Summary

| Included in our products from | April 2004 (3.80) |
|---|---|
| Protection available since | 28 February 2004 01:00:08 (GMT) |
| Last updated | 28 February 2004 08:05:11 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please follow the instructions for removing W32/Bagle-C.
More Information
W32/Bagle-C is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk.
The worm appears with a Microsoft Office 2000 Excel icon. When run, the worm opens NOTEPAD.EXE, copies itself to the Windows system folder as README.EXE and creates the following files in the same folder:
DOC.EXE - a DLL plugin used to load ONDE.EXE
ONDE.EXE - the main DLL component of the worm
README.EXEOPEN - a copy of the worm in ZIP format
W32/Bagle-C adds the value:
gouday.exe = <SYSTEM>\readme.exe
to the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/Bagle-C runs every time you log on to your computer.
W32/Bagle-C also creates the following registry entries:
HKCU\Software\DateTime2\frun=1
HKCU\Software\DateTime2\port=2745
HKCU\Software\DateTime2\uid=<number>
Emails have the following characteristics:
Subject lines:
Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee
There is no message text.
Attached file: a randomly named ZIP archive
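The email characteristics above translate directly into a gateway-side check: a subject from the documented list, an empty message body and a single ZIP attachment. The following is an added example (not Sophos code) that parses a raw RFC 822 message with Python's standard email library and reports which of the three documented traits it shows; the two sample messages are constructed, and the attachment name xqkz31.zip is an arbitrary stand-in for the worm's randomly named archive.

```python
import email
from email import policy

# Subject lines listed in the analysis, lower-cased for case-insensitive matching.
BAGLE_C_SUBJECTS = {
    "price", "new price-list", "hardware devices price-list",
    "weekly activity report", "daily activity report", "maria", "jenny",
    "jessica", "registration confirmation",
    "usa government abolishes the capital punishment", "freedom for everyone",
    "flayers among us", "from hair-cutter", "melissa", "camila", "price-list",
    "pricelist", "price list", "hello my friend", "hi!", "well...",
    "greet the day", "the account", "looking for the report",
    "you really love me? he he", "you are dismissed", "accounts department",
    "from me", "monthly incomings summary", "the summary",
    "proclivity to servitude", "ahtung!", "the employee",
}

# Constructed sample resembling a worm-generated message: listed subject,
# no text part content, one ZIP attachment (the base64 is an empty ZIP archive).
SAMPLE_WORM_MAIL = """\
From: someone@example.com
To: victim@example.com
Subject: Hardware devices price-list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

--sep
Content-Type: application/zip; name="xqkz31.zip"
Content-Disposition: attachment; filename="xqkz31.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--sep--
"""

# Constructed legitimate message whose subject happens to be on the list.
SAMPLE_LEGIT_MAIL = """\
From: sales@example.com
To: buyer@example.com
Subject: Price list
Content-Type: text/plain; charset="us-ascii"

Hello, our updated prices for the next quarter are attached below.
"""


def extract_features(raw_message):
    """Parse a raw message and return (subject, body_text, attachment_names)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    body_text = ""
    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    return subject, body_text, attachments


def score_message(raw_message):
    """Return the list of documented Bagle-C traits the message exhibits."""
    subject, body, attachments = extract_features(raw_message)
    reasons = []
    if subject.lower() in BAGLE_C_SUBJECTS:
        reasons.append("subject is on the Bagle-C list")
    if not body.strip():
        reasons.append("message has no text")
    if len(attachments) == 1 and attachments[0].lower().endswith(".zip"):
        reasons.append("single ZIP attachment")
    return reasons


def should_quarantine(raw_message):
    # Require all three traits together: a subject match alone is far too
    # common in normal business mail ("Price list", "Hi!", "The account").
    return len(score_message(raw_message)) == 3


if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM_MAIL), ("legit", SAMPLE_LEGIT_MAIL)):
        print(name, should_quarantine(raw), score_message(raw))
```

Requiring all three traits keeps false positives down; a subject-only match is still worth logging so that a sudden spike of these subjects from many senders can be spotted.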
W32/Bagle-C opens up a backdoor on port 2745 and listens for connections. If it receives the appropriate command, it attempts to download and execute a file. W32/Bagle-C also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.
The worm terminates processes with the following names:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE
If the date is after 14 March 2004, W32/Bagle-C terminates itself and deletes all the registry entries it created when it first ran.
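The host-side indicators in this analysis (the Run value, the DateTime2 marker key, the dropped files and the listening port) can be checked together during triage. The following is an added example, not Sophos code: it parses the standard text format written by `reg export` and reports which documented indicators are present, with the listening ports and the system-folder file list supplied by the caller. The registry export is constructed; the system folder path and the uid value in it are placeholders, since the analysis gives only `<SYSTEM>` and `<number>`. It also encodes the 14 March 2004 self-removal date, because registry entries that are absent after that date do not show the host was never infected.

```python
from datetime import date

# Indicators taken from the analysis.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "gouday.exe"
MARKER_KEY = r"HKCU\Software\DateTime2"
BACKDOOR_PORT = 2745
DROPPED_FILES = {"readme.exe", "doc.exe", "onde.exe", "readme.exeopen"}
SELF_REMOVAL_DATE = date(2004, 3, 14)

# Constructed "reg export" output for an infected profile. The file path and
# uid are placeholders; port 0xab9 is 2745, matching the analysis.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"gouday.exe"="C:\\WINDOWS\\system32\\readme.exe"

[HKEY_CURRENT_USER\Software\DateTime2]
"frun"=dword:00000001
"port"=dword:00000ab9
"uid"=dword:0001e240
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax used in exports into {key: {name: value}}.

    dword values become ints, string values have the doubled backslashes
    undone, and HKEY_CURRENT_USER is shortened to HKCU to match the analysis.
    """
    tree = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_CURRENT_USER", "HKCU")
            tree.setdefault(key, {})
        elif key and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            if value.startswith("dword:"):
                value = int(value[len("dword:"):], 16)
            elif value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            tree[key][name] = value
    return tree


def find_indicators(reg_export, listening_ports, system_dir_files):
    """Return human-readable findings for each documented indicator present."""
    reg = parse_reg_export(reg_export)
    findings = []
    run_value = reg.get(RUN_KEY, {}).get(RUN_VALUE)
    if run_value is not None:
        findings.append(f"persistence: {RUN_KEY}\\{RUN_VALUE} = {run_value}")
    marker = reg.get(MARKER_KEY)
    if marker is not None:
        findings.append(f"marker key present: {MARKER_KEY} {marker}")
    if BACKDOOR_PORT in listening_ports:
        findings.append(f"backdoor: port {BACKDOOR_PORT} is listening")
    dropped = DROPPED_FILES & {name.lower() for name in system_dir_files}
    if dropped:
        findings.append("dropped files in system folder: " + ", ".join(sorted(dropped)))
    return findings


def kill_switch_active(today):
    """True once the worm would have removed its own registry entries.

    Accepts a date or an ISO date string. After this point a clean registry
    is not evidence that the host was never infected.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return today > SELF_REMOVAL_DATE


if __name__ == "__main__":
    # Constructed inputs standing in for a netstat listing and a folder listing.
    ports = {135, 445, 2745}
    files = ["notepad.exe", "README.EXE", "DOC.EXE", "ONDE.EXE", "README.EXEOPEN"]
    for finding in find_indicators(SAMPLE_REG_EXPORT, ports, files):
        print(finding)
    print("self-removal date passed:", kill_switch_active(date.today()))
```

Because the worm's DateTime2 key stores the listening port as a dword, parsing it as an integer lets the registry value be cross-checked against the actual listening ports rather than only against the fixed 2745.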
