Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 17 April 2006 15:47:20 (GMT) |
| Cleanup available since | April 2006 |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Bagle-GO is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
Subject: chosen randomly from
=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_ =CE=CF=D7=CF=D3=D4=C9=3F?=
=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_ =CD=CE=C5_=D0=D2=C9=C5=C4?=
=?koi8-r?Q?=C5=DB=D8=3F?=
=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_ =D7=C9=C4=C5=CC=C1?=
Message text: non-Latin characters
Attachment name: chosen randomly from
new.cab
me.cab
you.cab
cool.cab
Re.cab
The attachment is a CAB archive detected as W32/Bagle-GN, and contains a file with a random basename and one of the following double extensions:
.cab .cpl
.doc .cpl
.txt .cpl
.avi .cpl
.mpeg .cpl
This CPL file is also detected as W32/Bagle-GO.
When run, a file with the same name as the CPL file but without the CPL extension, containing non-Latin characters, may be dropped to the current folder and opened.
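The subject lines listed above are RFC 2047 encoded-words in the KOI8-R charset, which is why they look like line noise in the advisory; decoding them shows what a recipient actually sees and lets a mail gateway match the lure on its decoded text as well as on the attachment naming. The following Python is an added example, not Sophos code: it decodes the advisory's subject lines (the second and third lines turn out to be two encoded-words of one subject, so they are decoded together), and triages a constructed sample message for the listed attachment names and the double-extension CPL naming. The sample message, its placeholder attachment bytes and the function names are assumptions.

```python
"""Mail-triage helpers for the W32/Bagle-GO lure described above.
Added example, not Sophos code; sample message and function names are assumptions."""
import re
from email import message_from_string
from email.header import decode_header

# The encoded-word lines listed in the advisory. The wrapping space the advisory
# prints inside each encoded-word is removed here, since RFC 2047 forbids it.
ENCODED_SUBJECT_LINES = [
    "=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3F?=",
    "=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C4?=",
    "=?koi8-r?Q?=C5=DB=D8=3F?=",
    "=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_=D7=C9=C4=C5=CC=C1?=",
]
ATTACHMENT_NAMES = {"new.cab", "me.cab", "you.cab", "cool.cab", "re.cab"}
# "<random>.doc .cpl"-style names; whitespace between the two extensions is
# tolerated because the advisory prints them separated by a space.
DISGUISED_CPL = re.compile(r"\.(cab|doc|txt|avi|mpeg)\s*\.cpl$", re.IGNORECASE)


def decode_subject(raw_header):
    """Decode an RFC 2047 header value to text; adjacent encoded-words are joined."""
    parts = []
    for chunk, charset in decode_header(raw_header):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def decode_known_subjects():
    """The three lure subjects in readable form. Lines 2 and 3 of the advisory's
    list are two encoded-words of one subject, so they are decoded together."""
    first, second_a, second_b, third = ENCODED_SUBJECT_LINES
    return [decode_subject(first),
            decode_subject(second_a + " " + second_b),
            decode_subject(third)]


def is_disguised_cpl(filename):
    """True for the double-extension names the advisory lists (e.g. 'x.doc .cpl')."""
    return DISGUISED_CPL.search(filename.strip()) is not None


def triage_message(raw_message):
    """Return the advisory indicators that a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)  # compat32 policy keeps headers raw
    findings = []
    subject = decode_subject(msg.get("Subject", ""))
    if subject in decode_known_subjects():
        findings.append(f"subject is a known W32/Bagle-GO lure: {subject!r}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        if name.lower() in ATTACHMENT_NAMES:
            findings.append(f"attachment name listed in the advisory: {name}")
        if is_disguised_cpl(name):
            findings.append(f"double-extension CPL attachment: {name}")
    return findings


# Constructed sample message (placeholder attachment bytes, not a real archive).
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: " + ENCODED_SUBJECT_LINES[0] + "\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="bagle-go-demo"\n'
    "\n"
    "--bagle-go-demo\n"
    'Content-Type: text/plain; charset="koi8-r"\n'
    "\n"
    "(message text omitted)\n"
    "--bagle-go-demo\n"
    'Content-Type: application/vnd.ms-cab-compressed; name="new.cab"\n'
    'Content-Disposition: attachment; filename="new.cab"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "AAAA\n"
    "--bagle-go-demo--\n"
)

if __name__ == "__main__":
    for subject in decode_known_subjects():
        print(subject)
    for finding in triage_message(SAMPLE_MESSAGE):
        print(finding)
```

Run stand-alone, the script prints the three decoded subjects and the two findings for the embedded sample (lure subject, listed attachment name). At a gateway, `triage_message` would be called on each raw message; matching on the decoded subject rather than the encoded bytes is what keeps the check working when a sender re-encodes the same text with Base64 or a different charset.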
When first run W32/Bagle-GO copies itself to <Windows>\csrss.exe and to <Temp>\ntsys.exe.
The following registry entry is changed to run W32/Bagle-GO on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Windows>\csrss.exe
W32/Bagle-GO creates registry entries for its own use beneath
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices
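The Image File Execution Options entry above is the worm's persistence mechanism: a `Debugger` value under an image name makes Windows launch that "debugger" instead of the image, so every start of explorer.exe runs the copy at <Windows>\csrss.exe. Any `Debugger` value hijacks the image it is set on, so an audit should list all of them and not just the one named here. The following Python is an added example, not Sophos code: it reads IFEO `Debugger` values from a `.reg` export (a constructed sample is embedded, with the explorer.exe entry from the advisory and a benign notepad.exe subkey that carries only a `GlobalFlag`) or, on Windows, from the live registry, and flags the indicator the advisory gives, a csrss.exe that lives outside System32. The sample export and the function names are assumptions.

```python
"""Audit Image File Execution Options (IFEO) Debugger values.
Added example, not Sophos code; the sample .reg export and names are assumptions."""
import re
import sys

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed .reg export: the explorer.exe redirection the advisory describes
# plus a benign IFEO subkey that has no Debugger value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_ifeo_debuggers(reg_text):
    """Map image name -> Debugger value for direct IFEO subkeys in a .reg export."""
    prefix = ("HKEY_LOCAL_MACHINE\\" + IFEO_PATH + "\\").lower()
    debuggers = {}
    image = None
    for line in reg_text.splitlines():
        key_match = KEY_LINE.match(line.strip())
        if key_match:
            key = key_match.group(1)
            rest = key[len(prefix):] if key.lower().startswith(prefix) else ""
            # Only direct children such as explorer.exe, not deeper subkeys.
            image = rest if rest and "\\" not in rest else None
            continue
        value_match = STRING_VALUE.match(line.strip())
        if image and value_match and value_match.group(1).lower() == "debugger":
            # .reg files escape backslashes and quotes with a backslash.
            debuggers[image] = re.sub(r"\\(.)", r"\1", value_match.group(2))
    return debuggers


def debugger_executable(debugger):
    """First token of a Debugger value: the quoted path, or the text before the first space."""
    debugger = debugger.strip()
    if debugger.startswith('"') and '"' in debugger[1:]:
        return debugger[1:debugger.index('"', 1)]
    return debugger.split(" ", 1)[0]


def audit_ifeo(debuggers):
    """Report every Debugger value; flag csrss.exe outside System32 (the Bagle-GO copy)."""
    findings = []
    for image, debugger in sorted(debuggers.items()):
        parts = debugger_executable(debugger).lower().rstrip("\\").split("\\")
        basename = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        findings.append({
            "image": image,
            "debugger": debugger,
            "bagle_go_indicator": basename == "csrss.exe" and parent != "system32",
        })
    return findings


def audit_ifeo_export(reg_text):
    """Convenience wrapper: parse a .reg export and audit it."""
    return audit_ifeo(parse_ifeo_debuggers(reg_text))


def collect_ifeo_live():
    """Read IFEO Debugger values from the live registry; Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live registry access needs Windows; audit a .reg export instead")
    import winreg
    debuggers = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as ifeo:
        index = 0
        while True:
            try:
                image = winreg.EnumKey(ifeo, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(ifeo, image) as sub:
                    debuggers[image] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:
                pass  # this image has no Debugger value
    return debuggers


if __name__ == "__main__":
    for finding in audit_ifeo_export(SAMPLE_REG_EXPORT):
        print(finding)
```

On a suspect host, `audit_ifeo(collect_ifeo_live())` gives the same findings structure from the live hive; the export path is there so the same check can be run against a `reg export` collected during response. A legitimate entry such as a just-in-time debugger is still listed, because the point of the audit is that each `Debugger` value is reviewed, while the indicator flag only fires on the specific path the advisory names.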
W32/Bagle-GO contains functionality to download and install updated versions of itself from preconfigured URLs.
