Sophos

W32/Bagle-CL

Aliases
  • WORM_BAGLE.CL
  • W32/Bagle.do@MM
  • W32/Bagle.DX@mm
  • Email-Worm.Win32.Bagle.fj

How it spreads
  • Email attachments
  • Web downloads
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from March 2006 (4.03)
Protection available since 3 February 2006 23:06:59 (GMT)
Last updated 7 February 2006 15:06:38 (GMT)
Detected by All Sophos products

More Information

W32/Bagle-CL is a worm for the Windows platform.

W32/Bagle-CL attempts to remove services, processes, files and registry entries associated with anti-virus and security software.

When run, W32/Bagle-CL copies itself to the Windows system folder as sysformat.exe and creates the following registry entry in order to run each time a user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sysformat
"<Windows system folder>\sysformat.exe"

The following registry entries may also be set:

HKCU\Software\Microsoft\Params
FirstRun
dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
dword:00000004
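A defender-side check for the host indicators listed above (the dropped file, the Run entry, the FirstRun marker and the disabled SharedAccess service). This is an added example, not Sophos code, and assumes it is run in PowerShell on the Windows host being examined.

```powershell
# Added example: look for the W32/Bagle-CL host indicators described on this page.
# Not Sophos code; assumes PowerShell on the Windows host under examination.
function Test-BagleCLIndicators {
    $findings = @()
    $sysDir  = [Environment]::GetFolderPath('System')
    $dropped = Join-Path $sysDir 'sysformat.exe'

    # 1. Copy of the worm in the Windows system folder
    if (Test-Path -LiteralPath $dropped) {
        $findings += "File present: $dropped"
    }

    # 2. Per-user Run entry named 'sysformat' that launches that file
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'sysformat' -ErrorAction SilentlyContinue
    if ($run -and $run.sysformat -match 'sysformat\.exe') {
        $findings += "Run entry: $runKey\sysformat = $($run.sysformat)"
    }

    # 3. Marker value HKCU\Software\Microsoft\Params\FirstRun = 1
    $params = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Params' `
                               -Name 'FirstRun' -ErrorAction SilentlyContinue
    if ($params -and $params.FirstRun -eq 1) {
        $findings += 'Marker value: HKCU\Software\Microsoft\Params\FirstRun = 1'
    }

    # 4. SharedAccess (Windows Firewall / Internet Connection Sharing) service
    #    set to Disabled (Start = 4). Some administrators disable it on purpose,
    #    so treat this one as corroborating evidence rather than proof on its own.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess' `
                            -Name 'Start' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Start -eq 4) {
        $findings += 'Service SharedAccess Start = 4 (disabled)'
    }

    [PSCustomObject]@{
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

# Print every matched indicator and exit non-zero when any was found.
$result = Test-BagleCLIndicators
$result.Findings | ForEach-Object { Write-Output $_ }
if ($result.Suspicious) { exit 1 }
```

The HKCU checks only cover the user running the script; to sweep every profile on a host, repeat them against each loaded hive under HKEY_USERS.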

W32/Bagle-CL attempts to download and install a file from several remote sites.

The worm harvests email addresses from files on the infected computer. Email sent by W32/Bagle-CL may have the following properties:

Subject line:
Is delivered mail
Registration is accepted
Delivery Service mail
You are made active

Message text:
Before use read the help
Thanks for use of our software.

Mail sent by W32/Bagle-CL contains a randomly named ZIP file containing a randomly named file with the EXE file extension. The ZIP file may contain a second file with a random name and no file extension. Sophos's anti-virus products detect the ZIP file as W32/Bagle-ZIP and the contained EXE file as W32/Bagle-CL.

The TO and FROM addresses in each generated message are chosen from the harvested list of addresses.
