Sophos

W32/Bagle-AI

Aliases
  • I-Worm.Bagle.ai

Summary

Affected operating systems: Windows
Included in our products from: September 2004 (3.85)
Protection available since: 19 July 2004 18:47:02 (GMT)
Detected by: All Sophos products

More Information

W32/Bagle-AI is a member of the W32/Bagle family of email worms. W32/Bagle-AI spreads by emailing itself to addresses found on the infected computer's hard disk. The worm searches for email addresses in files with the following extensions:

WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP

The worm will not send mail to addresses which contain any of the following strings:

@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

W32/Bagle-AI uses its own internal SMTP engine to send email messages.

The worm sends an HTML email message with the following characteristics.

Sender:

The sender is always spoofed.

Attached file:

The name of the attached file is

MP3, Music_MP3, New_MP3_Player, Cool_MP3, Doll, Garry, Cat, Dog, Fish

with an extension of ZIP, CPL, EXE, COM or SCR. When ZIP is used, an image file with a random name and the extension JPEG may also be attached. The ZIP file is detected by Sophos Anti-Virus as W32/Bagle-Zip and contains a copy of the worm and a benign data file with an extension of INI, CFG, TXT, DOC, VXD, DEF or DLL.

Subject line:

Re:

Message text:

foto3 and MP3
fotogalary and Music
fotoinfo
lovely animals
animals
predators
the snake
screen and music

When the attachment is a password-protected ZIP file, the message text will also contain one of the following strings:

Password:
Pass -
Key -
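
The message characteristics above can be turned into a mail-gateway check. The following is an added example, not Sophos code: it parses a raw RFC 822 message with Python's standard email library and reports which of the Bagle-AI lure traits (subject, body text, attachment name and extension, password hint) it carries. The sample message and its addresses are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure traits listed in the description above, lower-cased for matching.
BODY_TEXTS = ("foto3 and mp3", "fotogalary and music", "fotoinfo",
              "lovely animals", "animals", "predators", "the snake",
              "screen and music")
ATTACH_NAMES = {"mp3", "music_mp3", "new_mp3_player", "cool_mp3",
                "doll", "garry", "cat", "dog", "fish"}
ATTACH_EXTS = {"zip", "cpl", "exe", "com", "scr"}
PASSWORD_HINTS = ("password:", "pass -", "key -")


def bagle_ai_indicators(raw: bytes) -> list:
    """Return which W32/Bagle-AI lure traits a raw RFC 822 message carries.

    The returned names are in a fixed order: subject, body, attachment,
    password-hint. A message matching all four is a quarantine candidate.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == "re:":
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    # Substring match: the worm appends a password line after the lure text.
    if any(text in body for text in BODY_TEXTS):
        hits.append("body")
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").rpartition(".")
        if stem.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
            hits.append("attachment")
            break
    if any(hint in body for hint in PASSWORD_HINTS):
        hits.append("password-hint")
    return hits


def build_sample(subject, text, attachment_name) -> bytes:
    """Construct a test message (not a real capture); the sender is made up."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"   # constructed address
    m["To"] = "user@example.invalid"        # constructed address
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(b"PK\x03\x04 constructed, not a real archive",
                     maintype="application", subtype="zip",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Re:", "fotogalary and Music\nPassword: 12345", "Music_MP3.zip")
    print(bagle_ai_indicators(lure))  # ['subject', 'body', 'attachment', 'password-hint']
```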

W32/Bagle-AI copies itself to the Windows system folder as winxp.exe and to all folders with the string 'shar' in their names as the following files:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
W32/Bagle-AI attempts to delete the following registry entries from the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
