W32/Bagle.do@MM

Type: Virus
SubType: E-mail
Discovery Date: 02/03/2006
Length:
Minimum DAT: 4659 (12/26/2005)
Updated DAT: 4782 (06/12/2006)
Minimum Engine: 5.1.00
Description Added: 02/03/2006
Description Modified: 02/04/2006 4:12 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This threat is proactively detected as W32/Bagle.gen with the 4659 DAT files, or newer.

W32/Bagle.do@MM is a downloader trojan and mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it harvests on the infected computer. It also contains backdoor functionality that allows unauthorized remote access.

The executable uses the icon of a text file and, when run, opens Notepad so that the user believes an empty text document was opened.

It creates a copy of itself in the Windows system directory:

%Windir%\%SYSDIR%\sysformat.exe

Adds the following registry value so that the copy runs automatically when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"sysformat" = "%Windir%\%SYSDIR%\sysformat.exe"

Adds the following registry value as a marker that the system is already infected:

HKEY_CURRENT_USER\Software\Microsoft\Params
"FirstRun" = "01"

Sets the following registry value to disable the Windows XP Internet Connection Firewall/Internet Connection Sharing service (SharedAccess); a Start value of 4 means the service is disabled:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = "4"

Attempts to delete the following registry values (autostart entries used by NETSKY variants):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"My AV"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"My AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"ICQ Net"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"ICQ Net"
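The registry changes above are the quickest host-side indicators to check. The following Python script is an added example and not part of the AVERT description: it reads the three locations (on Windows, through the standard winreg module) and reports the sysformat autostart entry, the Params\FirstRun marker and a SharedAccess Start value of 4 (SERVICE_DISABLED). The evaluation is kept in a pure function so it can be exercised on a constructed snapshot; the snapshot values below are made up for illustration. Caveat: Start=4 on SharedAccess is also what you see when an administrator has deliberately disabled Internet Connection Sharing/Windows Firewall, so treat it as corroborating evidence rather than proof on its own.

```python
"""Registry triage for the W32/Bagle.do@MM indicators listed above (added example)."""
import sys

# Locations taken from the description; the value data is compared loosely
# because %Windir%\%SYSDIR% expands differently from host to host.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"Software\Microsoft\Params"
SHAREDACCESS_KEY = r"SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4  # meaning of Start=4 in the service control manager


def evaluate(run_values, marker_values, sharedaccess_start):
    """Return a list of findings for snapshots of the three registry locations.

    run_values / marker_values: dict mapping value name -> value data.
    sharedaccess_start: integer Start value of the SharedAccess service, or None.
    """
    findings = []
    for name, data in run_values.items():
        if name.lower() == "sysformat" or str(data).lower().endswith("sysformat.exe"):
            findings.append(f"autostart entry {name!r} -> {data}")
    if "FirstRun" in marker_values:
        findings.append(f"infection marker Params\\FirstRun = {marker_values['FirstRun']!r}")
    if sharedaccess_start == SERVICE_DISABLED:
        findings.append("SharedAccess (Windows Firewall/ICS) service Start=4 (disabled)")
    return findings


def collect_live():
    """Read the three locations from the live registry; Windows only."""
    import winreg  # ImportError on non-Windows platforms

    def read_values(root, path):
        values = {}
        try:
            with winreg.OpenKey(root, path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    values[name] = data
                    index += 1
        except OSError:  # key absent or access denied
            pass
        return values

    run = read_values(winreg.HKEY_CURRENT_USER, RUN_KEY)
    marker = read_values(winreg.HKEY_CURRENT_USER, MARKER_KEY)
    start = read_values(winreg.HKEY_LOCAL_MACHINE, SHAREDACCESS_KEY).get("Start")
    return evaluate(run, marker, start)


if __name__ == "__main__":
    if sys.platform == "win32":
        print("\n".join(collect_live()) or "no Bagle.do registry indicators found")
    else:
        # Constructed snapshot of an infected host, used off Windows for demonstration.
        demo = evaluate(
            {"sysformat": r"C:\WINDOWS\system32\sysformat.exe",
             "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
            {"FirstRun": "01"},
            4,
        )
        print("\n".join(demo))
```

On a suspect host, run it as the user whose profile is in question: the Run and Params locations are under HKEY_CURRENT_USER, so an infection in another user's hive will not show up unless that hive is loaded.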

Attempts to terminate the following security-product processes and to prevent them from running when Windows starts:

mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
ccProxy.exe
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe

Overwrites the HOSTS file with the entries below, mapping antivirus vendor, security and Microsoft update hostnames (along with a few advertising hosts) to 127.0.0.1 so that they can no longer be reached from the infected machine:

127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www3.ca.com
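Because every sinkhole entry points a real hostname at 127.0.0.1, the tampering is easy to spot mechanically: any loopback entry whose name is not a localhost alias is suspect. The Python below is an added example, not AVERT's tooling, and works on a constructed HOSTS snippet; on a real host read %SystemRoot%\System32\drivers\etc\hosts instead.

```python
"""Find and undo HOSTS-file sinkholing of the kind described above (added example)."""
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample resembling a tampered HOSTS file; not a capture from a real host.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com
127.0.0.1 windowsupdate.microsoft.com
10.0.0.5  intranet.example.test   # legitimate administrator override
"""


def parse_hosts(text):
    """Yield (address, [names], raw_line) for each non-comment, non-empty entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:], raw


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr) in LOOPBACK
    except ValueError:  # not an IP literal; leave such lines alone
        return False


def sinkholed_names(text):
    """Names mapped into 127/8 that are not the normal localhost aliases."""
    hits = []
    for addr, names, _ in parse_hosts(text):
        if _is_loopback(addr):
            hits.extend(n for n in names if n.lower() not in LOCAL_NAMES)
    return hits


def clean_hosts(text):
    """Return the file with sinkhole lines removed; comments and other entries are kept."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            if _is_loopback(addr) and any(n.lower() not in LOCAL_NAMES for n in names):
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("sinkholed:", sinkholed_names(SAMPLE_HOSTS))
    print(clean_hosts(SAMPLE_HOSTS))
```

Removing only the loopback lines, rather than blanking the file, keeps administrator-maintained overrides such as the intranet entry in the sample; after cleaning, flush the DNS resolver cache so the stale loopback answers are not served from memory.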

Attempts to download a file named "q.jpg" from the following URLs:

http://www.cnsrvr.com[Removed]/q.jpg
http://www.casinofunnights.com[Removed]/q.jpg
http://www.ec.cox-wacotrib.com[Removed]/q.jpg
http://www.crazyiron.ru[Removed]/q.jpg
http://www.uni-esma.de[Removed]/q.jpg
http://www.sorisem.net[Removed]/q.jpg
http://www.varc.lv[Removed]/q.jpg
http://www.belwue.de[Removed]/q.jpg
http://www.thetildegroup.com[Removed]/q.jpg
http://www.vybercz.cz[Removed]/q.jpg
http://www.kyno.cz[Removed]/q.jpg
http://www.forumgestionvilles.com[Removed]/q.jpg
http://www.campus-and-more.com[Removed]/q.jpg
http://www.capitalforex.com[Removed]/q.jpg
http://www.capitalspreadspromo.com[Removed]/q.jpg
http://www.prineus.de[Removed]/q.jpg
http://www.databoots.de[Removed]/q.jpg
http://www.steintrade.net[Removed]/q.jpg
http://www.njzt.net[Removed]/q.jpg
http://www.emarrynet.com[Removed]/q.jpg
http://www.zebrachina.net[Removed]/q.jpg
http://www.lxlight.com[Removed]/q.jpg
http://www.yili-lighting.com[Removed]/q.jpg
http://www.fachman.com[Removed]/q.jpg
http://www.q-serwer.net[Removed]/q.jpg
http://www.wellness-i.com[Removed]/q.jpg
http://www.newportsystemsusa.com[Removed]/q.jpg
http://www.westcoastcadd.com[Removed]/q.jpg
http://www.wing49.cz[Removed]/q.jpg
http://www.posteffects.com[Removed]/q.jpg
http://www.provax.sk[Removed]/q.jpg
http://www.casinobrillen.de[Removed]/q.jpg
http://www.duodaydream.nl[Removed]/q.jpg
http://www.finlaw.ru[Removed]/q.jpg
http://www.fitdina.com[Removed]/q.jpg
http://www.flashcardplayer.com[Removed]/q.jpg
http://www.flox-avant.ru[Removed]/q.jpg
http://www.lotslink.com[Removed]/q.jpg
http://www.algor.com[Removed]/q.jpg
http://www.gaspekas.com[Removed]/q.jpg
http://www.ezybidz.com[Removed]/q.jpg
http://www.genesisfinancialonline.com[Removed]/q.jpg
http://www.georg-kuenzle.ch[Removed]/q.jpg
http://www.girardelli.com[Removed]/q.jpg
http://www.rodoslovia.ru[Removed]/q.jpg
http://www.golden-gross.ru[Removed]/q.jpg
http://www.gregoryolson.com[Removed]/q.jpg
http://www.gtechna.com[Removed]/q.jpg
http://www.lunardi.com[Removed]/q.jpg
http://www.sgmisburg.de[Removed]/q.jpg
http://www.harmony-farms.net[Removed]/q.jpg
http://www.hftmusic.com[Removed]/q.jpg
http://www.hiwmreport.com[Removed]/q.jpg
http://www.horizonimagingllc.com[Removed]/q.jpg
http://www.hotelbus.de[Removed]/q.jpg
http://www.howiwinmoney.com[Removed]/q.jpg
http://www.ietcn.com[Removed]/q.jpg
http://www.import-world.com[Removed]/q.jpg
http://www.houstonzoo.org[Removed]/q.jpg
http://www.interorient.ru[Removed]/q.jpg
http://www.internalcardreaders.com[Removed]/q.jpg
http://www.interstrom.ru[Removed]/q.jpg
http://www.iutoledo.org[Removed]/q.jpg
http://www.wena.net[Removed]/q.jpg
http://www.iesgrantarajal.org[Removed]/q.jpg
http://www.alexandriaradiology.com[Removed]/q.jpg
http://www.booksbyhunter.com[Removed]/q.jpg
http://www.wxcsxy.com[Removed]/q.jpg
http://www.coupdepinceau.com[Removed]/q.jpg
http://www.erotologist.com[Removed]/q.jpg
http://www.jackstitt.com[Removed]/q.jpg
http://www.imspress.com[Removed]/q.jpg
http://www.digitalefoto.net[Removed]/q.jpg
http://www.josemarimuro.com[Removed]/q.jpg
http://www.eversetic.com[Removed]/q.jpg
http://www.curious.be[Removed]/q.jpg
http://www.kameo-bijux.ru[Removed]/q.jpg
http://www.karrad6000.ru[Removed]/q.jpg
http://www.kaztransformator.kz[Removed]/q.jpg
http://www.keywordthief.com[Removed]/q.jpg

NOTE: At the time of writing this description, AVERT could not observe any file being downloaded; the file may have been moved or deleted at the remote sites.

Symptoms

Propagation via Mail:

The worm reads files with the following extensions in order to harvest email addresses from the infected system:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

Mail body:

Constructs an email message with the following characteristics:

From: [SPOOFED]

Subject and message body (one of the following):

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help

Attachment:

wsd01.zip
viupd02.zip
siupd02.zip
guupd02.zip
zupd02.zip
upd02.zip
Jol03.zip

The .ZIP attachment contains a copy of this worm and a garbage text file.

The worm does not send itself to addresses which contain any of the following strings:

@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
@avp.
noreply
local
root@
postmaster@
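The exclusion list is plain substring matching on the recipient address, which is why abuse@, postmaster@ and anything containing admin, samples or a vendor name never receives a copy: the worm avoids mailboxes likely to belong to vendors and incident responders. The Python below is an added example reconstructed from the list above, not code from the worm or from AVERT, and applies the filter to a few constructed addresses; case-insensitive comparison is an assumption, since the description does not say how the match is done. The practical consequence for defenders is that a mail honeypot or sample-collection mailbox whose local part or domain contains any of these strings will never see this family.

```python
"""Recipient filter of W32/Bagle.do@MM, reconstructed from the string list above (added example)."""

# Exclusion strings exactly as listed in the description.
SKIP_SUBSTRINGS = [
    "@microsoft", "rating@", "f-secur", "news", "update", "anyone@", "bugs@",
    "contract@", "feste", "gold-certs@", "help@", "info@", "nobody@", "noone@",
    "kasp", "admin", "icrosoft", "support", "ntivi", "unix", "linux", "listserv",
    "certific", "sopho", "@foo", "@iana", "free-av", "@messagelab", "winzip",
    "google", "winrar", "samples", "abuse", "panda", "cafee", "spam", "@avp.",
    "noreply", "local", "root@", "postmaster@",
]


def skip_reason(address):
    """Return the first exclusion string found in the address, or None if it would be mailed.

    Case-insensitive matching is an assumption; the description only gives the strings.
    """
    lowered = address.lower()
    return next((s for s in SKIP_SUBSTRINGS if s in lowered), None)


def partition(addresses):
    """Split harvested addresses into those the worm would mail and those it skips (with reason)."""
    targeted, skipped = [], {}
    for addr in addresses:
        reason = skip_reason(addr)
        if reason is None:
            targeted.append(addr)
        else:
            skipped[addr] = reason
    return targeted, skipped


# Constructed addresses for demonstration; none of these are real mailboxes.
HARVESTED = [
    "jane.doe@example.com",        # mailed
    "abuse@example.com",           # skipped: abuse
    "sysadmin.jones@example.org",  # skipped: admin (substring, not whole local part)
    "AntiVirus-Lab@Example.com",   # skipped: ntivi
    "bob@localhost",               # skipped: local
    "sales@example.net",           # mailed
]

if __name__ == "__main__":
    targeted, skipped = partition(HARVESTED)
    print("would be mailed:", targeted)
    for addr, reason in skipped.items():
        print(f"skipped {addr}: matched {reason!r}")
```

Note how aggressive substring matching is: "sysadmin.jones" is excluded by "admin", and any domain containing "news" or "update" is excluded wholesale, so ordinary users at such domains are spared by accident rather than design.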

Propagation via Peer-to-Peer Networks:

This worm also propagates by dropping a copy of itself in folders that contain the string "shar" in their names. It uses the following file names for its dropped copy:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The worm also creates the following mutexes, which NETSKY variants check for on startup, so that those variants will not run on the same machine:

_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

Method of Infection

W32/Bagle.do@MM was mass spammed on February 02, 2006. 

Removal

The latest DATs together with the engine detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly for files received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Beagle.DM@mm (Symantec)
  • W32/Bagle.GR.worm (Panda)
  • Win32/Bagle.EZ (ESET)
