Sophos

W32/Bagle-QW

Aliases
  • Email-Worm.Win32.Bagle.gt
  • Win32/Bagle.HE

Summary

How it spreads
  • Email attachments
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Included in our products from February 2007 (4.14)
Protection available since 12 December 2006 22:23:07 (GMT)
Detected by All Sophos products

More Information

W32/Bagle-QW is a worm for the Windows platform.

W32/Bagle-QW spreads via email within a ZIP file.

W32/Bagle-QW includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Bagle-QW copies itself to:

<User>\Application Data\hidn\hidn2.exe
<User>\Application Data\hidn\hldrrr.exe

and creates the following files:

\error.txt - harmless file
\temp.zip - also detected as W32/Bagle-QW

The following registry entry is created to run hidn2.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<User>\Application Data\hidn\hidn2.exe

W32/Bagle-QW sets the following registry entry, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

Registry entries are created under:

HKCU\Software\FirstRun
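The registry and file indicators above can be turned into a host check. The following Python is an added example, not Sophos code: it takes a snapshot of registry values (as `(key, value name, data)` tuples, collected live on Windows through `winreg` or fed in from an export) and reports the Run entry, the `wuauserv` Start value and the `FirstRun` key. The sample snapshot and the user path in it are constructed; the value under `HKCU\Software\FirstRun` is a placeholder, since the description does not list the names written there. `Start = 4` means a service is disabled, which an administrator may also set deliberately, so it is scored lower than the Run entry.

```python
# Indicators taken from the Sophos description of W32/Bagle-QW.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WUAUSERV_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv"
FIRSTRUN_KEY = r"HKCU\Software\FirstRun"
RUN_VALUE_NAME = "drv_st_key"
DROPPED_FILES = (r"\hidn\hidn2.exe", r"\hidn\hldrrr.exe")


def is_dropped_path(path):
    """True if a file path ends in one of the worm's copy locations."""
    p = str(path).lower()
    return any(p.endswith(suffix) for suffix in DROPPED_FILES)


def check_registry_snapshot(snapshot):
    """Score a registry snapshot of (key, value_name, data) tuples.

    Returns a list of (severity, finding) tuples; empty means nothing matched.
    """
    findings = []
    for key, name, data in snapshot:
        k = key.lower()
        if k == RUN_KEY.lower():
            # Either the known value name or the dropped binary as target.
            if name.lower() == RUN_VALUE_NAME or is_dropped_path(data):
                findings.append(("high", f"Run entry {name!r} launches {data}"))
        elif k == WUAUSERV_KEY.lower() and name.lower() == "start":
            if str(data) == "4":  # SERVICE_DISABLED
                findings.append(("medium", "wuauserv Start=4: Automatic Updates disabled"))
        elif k == FIRSTRUN_KEY.lower():
            findings.append(("low", f"{FIRSTRUN_KEY} present (value {name!r})"))
    return findings


def collect_live_snapshot():
    """Read the three keys from the local registry on Windows; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = []
    for full in (RUN_KEY, WUAUSERV_KEY, FIRSTRUN_KEY):
        hive, _, path = full.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:  # no more values
                        break
                    snapshot.append((full, name, data))
                    i += 1
        except OSError:  # key absent or not readable
            continue
    return snapshot


# Constructed sample snapshot (not from a real host) showing an infected profile.
SAMPLE_SNAPSHOT = [
    (RUN_KEY, "drv_st_key", r"C:\Documents and Settings\alice\Application Data\hidn\hidn2.exe"),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (WUAUSERV_KEY, "Start", 4),
    (FIRSTRUN_KEY, "(placeholder)", ""),
]

# Constructed clean snapshot: Automatic Updates set to start automatically (2).
CLEAN_SNAPSHOT = [
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (WUAUSERV_KEY, "Start", 2),
]

if __name__ == "__main__":
    live = collect_live_snapshot()
    for severity, text in check_registry_snapshot(live or SAMPLE_SNAPSHOT):
        print(severity, text)
```

Run on Windows it checks the real registry; elsewhere it falls back to the constructed sample so the scoring logic can be exercised offline.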

Emails sent by the worm have the following characteristics:

Subject line chosen from:
new <date>
price<date>
price_ <date>
price_new <date>

The message text may be empty.

The attached file is named:
new_price<date>.zip
price_list<date>.zip
latest_price<date>.zip

<date> is the date the email was sent, in the format 12-Dec-2006.
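The subject and attachment patterns above are specific enough to use as a mail-gateway rule. The following Python is an added example, not Sophos code: it matches the listed subject lines and attachment names, requires the embedded `<date>` token to be a real calendar date in the 12-Dec-2006 form, and, when a `Date` header is supplied, checks that the embedded date equals the day the message was sent, as the description states. The sample messages are constructed.

```python
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Subject lines and attachment names from the description; each carries the
# sending date in the form 12-Dec-2006.
DATE_TOKEN = r"(\d{1,2}-[A-Za-z]{3}-\d{4})"
SUBJECT_RE = re.compile(r"^(?:new |price|price_ |price_new )" + DATE_TOKEN + r"$")
ATTACHMENT_RE = re.compile(
    r"^(?:new_price|price_list|latest_price)" + DATE_TOKEN + r"\.zip$", re.IGNORECASE
)


def parse_worm_date(token):
    """Parse a 12-Dec-2006 style token; None if it is not a real calendar date."""
    try:
        return datetime.strptime(token, "%d-%b-%Y").date()
    except ValueError:
        return None


def classify_message(subject, attachment_name, date_header=None):
    """Return the reasons a message matches the Bagle-QW mail profile ([] if none)."""
    reasons = []
    subject_date = attachment_date = None

    m = SUBJECT_RE.match(subject or "")
    if m:
        subject_date = parse_worm_date(m.group(1))
        if subject_date:
            reasons.append("subject matches Bagle-QW pattern")

    m = ATTACHMENT_RE.match(attachment_name or "")
    if m:
        attachment_date = parse_worm_date(m.group(1))
        if attachment_date:
            reasons.append("attachment name matches Bagle-QW pattern")

    # The worm stamps the message with the day it was sent, so the embedded
    # date should agree with the Date header when one is available.
    if date_header and (subject_date or attachment_date):
        try:
            sent = parsedate_to_datetime(date_header).date()
        except (TypeError, ValueError):
            sent = None
        if sent is not None and sent in (subject_date, attachment_date):
            reasons.append("embedded date equals the Date header")
    return reasons


# Constructed sample messages (not real captures) to exercise the rule.
SAMPLE_MESSAGES = [
    {"subject": "price_new 12-Dec-2006", "attachment": "new_price12-Dec-2006.zip",
     "date": "Tue, 12 Dec 2006 22:23:07 +0000"},
    {"subject": "Re: meeting notes", "attachment": "notes.docx",
     "date": "Tue, 12 Dec 2006 09:00:00 +0000"},
    # Near misses: a subject form not in the list, and an impossible date.
    {"subject": "price 12-Dec-2006", "attachment": "price_list99-Foo-2006.zip",
     "date": None},
]


def scan(messages):
    """Return the indexes of messages that match at least one indicator."""
    return [i for i, msg in enumerate(messages)
            if classify_message(msg["subject"], msg["attachment"], msg["date"])]


if __name__ == "__main__":
    for i in scan(SAMPLE_MESSAGES):
        msg = SAMPLE_MESSAGES[i]
        print(i, classify_message(msg["subject"], msg["attachment"], msg["date"]))
```

Anchoring the patterns with `^` and `$` and rejecting non-calendar dates keeps the rule from firing on ordinary price lists; the Date-header agreement is the strongest of the three signals because it ties the filename to the moment of sending.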
