.exe
paris hilton Porno pics arhive, xxx.exe
W32/Bagle-CQ creates the above-named copies in the following file-sharing related folders in order to spread via peer-to-peer networks:
\Documents and Settings\All Users\Documents\Shared Music\
<Desktop>\BearShare\
<User>\My Documents\yahoomentor\shared\
\My Shared Folder\
<Common Files>\Microsoft Shared\
<Program Files>\KaZaA Lite\My Shared Folder\
<Program Files>\KaZaA\My Shared Folder\
<Program Files>\Kmd\My Shared Folder\
<Program Files>\Limewire\My Shared Folder\
<Program Files>\Limewire\Shared\
<Program Files>\MSN Messenger\shared folder\
<Program Files>\Messenger\shared folder\
<Program Files>\Morpheus\My Shared Folder\
<Program Files>\Shareaza\
<Program Files>\bearshare\
<Program Files>\eDonkey2000\My Shared Folder\
<Program Files>\icq\shared files\
W32/Bagle-CQ sends itself as an email attachment. This attachment may be in the form of a password-protected zip file, for which it includes the password in the message text.
W32/Bagle-CQ includes functionality to download files from the internet and store them at the location <System>\re_file.exe.
Emails sent by W32/Bagle-CQ have the following characteristics:
Subject line: <Blank>
Message text chosen from:
'Password: %s'
'Pass - %s'
'Password - %s'
'Will You Be My Valentine?'
'Love you with all my heart!'
'See you tonight!'
'Come Be With Me, my Love!'
W32/Bagle-CQ will avoid sending emails to addresses containing any of the following strings:
'@hotmail'
'@microsoft'
'rating@'
'f-secur'
'update'
'anyone@'
'contract@'
'gold-certs@'
'nobody@'
'noone@'
'icrosoft'
'support'
'listserv'
'certific'
'free-av'
'@messagelab'
'winzip'
'google'
'winrar'
'samples'
'noreply'
'postmaster@'
W32/Bagle-CQ also creates the following files:
<Temporary Internet Files>\Content.IE5\od6fwfox\ijj.t35[1].htm
<System>\lmovie.exeopen
<System>\lmovie.exeopenopen
<Windows>\vcualts32.exe
The following registry entry is created to run lmovie.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MovieM
<System>\lmovie.exe
W32/Bagle-CQ may add an entry for itself to the following registry key in order to allow itself to pass through Windows Firewall:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
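As an added detection example (not Sophos code), the following Python parses a Windows registry export (the text produced by `reg export`) and flags the Run-key persistence entry and the Windows Firewall AuthorizedApplications exception described above, keyed on the value name MovieM and the dropped file names lmovie.exe, vcualts32.exe and re_file.exe. The sample export embedded in the script is constructed.

```python
"""Hunt for W32/Bagle-CQ persistence and firewall-exception indicators in a
Windows registry export (.reg text, as produced by `reg export`).
Added example, not Sophos code; SAMPLE_EXPORT below is constructed."""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Indicators taken from the analysis: the Run value name and the dropped binaries.
SUSPECT_VALUE = "moviem"
SUSPECT_FILES = ("lmovie.exe", "vcualts32.exe", "re_file.exe")

def parse_reg_export(text):
    """Return {key: {value_name: data}} for the string values in .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def find_bagle_indicators(reg_text):
    """Return (key, value_name, data) tuples that match the Bagle-CQ indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            drops_binary = any(f in data.lower() for f in SUSPECT_FILES)
            if key.lower() == RUN_KEY.lower() and (name.lower() == SUSPECT_VALUE or drops_binary):
                hits.append((key, name, data))  # startup persistence
            elif key.lower() == FW_LIST_KEY.lower() and drops_binary:
                hits.append((key, name, data))  # Windows Firewall exception
    return hits

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MovieM"="C:\\WINDOWS\\system32\\lmovie.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\lmovie.exe"="C:\\WINDOWS\\system32\\lmovie.exe:*:Enabled:lmovie"
"""

if __name__ == "__main__":
    for key, name, data in find_bagle_indicators(SAMPLE_EXPORT):
        print(f"suspect: [{key}] {name} = {data}")
```

The clean ctfmon.exe and Windows Messenger entries are left alone; only the MovieM Run value and the lmovie.exe firewall exception are reported.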
