Bagz.F will delete any registry entries whose values contain a reference to any string on a long list of file names.
The worm also overwrites the hosts file, blocking access to a list of domains.
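A hosts file that has been overwritten in this way can be audited by parsing it and flagging every static mapping for a domain the machine needs for security or operating-system updates. The following is an added example, not part of the original description; the watchlist domains, the sample file contents and the function names are constructed placeholders, and treating loopback or unspecified addresses as a "sinkhole" is an assumption, since the description does not say which address the worm writes.

```python
import ipaddress

# Assumption: placeholder domains standing in for the update and vendor
# sites the defender depends on. Replace with your own list.
WATCHLIST = {"update.av-vendor.example", "os-updates.example"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        for name in fields[1:]:  # one line may carry several aliases
            yield line_no, addr, name.lower().rstrip(".")

def is_watched(name, watchlist=WATCHLIST):
    """True for a watched domain or any subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in watchlist)

def find_overrides(text, watchlist=WATCHLIST):
    """Return (line_no, hostname, address, sinkholed) for watched names.

    Any hosts entry for a watched name overrides DNS and deserves review;
    sinkholed is True when the address is loopback or unspecified, which
    makes the site unreachable.
    """
    hits = []
    for line_no, addr, name in parse_hosts(text):
        if is_watched(name, watchlist):
            sinkholed = addr.is_loopback or addr.is_unspecified
            hits.append((line_no, name, str(addr), sinkholed))
    return hits

# Constructed sample input, not taken from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 update.av-vendor.example www.update.av-vendor.example
0.0.0.0   OS-Updates.example   # trailing comment
203.0.113.5 portal.os-updates.example
192.0.2.10 intranet.example
# 127.0.0.1 os-updates.example
"""

if __name__ == "__main__":
    for hit in find_overrides(SAMPLE_HOSTS):
        print(hit)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a clean default install contains no entries for external domains, so any hit warrants investigation.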