Summary

| Property | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | August 2006 (4.08) |
| Protection available since | 26 June 2006 17:59:21 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Bagle-KJ is an email worm for the Windows platform.
W32/Bagle-KJ searches an infected computer for email addresses to send itself
to. Emails have the following characteristics:
- Subject line: <Random name of a person>
- Message text chosen from:
  - To the beloved
  - I love you
- Attachment filename: <Random name of a person>
When first run, W32/Bagle-KJ copies itself to the following location:
<Current user>\Application Data\hidn\hidn2.exe
and drops a file named m_hook.sys to the same location.
The following registry entry is created in order to automatically start
W32/Bagle-KJ when an infected computer starts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<Path to worm>
The file m_hook.sys is a device driver used to hide the worm on an infected
computer; it also attempts to terminate any security programs running on the
system. It is also detected as W32/Bagle-KJ.
m_hook.sys is registered as a service, creating entries under:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
W32/Bagle-KJ deletes the following registry entries, affecting the safe-mode
boot configurations:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
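Added example (not part of the Sophos analysis): a small Python check that parses the text of a `reg export` file and reports the three registry indicators described above (the drv_st_key Run value, the m_hook service key, and deleted SafeBoot keys). The .reg parser, the sample export and the file paths inside it are constructed for illustration; the check assumes the export covers the Run, Services and SafeBoot branches.

```python
import re

# The registry locations named in the analysis, as `reg export` prints them.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook"
SAFEBOOT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)

# Constructed sample export (not a real capture): an infected host whose
# SafeBoot\Network key has already been deleted. Paths are illustrative.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drv_st_key"="C:\\Documents and Settings\\user\\Application Data\\hidn\\hidn2.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook]
"ImagePath"="C:\\Documents and Settings\\user\\Application Data\\hidn\\m_hook.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
"AlternateShell"="cmd.exe"
"""

def parse_reg_export(text):
    """Parse the .reg subset `reg export` emits: [key] headers followed by
    "name"="string" lines. Returns {key (lowercased): {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).lower()
            keys.setdefault(current, {})
            continue
        value = re.match(r'^"([^"]+)"="(.*)"$', line)
        if value and current is not None:
            # .reg doubles backslashes inside string data; undo that.
            keys[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return keys

def bagle_kj_findings(reg_text):
    """Check the three indicators: the drv_st_key Run value (and the path it
    launches), the m_hook service key, and which SafeBoot keys are absent.
    Assumes the export covers the Run, Services and SafeBoot branches."""
    keys = parse_reg_export(reg_text)
    return {
        "run_value": keys.get(RUN_KEY.lower(), {}).get("drv_st_key"),
        "service_present": SERVICE_KEY.lower() in keys,
        "missing_safeboot": [k.rsplit("\\", 1)[1] for k in SAFEBOOT_KEYS if k.lower() not in keys],
    }
```

A clean host yields no run value, no m_hook service and an empty missing_safeboot list; any other result is worth triage.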
