W32/Bagle-GM

Please follow the instructions for removing worms.

W32/Bagle-GM is a mass-mailing worm for the Windows platform.

Messages sent by the worm will have the following characteristics:

Subject: chosen randomly from

=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3F?=

=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C4?=
=?koi8-r?Q?=C5=DB=D8=3F?=

=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_=D7=C9=C4=C5=CC=C1?=

Message text: non-Latin characters

Attachment name: chosen randomly from

new.cab
me.cab
you.cab
cool.cab
Re.cab W32/Bagle-GM is a mass-mailing worm for the Windows platform.

Messages sent by the worm will have the following characteristics:

Subject: chosen randomly from

=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3F?=

=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C4?=
=?koi8-r?Q?=C5=DB=D8=3F?=

=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_=D7=C9=C4=C5=CC=C1?=

Message text: non-Latin characters

Attachment name: chosen randomly from

new.cab
me.cab
you.cab
cool.cab
Re.cab

The attachment is a CAB archive containing a file with a random basename and one of the following double extensions:

.cab .cpl
.doc .cpl
.txt .cpl
.avi .cpl
.mpeg .cpl

This file is also detected as W32/Bagle-GM.

When first run W32/Bagle-GM copies itself to <Windows folder>\csrss.exe.

The following registry entry is changed to run W32/Bagle-GM on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Windows folder>\csrss.exe

W32/Bagle-GM creates registry entries for its own use beneath

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices

W32/Bagle-GM contains functionality to download and install updated versions of itself from preconfigured URLs.