Sophos

W32/Bagle-DS


Summary

Affected operating systems Windows
Protection available since 3 March 2006 13:48:21 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to remove the following registry entry for each user who ran the worm. Removing this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\ (the code number is the user's security identifier, or SID). For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
win_shell
<System>\win32lib.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Bagle-DS is a mass-mailing worm and backdoor Trojan for the Windows platform.

W32/Bagle-DS spreads via file sharing on P2P networks and via email.

W32/Bagle-DS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer.

W32/Bagle-DS harvests email addresses from files on the infected computer, stores them in the plain text file <Windows>\vcremoval.dll (despite the extension, this is not a library), and sends itself to these addresses with the following email characteristics:

Subject (one of the following):

Lawsuit against you
Call to your lawer immidiately
Pay your debts before we come to you
We wait your response.

Message text (starts with one of the following):

LAWSUIT AGAINST YOU (CLICK TO ATTACHED DOCUMENT FOR MORE INFORMATION)

Tucker's Fix-It-Quick Garage

...

LAWSUIT AGAINST YOU (CLICK TO ATTACHED DOCUMENT FOR MORE INF ORMATION)
To Whom It May Concern:

On 02, 2006, you sent a facsimile (the Fax) to my facsimile machine that is
connected to my telephone number 678-5713-1571.

...

LAWSUIT AGAINST YOU (ATTACHMENT HAS MORE INFORMATION)
1550 Peachtree Street
Atlanta, GA 30309

...

Attachment name (one of the following):

lawsuit.exe
explanation.exe
documents.exe

W32/Bagle-DS includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Bagle-DS copies itself to <System>\win32lib.exe, <System>\win32lib.exeopen and <System>\win32lib.exeopenopen, as well as to any folder whose name contains the word 'shar' using the following filenames:

Adobe Photoshop 9 full.exe
Ahead Nero 10.exe
anna benson sex video.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
IE beta 7.exe
jenna elfman sex anal deepthroat.exe
kate beckinsale nude pictures.exe
miss america Porno, sex, oral, anal cool, awesome!!.exe
paris hilton Porno pics arhive, xxx.exe
Porno Screensaver.scr
Serials 2005 database.exe
Serials.txt.exe
Windown Vista Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

The following registry entry is created so that win32lib.exe runs on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
win_shell
<System>\win32lib.exe

W32/Bagle-DS deletes this entry if the system date is later than 10 March 2006. The absence of the entry therefore does not by itself mean that the worm is no longer present; check for the dropped files as well.

W32/Bagle-DS also attempts to download and execute further files from egozda.com, mimitza.com, kerrabez.com, morkovcka.com and varsshava.com.

W32/Bagle-DS contains the following text:

In a difficult world
In a nameless time
I want to survive
So, you will be mine!!
-- Bagle Author, 29.04.04, Germany.
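The following script is an added example and is not part of the Sophos description; it turns the artifact list above and the registry removal procedure in the Action section into a single host triage and clean-up step. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, resolves <System> and <Windows> from the running OS rather than hard-coding C:\Windows, and checks the win_shell value by its data as well as its name so that an unrelated value of the same name is left alone. The file paths, lure filenames and registry key are taken from this page; everything else (parameter names, output format) is the example's own.

```powershell
<#
  Added example (not Sophos code): triage a Windows host for the
  W32/Bagle-DS artifacts described above and, with -Remove, clean them up.
  Assumes Windows PowerShell 5.1+, elevated. Run with -Remove -WhatIf first
  to see what would be stopped and deleted without changing anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # report only unless this switch is given
)

$system  = [Environment]::GetFolderPath('System')    # <System>, e.g. C:\Windows\System32
$windows = [Environment]::GetFolderPath('Windows')   # <Windows>

# Files the worm drops; vcremoval.dll is the plain-text list of harvested
# addresses, not a real DLL, and is worth keeping a copy of for notification.
$dropped = @(
    (Join-Path $system  'win32lib.exe'),
    (Join-Path $system  'win32lib.exeopen'),
    (Join-Path $system  'win32lib.exeopenopen'),
    (Join-Path $windows 'vcremoval.dll')
)

# Lure names copied into any folder whose name contains 'shar' (P2P shares)
$lures = @(
    'Adobe Photoshop 9 full.exe', 'Ahead Nero 10.exe', 'anna benson sex video.exe',
    'barrett jackson nude photos, movies, porn video.exe', 'Britney Spears sex photos.exe',
    'IE beta 7.exe', 'jenna elfman sex anal deepthroat.exe', 'kate beckinsale nude pictures.exe',
    'miss america Porno, sex, oral, anal cool, awesome!!.exe', 'paris hilton Porno pics arhive, xxx.exe',
    'Porno Screensaver.scr', 'Serials 2005 database.exe', 'Serials.txt.exe',
    'Windown Vista Beta Leak.exe', 'Windows Sourcecode update.doc.exe', 'XXX hardcore images.exe'
)

# 1. Dropped files in <System> and <Windows>
$fileHits = @($dropped | Where-Object { Test-Path -LiteralPath $_ })

# 2. Lure copies in every '*shar*' directory on the file-system drives
$shareHits = @(Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -and (Test-Path -LiteralPath $_.Root) } |
    ForEach-Object { Get-ChildItem -LiteralPath $_.Root -Directory -Recurse -Filter '*shar*' -ErrorAction SilentlyContinue } |
    ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -File -ErrorAction SilentlyContinue } |
    Where-Object { $lures -contains $_.Name } |
    Select-Object -ExpandProperty FullName)

# 3. The win_shell Run value in every loaded user hive (HKEY_USERS\<SID>).
#    Only hives of logged-on users are present here; load NTUSER.DAT of other
#    users (reg load) to check them. The value must point at win32lib.exe.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runHits = @(foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    $runKey = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $runKey)) { continue }
    $data = (Get-ItemProperty -LiteralPath $runKey -Name 'win_shell' -ErrorAction SilentlyContinue).win_shell
    if ($data -and $data -like '*\win32lib.exe*') {
        [pscustomobject]@{ Key = $runKey; Name = 'win_shell'; Data = $data }
    }
})

# Report
$fileHits  | ForEach-Object { "FILE    $_" }
$shareHits | ForEach-Object { "LURE    $_" }
$runHits   | ForEach-Object { "RUNKEY  $($_.Key)\$($_.Name) = $($_.Data)" }
if (-not ($fileHits + $shareHits + $runHits)) {
    'No W32/Bagle-DS artifacts found (note: the Run value removes itself after 10 March 2006).'
}

# Clean-up: stop the running copy first, otherwise deleting the locked image fails
if ($Remove) {
    Get-Process | Where-Object { $_.Path -and $_.Path -like '*\win32lib.exe' } |
        ForEach-Object { if ($PSCmdlet.ShouldProcess($_.Path, 'Stop process')) { Stop-Process -Id $_.Id -Force } }
    foreach ($f in $fileHits + $shareHits) {
        if ($PSCmdlet.ShouldProcess($f, 'Delete file')) { Remove-Item -LiteralPath $f -Force }
    }
    foreach ($v in $runHits) {
        if ($PSCmdlet.ShouldProcess("$($v.Key)\$($v.Name)", 'Remove Run value')) {
            Remove-ItemProperty -LiteralPath $v.Key -Name $v.Name
        }
    }
}
```

The recursive directory walk in step 2 can take several minutes on large volumes; restrict it to the drives that host P2P share folders if time matters. The script does not cover the HTTP download behaviour described above: search proxy and DNS logs for egozda.com, mimitza.com, kerrabez.com, morkovcka.com and varsshava.com, because any files fetched from them will not be caught by the filename checks here.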
