Sophos

W32/Bagle-V

Aliases
  • W32.Beagle.U@mm

Summary

Included in our products from May 2004 (3.81)
Protection available since 29 March 2004 07:48:29 (GMT)
Last updated 29 March 2004 08:05:17 (GMT)
Detected by All Sophos products

More Information

W32/Bagle-V is a member of the W32/Bagle family of worms.

When first run, the worm attempts to run an application called dreder.exe.

In order to run automatically when the user logs on to the computer, the worm copies itself to the file sysinfo.exe in the Windows system folder and creates the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysinfo.exe

W32/Bagle-V also creates the following registry entries:

HKCU\Software\Windows2005\gsed
HKCU\Software\Windows2005\fr1n

W32/Bagle-V scans all fixed drives recursively for files with extensions WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP, harvests email addresses from them and sends itself as an attachment to the addresses extracted. Email addresses belonging to the domains AVP and Microsoft are avoided.

The emails sent by the worm have an empty subject line and no message text. The attached file is called game.exe. The sender address is spoofed (chosen from addresses found on the system).

The worm listens on TCP port 4751 and sends registration information containing this port number to a remote web site. This port can be used by a remote attacker to update the worm. The uploaded file will be dropped as a random EXE filename starting with the string "bsud" into the Windows folder and executed. If the update is successful the original worm file is deleted.

After the end of 2004 the worm will remove itself from the system.
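As an added example (not part of the Sophos analysis), the host and mail indicators listed above turned into a small Python checker: the snapshot dict, its file names and the registry data values are constructed sample data, not captured from a real infection, and stand in for what winreg, os.listdir and netstat would return on a live Windows host.

```python
import re

# Indicators taken from the description above (registry paths, names, port).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKCU\Software\Windows2005"
MARKER_VALUES = ("gsed", "fr1n")
WORM_COPY = "sysinfo.exe"
UPDATE_DROP_RE = re.compile(r"^bsud\w*\.exe$", re.IGNORECASE)  # "bsud" + random name
LISTEN_PORT = 4751
MAIL_ATTACHMENT = "game.exe"


def check_host(snapshot):
    """Return the indicators present in a host snapshot (empty list means none).
    The dict stands in for winreg / os.listdir / netstat output on a live host."""
    findings = []
    reg = snapshot.get("registry", {})
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() == WORM_COPY or data.lower().endswith("\\" + WORM_COPY):
            findings.append(f"persistence: {RUN_KEY}\\{name} = {data}")
    for name in MARKER_VALUES:
        if name in reg.get(MARKER_KEY, {}):
            findings.append(f"marker: {MARKER_KEY}\\{name}")
    if any(f.lower() == WORM_COPY for f in snapshot.get("system_files", [])):
        findings.append(f"worm copy in Windows system folder: {WORM_COPY}")
    for f in snapshot.get("windows_files", []):
        if UPDATE_DROP_RE.match(f):
            findings.append(f"possible update payload in Windows folder: {f}")
    if LISTEN_PORT in snapshot.get("listening_tcp", []):
        findings.append(f"backdoor listener on TCP {LISTEN_PORT}")
    return findings


def is_bagle_v_mail(subject, body, attachments):
    """Match the outbound mail pattern: empty subject, empty body, game.exe attached."""
    return (subject.strip() == "" and body.strip() == ""
            and any(a.lower() == MAIL_ATTACHMENT for a in attachments))


# Constructed sample snapshot of an infected host (not real captured data).
INFECTED = {
    "registry": {
        RUN_KEY: {"sysinfo.exe": r"C:\WINDOWS\system32\sysinfo.exe"},
        MARKER_KEY: {"gsed": "1", "fr1n": "1"},
    },
    "system_files": ["kernel32.dll", "sysinfo.exe"],
    "windows_files": ["notepad.exe", "bsudk7q2.exe"],
    "listening_tcp": [135, 445, 4751],
}
```

Running check_host(INFECTED) reports six findings; a mail gateway rule built on is_bagle_v_mail only flags messages matching all three traits, so a legitimate message with a subject line is not caught.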
