Antivirus and Security Software from Sophos


W32/Bagle-DM


Summary

How it spreads
  • Email attachments
  • Peer-to-peer
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 1 March 2006 01:49:19 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
winshell
<System>\windll32lib.exe

and delete it if it exists.

Close the registry editor.
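As an added, defender-side example that is not part of the Sophos page, the Python script below parses a Regedit export (the kind produced by the 'Export Registry File' step above) and lists every per-user Run entry that matches the persistence value this page describes (value name winshell, target <System>\windll32lib.exe). The sample export and its user SIDs are constructed; only the key path, value name and filename come from the page.

```python
import re

# Indicators from the W32/Bagle-DM description on this page: a "winshell" value
# under each user's ...\CurrentVersion\Run key pointing at <System>\windll32lib.exe.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_NAME = "winshell"
PAYLOAD_NAME = "windll32lib.exe"
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

def parse_reg_export(reg_text):
    """Parse a Regedit .reg export into {key_path: {value_name: data}}.
    Only string values ("name"="data") matter here; .reg escaping is undone."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys

def find_bagle_run_entries(reg_text):
    """Return [(key_path, value_name, data)] for each per-user Run entry that
    matches the worm's persistence value, by value name or by target file."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if not (k.endswith(RUN_KEY_SUFFIX) and k.startswith(("hkey_users\\", "hkey_current_user\\"))):
            continue
        for name, data in values.items():
            if name.lower() == VALUE_NAME or data.lower().endswith(PAYLOAD_NAME):
                hits.append((key, name, data))
    return hits

# Constructed sample export (not a real capture): one clean and one infected user hive.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run]
"winshell"="C:\\WINDOWS\\system32\\windll32lib.exe"
"""

for key, name, data in find_bagle_run_entries(SAMPLE_EXPORT):
    print(f"{key}\n  {name} = {data}")
```

Real exports are written as UTF-16 text, so read the file with that encoding before passing it to the parser.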

More Information

W32/Bagle-DM is a mass-mailing and peer-to-peer worm for the Windows platform.

W32/Bagle-DM includes functionality to access the internet and communicate with
a remote server via HTTP.

When first run W32/Bagle-DM copies itself to any folders that contain the word
'shar' in their name using the following filenames:

Adobe Photoshop 9 full.exe
Ahead Nero 10.exe
Britney Spears sex photos.exe
IE beta 7.exe
Porno Screensaver.scr
Serials 2005 database.exe
Serials.txt.exe
Windown Vista Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
anna benson sex video.exe
barrett jackson nude photos, movies, porn video.exe
jenna elfman sex anal deepthroat.exe
kate beckinsale nude pictures.exe
miss america Porno, sex, oral, anal cool, awesome!!.exe
paris hilton Porno pics arhive, xxx.exe
<System>\windll32lib.exe

and creates the following files:

<Windows>\72109.exe
<System>\windll32lib.exeopen
<System>\windll32lib.exeopenopen
<Windows>\vcremoval.dll - a text file of harvested email addresses; it can be
safely deleted.

The following registry entry is created to run windll32lib.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winshell
<System>\windll32lib.exe

Emails sent by the worm have the following characteristics:

Subject lines chosen from:

Phshing is illigal
You are a criminal and will be busted!
You steal from innocent people
Where did you learn to scam?
<blank>

Message text chosen from:

'Dude,

I found your email from whois info of a web page that was used in spam and
illigal activity,please do something or you will be sued and busted.

Was very dumb to leave your email, asshole!

P.S Attached file is self-exatracting archive with information about your
criminal activity.'

'Hey pal. Do you know, that your webpage paypalll.comprovides a phishing
attack?
Open attached file for a proof
hmmmm it's quite nice, but I think that cops would be interested in it.

So my friend. take the page away and put a Appologize on it.
Or the Police will hear from me.
Cya my friend'

Filenames chosen from:
scam.exe
proof.exe
your_info.exe
whois_info.exe

The email message may also contain another file:
report.txt

This file contains a BASE64-encoded version of the worm as well as another
BASE64-encoded file, report.txt.

The BASE64 encoded file report.txt within the message reads:

++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.com
