Sophos

W32/Bagle-EX


Summary

 
How it spreads
  • Email attachments
  • Web downloads
Affected operating systems: Windows
Protection available since: 23 December 2005 00:13:04 (GMT)
Detected by: All Sophos products

More Information

W32/Bagle-EX is an email worm for the Windows platform.

The worm sends email with ZIP file attachments and various subjects and message texts. At the time of writing, these ZIP files and the contained EXE files are detected by Sophos's anti-virus products as Troj/BagleDl-AY.

The email may use one of the following for a message subject:

New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year

The message text may contain either "The password is <image file>" or "Password: <image file>".

When run, W32/Bagle-EX copies itself to the Windows system folder as wind2ll2.exe and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

W32/Bagle-EX does not send email to addresses containing the following:

@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip

Email sent by W32/Bagle-EX contains an attached ZIP file with one of the following names (followed by the ZIP file extension):

Andrew
Androw
Androwe
Anthonie
Anthony
Anthonye
Bennet
Bennet
Bennett
Christean
Christian
Christian
Constance
Daniel
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edmund
Edward
Edward
Edwarde
Elizabeth
Elizabeth
Elizabethe
Emanual
Emanuel
Emanuell
Frances
Francis
Francis
Fraunces
Gabriell
Geoffraie
George
Harrye
Henrie
Henrye
Humphrey
Humphrey
Humphrie
Isabel
Isabell
Isabell
Jeames
Jeffrey
Jeffrye
Josias
Judeth
Judith
Judith
Judithe
Katherine
Katherine
Katheryne
Leonard
Leonard
Leonarde
Margaret
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Martha
Michael
Michael
Mychaell
Nathaniel
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholas
Nicholaus
Nycholas
Rebecka
Richard
Richard
Richarde
Robert
Robert
Roberte
Rycharde
Samuell
Sidney
Sindony
Stephen
Susanna
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede
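
The mail traits listed above (subject, password text, ZIP attachment name) can be combined into a triage check for a mailbox sweep or gateway hook. This is an added example, not Sophos code; the function names, the `example.test` addresses and the constructed sample messages are assumptions, and `ZIP_NAMES` holds only a subset of the names listed above.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above (compared lower-cased).
SUBJECTS = {"new year's", "new year's day.", "happy new year",
            "we congratulate happy new year"}
BODY_MARKERS = ("the password is", "password:")
# Subset of the attachment base names listed above; load the full list in practice.
ZIP_NAMES = {"andrew", "anthony", "bennett", "christian", "dorothy",
             "elizabeth", "margaret", "nicholas", "william", "wynnefreede"}

def score_message(raw: bytes) -> dict:
    """Report which W32/Bagle-EX mail traits a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    hits = {"subject": subject in SUBJECTS, "zip_name": False,
            "password_text": False, "image_part": False}
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if fname.endswith(".zip") and fname[:-4] in ZIP_NAMES:
            hits["zip_name"] = True
        elif ctype.startswith("image/"):
            hits["image_part"] = True   # the password is delivered as an image
        elif ctype == "text/plain" and not fname:
            text = part.get_content().lower()
            hits["password_text"] |= any(m in text for m in BODY_MARKERS)
    # A listed ZIP name alone is just a first name; require a second trait.
    hits["suspicious"] = hits["zip_name"] and (hits["subject"] or hits["password_text"])
    return hits

def build_sample(subject: str, zip_name: str, body: str) -> bytes:
    """Constructed test message with a dummy (empty) ZIP attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.test", "user@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                     subtype="zip", filename=zip_name)
    return m.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample("Happy New Year", "Margaret.zip", "Password:")))
    print(score_message(build_sample("Quarterly report", "report.zip", "See attached.")))
```
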

