Summary

| Included in our products from | March 2004 (3.79) |
|---|---|
| Protection available since | 19 January 2004 01:56:18 (GMT) |
| Detected by | All Sophos products |
Action

Please read the instructions for removing W32/Bagle-A.
More Information
W32/Bagle-A is a worm that sends itself to addresses harvested from files on the hard disk. The worm spoofs the "From" field in emails it sends, which means that it may appear to have come from someone you know.
W32/Bagle-A arrives in an email with the following characteristics:
Subject line: Hi
Message text:
Test =)
[random characters]
--
Test, yep.
Attached file: <random name>.exe
The attached file may appear as a calculator icon. The worm deliberately launches the Calculator application as a disguise.
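The email characteristics listed above can be expressed as a mail-filter heuristic. The following is an added example, not Sophos code; the function names and both sample messages are constructed for illustration, and the attachment is inert placeholder bytes.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Body layout from the description: "Test =)", random characters, "--", "Test, yep."
BODY_RE = re.compile(r"Test =\)\s*\n.*\n--\s*\nTest, yep\.", re.S)


def bagle_a_traits(raw: bytes) -> list[str]:
    """Return which of the described W32/Bagle-A email traits a raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    traits = []
    if (msg["Subject"] or "").strip() == "Hi":
        traits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().replace("\r\n", "\n") if body else ""
    if BODY_RE.search(text):
        traits.append("body")
    # The attachment name is random, so only the .exe extension is checked.
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith(".exe") for n in names):
        traits.append("exe_attachment")
    return traits


def looks_like_bagle_a(raw: bytes) -> bool:
    # The From header is deliberately ignored: the worm spoofs it.
    return bagle_a_traits(raw) == ["subject", "body", "exe_attachment"]


def build_sample(subject: str, text: str, filename: str) -> bytes:
    """Build a constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one matching the description, one benign with the same subject.
SUSPECT = build_sample("Hi", "Test =)\nqwmzkxvh\n--\nTest, yep.\n", "kdjfhsla.exe")
BENIGN = build_sample("Hi", "Minutes attached.\n", "minutes.pdf")

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, bagle_a_traits(raw), looks_like_bagle_a(raw))
```

Requiring all three traits together keeps an ordinary message that merely has the subject "Hi" from being flagged.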
W32/Bagle-A copies itself to bbeagle.exe in the Windows system folder and sets the following registry entry to ensure the worm is run at logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
The worm also sets the following registry entries:
HKCU\Software\Windows98\uid
HKCU\Software\Windows98\frun
W32/Bagle-A includes a backdoor component which listens on TCP port 6777. This allows an attacker to upload and execute arbitrary programs on infected computers.
Note that W32/Bagle-A will not activate if the system date is 28 January 2004 or later.

