W32/Bagle-CH

Aliases	Email-Worm.Win32.Bagle.fj W32/Bagle.dp!M328 W32.Beagle.DL@mm WORM_BAGLE.CL CME-328
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Email attachments Peer-to-peer
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	March 2006 (4.03)
Protection available since	7 February 2006 15:06:38 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
sysformat
<System>\sysformat.exe

and delete it if it exists.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Bagle-CH is a mass-mailing worm for the Windows platform.

W32/Bagle-CH will attempt to harvest email addresses from the infected computer and then mail itself to those addresses as an attachment.

Messages sent by the worm have the following characteristics:

Sender: an address harvested from the infected computer

Subject: price

Message text: February Price

Attachment name: chosen at random from

price.zip
pricelst.zip
pricelist.zip
price_lst.zip
new_price.zip
February_price.zip
21_price.zip

The zip contains two files:
<random1>.exe : the W32/Bagle-CH executable
<random2> (no extension) : a text file containing random lowercase characters

W32/Bagle-CH will attempt to copy itself to folders whose name contains the word 'shar' using the following filenames:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The worm will not function after the 30th of April, 2007.

When first run W32/Bagle-CH copies itself to <System>\sysformat.exe.

The following registry entry is created to run sysformat.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sysformat
<System>\sysformat.exe

W32/Bagle-CH sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

Registry entries are created under:

HKCU\Software\Microsoft\Params\

The worm will also attempt to modify the Windows HOSTS file and terminate various anti-virus and security related processes.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Bagle-CH

Summary

Action

More Information