W32/Bagle-U

Please follow the instructions for removing worms.

Please follow the instructions for removing W32/Bagle-U.

W32/Bagle-U is a member of the W32/Bagle family of worms.

The worm starts the mshearts application on the system when active.

In order to run automatically when Windows starts up the worm copies itself to the file gigabit.exe in the Windows system folder and sets the following registry entry to point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gigabit.exe

W32/Bagle-U also creates the following registry entries:

HKCU\Software\Windows2004\gsed
HKCU\Software\Windows2004\fr1n

The worm listens on port 4751 and sends registration information containing this port number to a remote web site. This port can be used by a remote attacker to update the worm. The uploaded file will be dropped as a random EXE filename starting with the string 'bsud' into the Windows folder and executed. If the file was dropped successfully the original worm file will be deleted.

W32/Bagle-U scans all fixed drives recursively for WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files, extracts email addresses from them and sends itself as an attachment to the found addresses.

Email addresses belonging to the domains AVP and Microsoft are skipped.

The emails send by the worm have an empty subject line and no message text and the attachment file names are random strings with an EXE extension. The sender address is spoofed and choosen from the list of addresses found on the system.

After the end of 2004 the worm will remove itself from the system.