W32/Bagle-QW

Aliases
  • Email-Worm.Win32.Bagle.gt
  • Win32/Bagle.HE
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 12 December 2006 22:23:07 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You can also download the Sophos Bagle Removal Tool.

More Information

To remove Bagle you can download the Sophos Bagle Removal Tool.

W32/Bagle-QW is a worm for the Windows platform.

W32/Bagle-QW spreads via email within a ZIP file.

W32/Bagle-QW includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Bagle-QW copies itself to:

<User>\Application Data\hidn\hidn2.exe
<User>\Application Data\hidn\hldrrr.exe

and creates the following files:

\error.txt - harmless file
\temp.zip - also detected as W32/Bagle-QW

The following registry entry is created to run hidn2.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<User>\Application Data\hidn\hidn2.exe

W32/Bagle-QW sets the following registry entry, which disables the automatic startup of the Windows Update service (a Start value of 4 marks a service as disabled):

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

Registry entries are created under:

HKCU\Software\FirstRun

Emails sent by the worm have the following characteristics:

Subject line chosen from:
new <date>
price<date>
price_ <date>
price_new <date>

The message text may be empty.

The attached file is named:
new_price<date>.zip
price_list<date>.zip
latest_price<date>.zip

<date> is the date the email was sent, written in the format 12-Dec-2006.
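A mail-gateway check for the subject and attachment naming patterns described above, added here as an example; it is not Sophos code. The message records are constructed samples, and the field names (`id`, `subject`, `attachments`) are assumptions.

```python
import re
from datetime import datetime

# <date> token as the worm writes it, e.g. 12-Dec-2006
_DATE = r"([0-9]{2}-[A-Za-z]{3}-[0-9]{4})"

# Subject templates from the description: "new <date>", "price<date>",
# "price_ <date>", "price_new <date>"
SUBJECT_RE = re.compile(rf"^(?:new |price|price_ |price_new ){_DATE}$")

# Attachment names from the description: new_price<date>.zip,
# price_list<date>.zip, latest_price<date>.zip
ATTACHMENT_RE = re.compile(
    rf"^(?:new_price|price_list|latest_price){_DATE}\.zip$", re.IGNORECASE
)


def _valid_date(token: str) -> bool:
    """True if the token is a real calendar date in dd-Mon-yyyy form."""
    try:
        datetime.strptime(token, "%d-%b-%Y")
        return True
    except ValueError:
        return False


def indicators(subject: str, attachments: list[str]) -> list[str]:
    """Return which of the worm's naming indicators a message matches."""
    found = []
    m = SUBJECT_RE.match(subject.strip())
    if m and _valid_date(m.group(1)):
        found.append("subject")
    for name in attachments:
        a = ATTACHMENT_RE.match(name.strip())
        if a and _valid_date(a.group(1)):
            found.append("attachment")
            break
    return found


def scan(messages: list[dict]) -> list[str]:
    """IDs of messages carrying a ZIP named like the worm's attachment."""
    return [m["id"] for m in messages
            if "attachment" in indicators(m["subject"], m["attachments"])]


# Constructed sample messages (hypothetical gateway metadata, not real mail)
SAMPLE_MESSAGES = [
    {"id": "msg-1", "subject": "price_new 12-Dec-2006",
     "attachments": ["new_price12-Dec-2006.zip"]},
    {"id": "msg-2", "subject": "Re: invoice", "attachments": ["report.pdf"]},
    {"id": "msg-3", "subject": "new 31-Feb-2006",       # impossible date
     "attachments": ["price_list31-Feb-2006.zip"]},
]
```

Only the attachment name is used as the blocking indicator; the subject is reported as a second signal because it is short enough to collide with legitimate mail.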
