high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 21 February 2006 14:43:05 (GMT) |
| Last updated | 22 February 2006 10:00:52 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Bagle-CZ is a mass-mailing worm for the Windows platform.
When first run W32/Bagle-CZ copies itself to <System>\wind2ll2.exe.
W32/Bagle-CZ sends itself as an email attachment. This attachment may be in the form of a password-protected zip file, for which it includes the password in the message text.
W32/Bagle-CZ includes functionality to download files from the internet and store them to the location <System>\re_file.exe.
Emails sent by W32/Bagle-CZ have the following characteristics:
Subject line: <Blank>
Message text chosen from:
'New Year's'
'New Year's Day.'
'Happy New Year'
'We congratulate happy New Year'
'The password is <image>'
'Password: <image>'
W32/Bagle-CZ will avoid sending emails to addresses containing any of the following strings:
@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip
W32/Bagle-CZ creates the following registry entries to run itself on startup :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
<random string>
<System>\windll2.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
<random string>
<System>\windll2.exe
W32/Bagle-CZ terminates the following processes:
1t1epad.exe
t1es1t.exe
|
