high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 5 October 2004 07:50:37 (GMT) |
| Last updated | 13 May 2005 08:47:52 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
syslogin.exe = syslogin.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Bagz-B is mass mailing network worm. It also contains a backdoor which allows an intruder to instruct it to download and install further components.
W32/Bagz-B may also try to disable the Windows default firewall on startup.
W32/Bagz-B will attempt to harvest email addresses from the "Document and setting" folder on the local machine with names such as *.txt, *.htm, *.htm, *,dbx, *.tbi, *.tbb. The email it sends will contain an attachment either in ZIP format or in a binary file. It will contain the following subject lines:
"last request before refunding"
"re: user id update"
"fwd: your funds are eligible for withdrawal"
"find a solution with this customer"
"no subject"
"re: help desk registration"
"failure notice"
"fwd: password"
"when should i call you?"
"re: re: a question"
"knowledge base article"
"open invoices"
"returned mail: see transcript for details"
"building maintenance"
"[fwd: broken link]"
"winxp"
"troubles are back again"
"questions"
"order approval"
"units available"
"progress news"
"big announcements"
"need help pls"
"you have recieved an ecard!"
"what is this ????"
"deactivation notice"
"message recieved, please confirm"
"my funny stories"
"cost inquiry"
"re: payment"
"referrences"
"webmail invite"
"re: quote request"
Attachments can use the following names:
arch.doc<spaces>.exe
arch.zip
archive.doc<spaces>.exe
archive.zip
atach.doc<spaces>.exe
atach.zip
att.doc<spaces>.exe
att.zip
contact.doc<spaces>.exe
contact.zip
db.doc<spaces>.exe
db.zip
dl.exe
doc.doc<spaces>.exe
doc.zip
documents.doc<spaces>.exe
documents.zip
file.doc<spaces>.exe
file.zip
ipdb.dll
jobdb.dll
mail.doc<spaces>.exe
mail.zip
message.doc<spaces>.exe
message.zip
messages.doc<spaces>.exe
messages.zip
msg.doc<spaces>.exe
msg.zip
read.doc<spaces>.exe
read.zip
readme.doc<spaces>.exe
readme.zip
support.doc<spaces>.exe
support.zip
syslogin.exe
tutorial.doc<spaces>.exe
warning.doc<spaces>.exe
warning.zip
W32/Bagz-B will keep a copy of the above files in the folder %system32%. Other than the above, it will also drop the following components:
%system32%/dl.exe
%system32%/syslogin.exe
%system32%/ipdb.dll
%system32%/jobdb.dll
And also create the following autorun registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
syslogin.exe = syslogin.exe
|
