W32/Bagle.AV@mm

• Detected by virus detection files published: 1/26/2005
• Virus characteristics first published: 1/26/2005
• Virus characteristics latest update: 11/28/2005
• Alias: W32/Bagle.bj@MM (NAI), W32.Beagle.AY@mm (Symantec), WORM_BAGLE.AY (Trend)
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista
• Type: Backdoor, Worm
• Spreading mechanism: Email, Network, Other
• Overall risk: Medium
• Payload: Terminates AV/Firewall processes. Attempts to download material.

Email characteristics:
  • Subject: Several possible
  • Body: Several possible
  • Attachment: One of the following names: wsd01, viupd02, siupd02, guupd02, zupd02, upd02, Jol03, with .exe, .scr, .com or .cpl extension.

When the worm is first run, it copies itself to the Windows System folder and sends mails containing itself as an attachment. It also copies itself to folders whose names contain the word "shar" (typically the shared folders of P2P clients), which lets it spread via many P2P networks. During installation it creates the following mutexes:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D.
 _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_.

File system changes:

Creates file <SYSDIR>\sysformat.exe
Creates file <SYSDIR>\sysformat.exeopen
Creates file <SYSDIR>\sysformat.exeopenopen

Drops files in "shar" folders:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

Registry changes:

Creates key HKCU\Software\Microsoft\Windows\CurrentVersion\Run sysformat = "<SYSDIR>\sysformat.exe"
Deletes key HKCU\Software\Microsoft\Windows\CurrentVersion\Run My AV
Deletes key HKLM\Software\Microsoft\Windows\CurrentVersion\Run My AV
Deletes key HKCU\Software\Microsoft\Windows\CurrentVersion\Run ICQ Net
Deletes key HKLM\Software\Microsoft\Windows\CurrentVersion\Run ICQ Net
Creates key HKCU\Software\Microsoft\Params "TimeKey"
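As an added host-triage example (not VirusFighter's own detection or removal tool), the file-system and registry indicators listed above turned into checks in Python. The checks run over a snapshot supplied by the operator (a dict of Run values, a listing of the system folder, and listings of candidate "shar" folders) so they work offline and on any platform; the function names, the snapshot layout and the sample data in the `__main__` block are this example's own assumptions, not data from a real infection. The Windows-only `collect_run_values_windows` helper uses the standard-library `winreg` module to feed a live HKCU Run key into the same check.

```python
import sys
from pathlib import PureWindowsPath

# Indicators copied from the description above. Function names and the
# snapshot-based layout are assumptions made for this example.
DROPPED_SYSTEM_FILES = {"sysformat.exe", "sysformat.exeopen", "sysformat.exeopenopen"}
RUN_VALUE_NAME = "sysformat"
P2P_DROP_NAMES = {name.lower() for name in (
    "1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe",
    "9.exe", "10.exe", "Ahead Nero 7.exe", "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe", "XXX hardcore images.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
)}


def check_run_values(run_values: dict) -> list:
    """run_values maps value name -> command string, as read from a
    ...\\CurrentVersion\\Run key (HKCU or HKLM). Flags the worm's value
    only when it actually launches sysformat.exe."""
    cmd = run_values.get(RUN_VALUE_NAME, "")
    exe = PureWindowsPath(cmd.strip().strip('"')).name.lower()
    if exe == "sysformat.exe":
        return [f"Run value {RUN_VALUE_NAME!r} launches {cmd}"]
    return []


def check_system_dir(filenames) -> list:
    """filenames: a directory listing of the Windows system folder (<SYSDIR>)."""
    hits = sorted(f for f in filenames if f.lower() in DROPPED_SYSTEM_FILES)
    return [f"dropped file present in system folder: {f}" for f in hits]


def check_share_folder(folder: str, filenames) -> list:
    """Only folders whose name contains 'shar' are drop targets for the P2P copies,
    so other folders are ignored even if a listed name appears in them."""
    if "shar" not in PureWindowsPath(folder).name.lower():
        return []
    hits = sorted(f for f in filenames if f.lower() in P2P_DROP_NAMES)
    return [f"P2P drop {f!r} in {folder}" for f in hits]


def assess_host(run_values: dict, system_dir_files, folders: dict) -> list:
    """Combine all checks over one host snapshot; an empty list means no indicator found."""
    findings = check_run_values(run_values) + check_system_dir(system_dir_files)
    for folder, files in folders.items():
        findings += check_share_folder(folder, files)
    return findings


def collect_run_values_windows() -> dict:
    """Live collector for the HKCU Run key (Windows only)."""
    import winreg  # standard library on Windows
    values = {}
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    # Constructed snapshot for demonstration, not data from a real infection.
    demo = assess_host(
        {"sysformat": r'"C:\WINDOWS\system32\sysformat.exe"'},
        ["sysformat.exe", "sysformat.exeopen", "notepad.exe"],
        {r"C:\Shared": ["ACDSee 9.exe", "readme.txt"], r"C:\Docs": ["1.exe"]},
    )
    print("\n".join(demo) or "no indicators found")
    if sys.platform == "win32":
        print(check_run_values(collect_run_values_windows()))
```

The deleted Run values ("My AV", "ICQ Net") are deliberately not treated as an indicator: their absence is the normal state on a clean host, so only positive artifacts (the added Run value, the dropped files, the P2P copies) are scored. On Windows the two mutex names above can be added as a further check via the Win32 OpenMutex API, which this snapshot-based example leaves out.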

Email spreading:

Subjects used:
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Mail body text used:
Thanks for use of our software
Before use read the help

Attachment name:
wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03
with .exe, .scr, .com or .cpl extension.

The worm searches local hard disks for files with the following extensions:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

It examines these files for email addresses. It will avoid email addresses belonging to known AV companies and a few other organizations.
