W32/Bagle.fb@MM

Content

W32/Bagle.fb@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 06/20/2006
Length: Varies
Minimum DAT: 4789 (06/20/2006)
Updated DAT: 5301 (05/22/2008)
Minimum Engine: 5.1.00
Description Added: 06/20/2006
Description Modified: 06/21/2006 9:16 AM (PT)

Risk Assessment

Corporate User: Low-Profiled
Home User: Low-Profiled

Tab Navigation

Characteristics

- Update 6/20/2006 -
This Bagle variant has been discovered in packed and never-packed forms today. The never-packed version is proactively detected as W32/Bagle.dldr

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
attachment is a password-protected zip file, with the password included in the message body.
disables security applications
drops a rootkit

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

Ales
Alice
Alyce
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anna
Anne
Annes
Anthonie
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
I love you
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybyll
Syndony
Thomas
To the beloved
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

Body Text:

The password is
Password --
Use password
Password is
Zip password:
archive password:
Password -
Password:

These are all followed by the image from the included GIF file.

It may also include one of the following two additional phrases, before the password:

To the beloved
I love you

Attachment: (will contain a randomly named EXE and GIF file)

Ales.zip
Alice.zip
Alyce.zip
Andrew.zip
Androw.zip
Androwe.zip
Ann.zip
Anna.zip
Anne.zip
Annes.zip
Anthonie.zip
Anthony.zip
Anthonye.zip
Avice.zip
Avis.zip
Avis.zip
Bennet.zip
Bennett.zip
Christean.zip
Christian.zip
Constance.zip
Cybil.zip
Daniel.zip
Danyell.zip
Dorithie.zip
Dorothee.zip
Dorothy.zip
Edmond.zip
Edmonde.zip
Edmund.zip
Edward.zip
Edwarde.zip
Elizabeth.zip
Elizabethe.zip
Ellen.zip
Ellyn.zip
Emanual.zip
Emanuel.zip
Emanuell.zip
Ester.zip
Frances.zip
Francis.zip
Fraunces.zip
Gabriell.zip
Geoffraie.zip
George.zip
Grace.zip
Harry.zip
Harrye.zip
Henrie.zip
Henry.zip
Henrye.zip
Hughe.zip
Humphrey.zip
Humphrie.zip
Isabel.zip
Isabell.zip
James.zip
Jane.zip
Jeames.zip
Jeffrey.zip
Jeffrye.zip
Joane.zip
Johen.zip
John.zip
Josias.zip
Judeth.zip
Judith.zip
Judithe.zip
Katherine.zip
Katheryne.zip
Leonard.zip
Leonarde.zip
Margaret.zip
Margarett.zip
Margerie.zip
Margerye.zip
Margret.zip
Margrett.zip
Marie.zip
Martha.zip
Mary.zip
Marye.zip
Michael.zip
Mychaell.zip
Nathaniel.zip
Nathaniell.zip
Nathanyell.zip
Nicholas.zip
Nicholaus.zip
Nycholas.zip
Peter.zip
Ralph.zip
Rebecka.zip
Richard.zip
Richarde.zip
Robert.zip
Roberte.zip
Roger.zip
Rose.zip
Rycharde.zip
Samuell.zip
Sara.zip
Sidney.zip
Sindony.zip
Stephen.zip
Susan.zip
Susanna.zip
Suzanna.zip
Sybell.zip
Sybyll.zip
Syndony.zip
Thomas.zip
Valentyne.zip
William.zip
Winifred.zip
Wynefrede.zip
Wynefreed.zip
Wynnefreede.zip

The virus copies itself as HIDN.EXE to the following directory:

C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

It also creates a rootkit to hide directories (and all files within them) which contain the word shared:

C:\Documents and Settings\%User%\Application Data\hidn\m_hook.sys ( 15360 bytes )

It also creates a copy of its ZIP file locally, and a fake error message:

C:\temp.zip
C:\error.gif

The error message appears as follows

A registry key is created to run itself again upon system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\Run "drv_st_key" = C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

Additionally, the following Registry keys are added:

HKEY_CURRENT_USER\Software\firstruxzx\firstrun="1"

It deletes the following registry entry, to disable Safe Boot:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot

This worm attempts to terminate services of security programs with the the following filenames:

wuauserv
Aavmker4
ABVPN2K
ADBLOCK.DLL
ADFirewall
AFWMCL
Ahnlab task Scheduler
alerter
AlertManger
AntiVir Service
AntiyFirewall
ARP.DLL
aswMon2
aswRdr
aswTdi
aswUpdSv
Ati HotKey Poller
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
AVEService
AVExch32Service
AvFlt
Avg7Alrt
Avg7Core
Avg7RsW
Avg7RsXP
Avg7UpdSvc
AvgCore
AvgFsh
AVGFwSrv
AvgFwSvr
AvgServ
AvgTdi
AVIRAMailService
AVIRAService
avpcc
AVUPDService
AVWUpSrv
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822
Bdfndisf
bdftdif
bdss
BlackICE
BsFileSpy
BsFirewall
BsMailProxy
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
CONTENT.DLL
DefWatch
DNSCACHE.DLL
drwebnet
dvpapi
dvpinit
ewido security suite control
ewido security suite driver
ewido security suite guard
F-Prot Antivirus Update Monitor
F-Secure Gatekeeper Handler Starter
firewall
fsbwsys
FSDFWD
FSFW
FSMA
FTPFILT.DLL
FwcAgent
fwdrv
Guard NT
HSnSFW
HSnSPro
HTMLFILT.DLL
HTTPFILT.DLL
IMAPFILT.DLL
InoRPC
InoRT
InoTask
Ip6Fw
Ip6FwHlp
KAVMonitorService
KAVSvc
KLBLMain
KPfwSvc
KWatch3
KWatchSvc
MAILFILT.DLL
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
Microsoft NetWork FireWall Services
MonSvcNT
MpfService
navapsvc
Ndisuio
NDIS_RD
Network Associates Log Service
nipsvc
NISSERV
NISUM
NNTPFILT.DLL
NOD32ControlCenter
NOD32krn
NOD32Service
Norman NJeeves
Norman Type-R
Norman ZANDA
Norton AntiVirus Server
NPDriver
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
OfcPfwSvc
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVAGENTE
PavAtScheduler
PAVDRV
PAVFIRES
PAVFNSVR
Pavkre
PavProc
PavProt
PavPrSrv
PavReport
PAVSRV
PCCPFW
PCC_PFW
PersFW
Personal Firewall
POP3FILT.DLL
PREVSRV
PROTECT.DLL
PSIMSVC
qhwscsvc
wscsvc
Quick Heal Online Protection
ravmon8
RfwService
SAVFMSE
SAVScan
SBService
schscnt
SECRET.DLL
SharedAccess
SmcService
SNDSrvc
SPBBCSvc
SpiderNT
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
The_Hacker_Antivirus
Tmntsrv
TmPfw
tmproxy
tmtdi
tm_cfw
T_H_S_M
V3MonNT
V3MonSvc
Vba32ECM
Vba32ifs
Vba32Ldr
Vba32PP3
VBCompManService
VexiraAntivirus
VFILT
VisNetic AntiVirus Plug-in
vrfwsvc
vsmon
VSSERV
WinAntivirus
WinRoute
wuauserv
xcomm

The worm uses the following list to stop running processes:

a2guard.exe
aavshield.exe
AckWin32.exe
ADVCHK.EXE
AhnSD.exe
airdefense.exe
ALERTSVC.EXE
ALMon.exe
ALOGSERV.EXE
ALsvc.exe
amon.exe
Anti-Trojan.exe
AntiVirScheduler
AntiVirService
ANTS.EXE
APVXDWIN.EXE
Armor2net.exe
ashAvast.exe
ashDisp.exe
ashEnhcd.exe
ashMaiSv.exe
ashPopWz.exe
ashServ.exe
ashSimpl.exe
ashSkPck.exe
ashWebSv.exe
aswUpdSv.exe
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
avciman.exe
Avconsol.exe
AVENGINE.EXE
avgamsvr.exe
avgcc.exe
AVGCC32.EXE
AVGCTRL.EXE
avgemc.exe
avgfwsrv.exe
AVGNT.EXE
avgntdd
avgntmgr
AVGSERV.EXE
AVGUARD.EXE
avgupsvc.exe
avinitnt.exe
AvkServ.exe
AVKService.exe
AVKWCtl.exe
AVP.EXE
AVP32.EXE
avpcc.exe
avpm.exe
AVPUPD.EXE
AVSCHED32.EXE
avsynmgr.exe
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
BackWeb-4476822.exe
bdmcon.exe
bdnews.exe
bdoesrv.exe
bdss.exe
bdsubmit.exe
bdswitch.exe
blackd.exe
blackice.exe
cafix.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccSetMgr.exe
CFIAUDIT.EXE
ClamTray.exe
ClamWin.exe
Claw95.exe
Claw95cf.exe
cleaner.exe
cleaner3.exe
CliSvc.exe
CMGrdian.exe
cpd.exe
DefWatch.exe
DOORS.EXE
DrVirus.exe
drwadins.exe
drweb32w.exe
drwebscd.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
ewidoctrl.exe
EzAntivirusRegistrationCheck.exe
F-AGNT95.EXE
F-PROT95.EXE
F-Sched.exe
F-StopW.EXE
FAMEH32.EXE
FAST.EXE
FCH32.EXE
FireSvc.exe
FireTray.exe
FIREWALL.EXE
fpavupdm.exe
freshclam.exe
FRW.EXE
fsav32.exe
fsavgui.exe
fsbwsys.exe
fsdfwd.exe
FSGK32.EXE
fsgk32st.exe
fsguiexe.exe
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
fspex.exe
fssm32.exe
gcasDtServ.exe
gcasServ.exe
GIANTAntiSpywareMain.exe
GIANTAntiSpywareUpdater.exe
GUARD.EXE
GUARDGUI.EXE
GuardNT.exe
HRegMon.exe
Hrres.exe
HSockPE.exe
HUpdate.EXE
iamapp.exe
iamserv.exe
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
INETUPD.EXE
InocIT.exe
InoRpc.exe
InoRT.exe
InoTask.exe
InoUpTNG.exe
IOMON98.EXE
isafe.exe
ISATRAY.EXE
ISRV95.EXE
ISSVC.exe
JEDI.EXE
KAV.exe
kavmm.exe
KAVPF.exe
KavPFW.exe
KAVStart.exe
KAVSvc.exe
KAVSvcUI.EXE
KMailMon.EXE
KPfwSvc.EXE
KWatch.EXE
livesrv.exe
LOCKDOWN2000.EXE
LogWatNT.exe
lpfw.exe
LUALL.EXE
LUCOMSERVER.EXE
Luupdate.exe
MCAGENT.EXE
mcmnhdlr.exe
mcregwiz.exe
Mcshield.exe
MCUPDATE.EXE
mcvsshld.exe
MINILOG.EXE
MONITOR.EXE
MonSysNT.exe
MOOLIVE.EXE
MpEng.exe
mpssvc.exe
MSMPSVC.exe
myAgtSvc.exe
myagttry.exe
navapsvc.exe
NAVAPW32.EXE
NavLu32.exe
NAVW32.EXE
NDD32.EXE
NeoWatchLog.exe
NeoWatchTray.exe
NISSERV
NISUM.EXE
NMAIN.EXE
nod32.exe
nod32krn.exe
nod32kui.exe
NORMIST.EXE
notstart.exe
npavtray.exe
NPFMNTOR.EXE
npfmsg.exe
NPROTECT.EXE
NSCHED32.EXE
NSMdtr.exe
NssServ.exe
NssTray.exe
ntrtscan.exe
NTXconfig.exe
NUPGRADE.EXE
NVC95.EXE
Nvcod.exe
Nvcte.exe
Nvcut.exe
NWService.exe
OfcPfwSvc.exe
OUTPOST.EXE
PAV.EXE
PavFires.exe
PavFnSvr.exe
Pavkre.exe
PavProt.exe
pavProxy.exe
pavprsrv.exe
pavsrv51.exe
PAVSS.EXE
pccguide.exe
PCCIOMON.EXE
pccntmon.exe
PCCPFW.exe
PcCtlCom.exe
PCTAV.exe
PERSFW.EXE
pertsk.exe
PERVAC.EXE
PNMSRV.EXE
POP3TRAP.EXE
POPROXY.EXE
prevsrv.exe
PsImSvc.exe
QHM32.EXE
QHONLINE.EXE
QHONSVC.EXE
QHPF.EXE
qhwscsvc.exe
RavMon.exe
RavTimer.exe
Realmon.exe
REALMON95.EXE
Rescue.exe
rfwmain.exe
Rtvscan.exe
RTVSCN95.EXE
RuLaunch.exe
SAVAdminService.exe
SAVMain.exe
savprogress.exe
SAVScan.exe
SCAN32.EXE
ScanningProcess.exe
sched.exe
sdhelp.exe
SERVIC~1.EXE
SHSTAT.EXE
SiteCli.exe
smc.exe
SNDSrvc.exe
SPBBCSvc.exe
SPHINX.EXE
spiderml.exe
spidernt.exe
Spiderui.exe
SpybotSD.exe
SPYXX.EXE
SS3EDIT.EXE
stopsignav.exe
swAgent.exe
swdoctor.exe
SWNETSUP.EXE
symlcsvc.exe
SymProxySvc.exe
SymSPort.exe
SymWSC.exe
SYNMGR.EXE
TAUMON.EXE
TBMon.exe
TC.EXE
tca.exe
TCM.EXE
TDS-3.EXE
TeaTimer.exe
TFAK.EXE
THAV.EXE
THSM.EXE
Tmas.exe
tmlisten.exe
Tmntsrv.exe
TmPfw.exe
tmproxy.exe
TNBUtil.exe
TRJSCAN.EXE
Up2Date.exe
UPDATE.EXE
UpdaterUI.exe
upgrepl.exe
Vba32ECM.exe
Vba32ifs.exe
vba32ldr.exe
Vba32PP3.exe
VBSNTW.exe
vchk.exe
vcrmon.exe
VetTray.exe
VirusKeeper.exe
VPTRAY.EXE
vrfwsvc.exe
VRMONNT.EXE
vrmonsvc.exe
vrrw32.exe
VSECOMR.EXE
Vshwin32.exe
vsmon.exe
vsserv.exe
VsStat.exe
WATCHDOG.EXE
WebProxy.exe
Webscanx.exe
WEBTRAP.EXE
WGFE95.EXE
Winaw32.exe
winroute.exe
winss.exe
winssnotify.exe
WRADMIN.EXE
WRCTRL.EXE
xcommsvr.exe
zatutor.exe
ZAUINST.EXE
zlclient.exe
zonealarm.exe
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE

It also prevents the following list of files from running:

filtnt.sys
guardnt.sys
zonealarm.exe
zlclient.exe
zatutor.exe
VsStat.exe
Vshwin32.exe
Vba32PP3.exe
vba32ldr.exe
Vba32ifs.exe
Vba32ECM.exe
upgrepl.exe
Up2Date.exe
tmproxy.exe
TmPfw.exe
Tmntsrv.exe
symlcsvc.exe
spiderml.exe
SPBBCSvc.exe
SNDSrvc.exe
RuLaunch.exe
regedt32.exe
regedit.exe
Realmon.exe
QHPF.EXE
PcCtlCom.exe
pccguide.exe
outpost.exe
Nvcut.exe
Nvcte.exe
Nvcod.exe
npfmsg.exe
NPFMNTOR.EXE
nod32kui.exe
nod32.exe
NAVAPSVC.EXE
Mcshield.exe
Luupdate.exe
LUALL.EXE
KAVPF.exe
kavmm.exe
KAV.exe
isafe.exe
InoUpTNG.exe
InocIT.exe
INETUPD.EXE
GuardNT.exe
GUARDGUI.EXE
freshclam.exe
drwebupw.exe
drwebscd.exe
drweb32w.exe
drwadins.exe
CMGrdian.exe
ClamWin.exe
ClamTray.exe
CCSETMGR.EXE
CCEVTMGR.EXE
ccApp.exe
cafix.exe
bdswitch.exe
bdsubmit.exe
bdnews.exe
bdmcon.exe
AVWUPD32.EXE
Avsynmgr.exe
AVSCHED32.EXE
AVGNT.EXE
avgemc.exe
avgcc.exe
Avconsol.exe
AUPDATE.EXE
ashWebSv.exe
ashSkPck.exe
ashSimpl.exe
ashPopWz.exe
ashEnhcd.exe
ashDisp.exe
ashAvast.exe
kavsvc.exe
bdmcon.exe
vsserv.exe
bdnews.exe
livesrv.exe
mcupdate.exe
frameworkservice.exe
upgrader.exe
apvxdwin.exe
LuComServer_2_5.EXE
lucomserver_2_6.exe
drwebupw.exe
nod32krn.exe

Symptoms

Outgoing messages matching the described characteristics

Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

Email Adress Harvesting Component

Email addresses harvested from infected machines are uploaded to a page at the following sites.

http://www.titanmotors.com/images/1/
http://veranmaisala.com/1/
http://wklight.nazwa.pl/1/
http://yongsan24.co.kr/1/
http://accesible.cl/1/
http://hotelesalba.com/1/
http://amdlady.com/1/
http://inca.dnetsolution.net/1/
http://www.auraura.com/1/
http://avataresgratis.com/1/
http://beyoglu.com.tr/1/
http://brandshock.com/1/
http://www.buydigital.co.kr/1/
http://camaramafra.sc.gov.br/1/
http://camposequipamentos.com.br/1/
http://cbradio.sos.pl/1/
http://c-d-c.com.au/1/
http://www.klanpl.com/1/
http://coparefrescos.stantonstreetgroup.com/1/
http://creainspire.com/1/
http://desenjoi.com.br/1/
http://www.inprofile.gr/1/
http://www.diem.cl/1/
http://www.discotecapuzzle.com/1/

It also tries to download a file from the following list of sites:

http://ujscie.one.pl/
http://1point2.iae.nl/
http://appaloosa.no/
http://apromed.com/
http://arborfolia.com/
http://pawlacz.com/
http://areal-realt.ru/
http://bitel.ru/
http://yetii.no-ip.com/
http://art4u1.superhost.pl/
http://www.artbed.pl/
http://art-bizar.foxnet.pl/
http://www.jonogueira.com/
http://asdesign.cz/
http://ftp-dom.earthlink.net/
http://www.aureaorodeley.com/
http://www.autoekb.ru/
http://www.autovorota.ru/
http://avenue.ee/
http://www.avinpharma.ru/
http://ouarzazateservices.com/
http://stats-adf.altadis.com/
http://bartex-cit.com.pl/
http://bazarbekr.sk/
http://gnu.univ.gda.pl/
http://bid-usa.com/
http://biliskov.com/
http://biomedpel.cz/
http://blackbull.cz/
http://bohuminsko.cz/
http://bonsai-world.com.au/
http://bpsbillboards.com/
http://cadinformatics.com/
http://canecaecia.com/
http://www.castnetnultimedia.com/
http://compucel.com/
http://continentalcarbonindia.com/
http://ceramax.co.kr/
http://prime.gushi.org/
http://www.chapisteriadaniel.com/
http://charlesspaans.com/
http://chatsk.wz.cz/
http://www.chittychat.com/
http://checkalertusa.com/
http://cibernegocios.com.ar/
http://5050clothing.com/
http://cof666.shockonline.net/
http://comaxtechnologies.net/
http://concellodesandias.com/
http://www.cort.ru/
http://donchef.com/
http://www.crfj.com/
http://kremz.ru/
http://dev.jintek.com/
http://foxvcoin.com/
http://uwua132.org/
http://v-v-kopretiny.ic.cz/
http://erich-kaestner-schule-donaueschingen.de/
http://vanvakfi.com/
http://axelero.hu/
http://kisalfold.com/
http://vega-sps.com/
http://vidus.ru/
http://viralstrategies.com/
http://svatba.viskot.cz/
http://Vivamodelhobby.com/
http://vkinfotech.com/
http://vytukas.com/
http://waisenhaus-kenya.ch/
http://watsrisuphan.org/
http://www.ag.ohio-state.edu/
http://wbecanada.com/
http://calamarco.com/
http://vproinc.com/
http://grupdogus.de/
http://knickimbit.de/
http://dogoodesign.ch/
http://systemforex.de/
http://zebrachina.net/
http://www.walsch.de/
http://hotchillishop.de/
http://innovation.ojom.net/
http://massgroup.de/
http://web-comp.hu/
http://webfull.com/
http://welvo.com/
http://www.ag.ohio-state.edu/
http://poliklinika-vajnorska.sk/
http://wvpilots.org/
http://www.kersten.de/
http://www.kljbwadersloh.de/
http://www.voov.de/
http://www.wchat.cz/
http://www.wg-aufbau-bautzen.de/
http://www.wzhuate.com/
http://zsnabreznaknm.sk/
http://xotravel.ru/
http://ilikesimple.com/
http://yeniguntugla.com/

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

-- Update June 21, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1195282,00.html

This is a mass-mailing virus that spreads in a password protected zip file. Along with the ZIP file, an image containing the password for the ZIP is also attached to infectious messages. Users must take that password and use it to open the ZIP file and then manually execute the .EXE file within. That EXE file is proactively detected as New Malware.b with released DAT files. The same virus variant exists in packed form. That package is proactively detected as W32/Bagle.dldr with released DAT files.

Aliases

Email-Worm.Win32.Bagle.fy (Kaspersky)

W32.Beagle.FF@mm (Symantec)

W32/Bagle-KL (Sophos)

WORM_BAGLE.FN (Trend)

Characteristics

Characteristics -

- Update 6/20/2006 -
This Bagle variant has been discovered in packed and never-packed forms today. The never-packed version is proactively detected as W32/Bagle.dldr

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
attachment is a password-protected zip file, with the password included in the message body.
disables security applications
drops a rootkit

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

Ales
Alice
Alyce
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anna
Anne
Annes
Anthonie
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
I love you
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybyll
Syndony
Thomas
To the beloved
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

Body Text:

The password is
Password --
Use password
Password is
Zip password:
archive password:
Password -
Password:

These are all followed by the image from the included GIF file.

It may also include one of the following two additional phrases, before the password:

To the beloved
I love you

Attachment: (will contain a randomly named EXE and GIF file)

Ales.zip
Alice.zip
Alyce.zip
Andrew.zip
Androw.zip
Androwe.zip
Ann.zip
Anna.zip
Anne.zip
Annes.zip
Anthonie.zip
Anthony.zip
Anthonye.zip
Avice.zip
Avis.zip
Avis.zip
Bennet.zip
Bennett.zip
Christean.zip
Christian.zip
Constance.zip
Cybil.zip
Daniel.zip
Danyell.zip
Dorithie.zip
Dorothee.zip
Dorothy.zip
Edmond.zip
Edmonde.zip
Edmund.zip
Edward.zip
Edwarde.zip
Elizabeth.zip
Elizabethe.zip
Ellen.zip
Ellyn.zip
Emanual.zip
Emanuel.zip
Emanuell.zip
Ester.zip
Frances.zip
Francis.zip
Fraunces.zip
Gabriell.zip
Geoffraie.zip
George.zip
Grace.zip
Harry.zip
Harrye.zip
Henrie.zip
Henry.zip
Henrye.zip
Hughe.zip
Humphrey.zip
Humphrie.zip
Isabel.zip
Isabell.zip
James.zip
Jane.zip
Jeames.zip
Jeffrey.zip
Jeffrye.zip
Joane.zip
Johen.zip
John.zip
Josias.zip
Judeth.zip
Judith.zip
Judithe.zip
Katherine.zip
Katheryne.zip
Leonard.zip
Leonarde.zip
Margaret.zip
Margarett.zip
Margerie.zip
Margerye.zip
Margret.zip
Margrett.zip
Marie.zip
Martha.zip
Mary.zip
Marye.zip
Michael.zip
Mychaell.zip
Nathaniel.zip
Nathaniell.zip
Nathanyell.zip
Nicholas.zip
Nicholaus.zip
Nycholas.zip
Peter.zip
Ralph.zip
Rebecka.zip
Richard.zip
Richarde.zip
Robert.zip
Roberte.zip
Roger.zip
Rose.zip
Rycharde.zip
Samuell.zip
Sara.zip
Sidney.zip
Sindony.zip
Stephen.zip
Susan.zip
Susanna.zip
Suzanna.zip
Sybell.zip
Sybyll.zip
Syndony.zip
Thomas.zip
Valentyne.zip
William.zip
Winifred.zip
Wynefrede.zip
Wynefreed.zip
Wynnefreede.zip

The virus copies itself as HIDN.EXE to the following directory:

C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

It also creates a rootkit to hide directories (and all files within them) which contain the word shared:

C:\Documents and Settings\%User%\Application Data\hidn\m_hook.sys ( 15360 bytes )

It also creates a copy of its ZIP file locally, and a fake error message:

C:\temp.zip
C:\error.gif

The error message appears as follows

A registry key is created to run itself again upon system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\Run "drv_st_key" = C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

Additionally, the following Registry keys are added:

HKEY_CURRENT_USER\Software\firstruxzx\firstrun="1"

It deletes the following registry entry, to disable Safe Boot:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot

This worm attempts to terminate services of security programs with the the following filenames:

wuauserv
Aavmker4
ABVPN2K
ADBLOCK.DLL
ADFirewall
AFWMCL
Ahnlab task Scheduler
alerter
AlertManger
AntiVir Service
AntiyFirewall
ARP.DLL
aswMon2
aswRdr
aswTdi
aswUpdSv
Ati HotKey Poller
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
AVEService
AVExch32Service
AvFlt
Avg7Alrt
Avg7Core
Avg7RsW
Avg7RsXP
Avg7UpdSvc
AvgCore
AvgFsh
AVGFwSrv
AvgFwSvr
AvgServ
AvgTdi
AVIRAMailService
AVIRAService
avpcc
AVUPDService
AVWUpSrv
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822
Bdfndisf
bdftdif
bdss
BlackICE
BsFileSpy
BsFirewall
BsMailProxy
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
CONTENT.DLL
DefWatch
DNSCACHE.DLL
drwebnet
dvpapi
dvpinit
ewido security suite control
ewido security suite driver
ewido security suite guard
F-Prot Antivirus Update Monitor
F-Secure Gatekeeper Handler Starter
firewall
fsbwsys
FSDFWD
FSFW
FSMA
FTPFILT.DLL
FwcAgent
fwdrv
Guard NT
HSnSFW
HSnSPro
HTMLFILT.DLL
HTTPFILT.DLL
IMAPFILT.DLL
InoRPC
InoRT
InoTask
Ip6Fw
Ip6FwHlp
KAVMonitorService
KAVSvc
KLBLMain
KPfwSvc
KWatch3
KWatchSvc
MAILFILT.DLL
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
Microsoft NetWork FireWall Services
MonSvcNT
MpfService
navapsvc
Ndisuio
NDIS_RD
Network Associates Log Service
nipsvc
NISSERV
NISUM
NNTPFILT.DLL
NOD32ControlCenter
NOD32krn
NOD32Service
Norman NJeeves
Norman Type-R
Norman ZANDA
Norton AntiVirus Server
NPDriver
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
OfcPfwSvc
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVAGENTE
PavAtScheduler
PAVDRV
PAVFIRES
PAVFNSVR
Pavkre
PavProc
PavProt
PavPrSrv
PavReport
PAVSRV
PCCPFW
PCC_PFW
PersFW
Personal Firewall
POP3FILT.DLL
PREVSRV
PROTECT.DLL
PSIMSVC
qhwscsvc
wscsvc
Quick Heal Online Protection
ravmon8
RfwService
SAVFMSE
SAVScan
SBService
schscnt
SECRET.DLL
SharedAccess
SmcService
SNDSrvc
SPBBCSvc
SpiderNT
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
The_Hacker_Antivirus
Tmntsrv
TmPfw
tmproxy
tmtdi
tm_cfw
T_H_S_M
V3MonNT
V3MonSvc
Vba32ECM
Vba32ifs
Vba32Ldr
Vba32PP3
VBCompManService
VexiraAntivirus
VFILT
VisNetic AntiVirus Plug-in
vrfwsvc
vsmon
VSSERV
WinAntivirus
WinRoute
wuauserv
xcomm

The worm uses the following list to stop running processes:

a2guard.exe
aavshield.exe
AckWin32.exe
ADVCHK.EXE
AhnSD.exe
airdefense.exe
ALERTSVC.EXE
ALMon.exe
ALOGSERV.EXE
ALsvc.exe
amon.exe
Anti-Trojan.exe
AntiVirScheduler
AntiVirService
ANTS.EXE
APVXDWIN.EXE
Armor2net.exe
ashAvast.exe
ashDisp.exe
ashEnhcd.exe
ashMaiSv.exe
ashPopWz.exe
ashServ.exe
ashSimpl.exe
ashSkPck.exe
ashWebSv.exe
aswUpdSv.exe
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
avciman.exe
Avconsol.exe
AVENGINE.EXE
avgamsvr.exe
avgcc.exe
AVGCC32.EXE
AVGCTRL.EXE
avgemc.exe
avgfwsrv.exe
AVGNT.EXE
avgntdd
avgntmgr
AVGSERV.EXE
AVGUARD.EXE
avgupsvc.exe
avinitnt.exe
AvkServ.exe
AVKService.exe
AVKWCtl.exe
AVP.EXE
AVP32.EXE
avpcc.exe
avpm.exe
AVPUPD.EXE
AVSCHED32.EXE
avsynmgr.exe
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
BackWeb-4476822.exe
bdmcon.exe
bdnews.exe
bdoesrv.exe
bdss.exe
bdsubmit.exe
bdswitch.exe
blackd.exe
blackice.exe
cafix.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccSetMgr.exe
CFIAUDIT.EXE
ClamTray.exe
ClamWin.exe
Claw95.exe
Claw95cf.exe
cleaner.exe
cleaner3.exe
CliSvc.exe
CMGrdian.exe
cpd.exe
DefWatch.exe
DOORS.EXE
DrVirus.exe
drwadins.exe
drweb32w.exe
drwebscd.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
ewidoctrl.exe
EzAntivirusRegistrationCheck.exe
F-AGNT95.EXE
F-PROT95.EXE
F-Sched.exe
F-StopW.EXE
FAMEH32.EXE
FAST.EXE
FCH32.EXE
FireSvc.exe
FireTray.exe
FIREWALL.EXE
fpavupdm.exe
freshclam.exe
FRW.EXE
fsav32.exe
fsavgui.exe
fsbwsys.exe
fsdfwd.exe
FSGK32.EXE
fsgk32st.exe
fsguiexe.exe
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
fspex.exe
fssm32.exe
gcasDtServ.exe
gcasServ.exe
GIANTAntiSpywareMain.exe
GIANTAntiSpywareUpdater.exe
GUARD.EXE
GUARDGUI.EXE
GuardNT.exe
HRegMon.exe
Hrres.exe
HSockPE.exe
HUpdate.EXE
iamapp.exe
iamserv.exe
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
INETUPD.EXE
InocIT.exe
InoRpc.exe
InoRT.exe
InoTask.exe
InoUpTNG.exe
IOMON98.EXE
isafe.exe
ISATRAY.EXE
ISRV95.EXE
ISSVC.exe
JEDI.EXE
KAV.exe
kavmm.exe
KAVPF.exe
KavPFW.exe
KAVStart.exe
KAVSvc.exe
KAVSvcUI.EXE
KMailMon.EXE
KPfwSvc.EXE
KWatch.EXE
livesrv.exe
LOCKDOWN2000.EXE
LogWatNT.exe
lpfw.exe
LUALL.EXE
LUCOMSERVER.EXE
Luupdate.exe
MCAGENT.EXE
mcmnhdlr.exe
mcregwiz.exe
Mcshield.exe
MCUPDATE.EXE
mcvsshld.exe
MINILOG.EXE
MONITOR.EXE
MonSysNT.exe
MOOLIVE.EXE
MpEng.exe
mpssvc.exe
MSMPSVC.exe
myAgtSvc.exe
myagttry.exe
navapsvc.exe
NAVAPW32.EXE
NavLu32.exe
NAVW32.EXE
NDD32.EXE
NeoWatchLog.exe
NeoWatchTray.exe
NISSERV
NISUM.EXE
NMAIN.EXE
nod32.exe
nod32krn.exe
nod32kui.exe
NORMIST.EXE
notstart.exe
npavtray.exe
NPFMNTOR.EXE
npfmsg.exe
NPROTECT.EXE
NSCHED32.EXE
NSMdtr.exe
NssServ.exe
NssTray.exe
ntrtscan.exe
NTXconfig.exe
NUPGRADE.EXE
NVC95.EXE
Nvcod.exe
Nvcte.exe
Nvcut.exe
NWService.exe
OfcPfwSvc.exe
OUTPOST.EXE
PAV.EXE
PavFires.exe
PavFnSvr.exe
Pavkre.exe
PavProt.exe
pavProxy.exe
pavprsrv.exe
pavsrv51.exe
PAVSS.EXE
pccguide.exe
PCCIOMON.EXE
pccntmon.exe
PCCPFW.exe
PcCtlCom.exe
PCTAV.exe
PERSFW.EXE
pertsk.exe
PERVAC.EXE
PNMSRV.EXE
POP3TRAP.EXE
POPROXY.EXE
prevsrv.exe
PsImSvc.exe
QHM32.EXE
QHONLINE.EXE
QHONSVC.EXE
QHPF.EXE
qhwscsvc.exe
RavMon.exe
RavTimer.exe
Realmon.exe
REALMON95.EXE
Rescue.exe
rfwmain.exe
Rtvscan.exe
RTVSCN95.EXE
RuLaunch.exe
SAVAdminService.exe
SAVMain.exe
savprogress.exe
SAVScan.exe
SCAN32.EXE
ScanningProcess.exe
sched.exe
sdhelp.exe
SERVIC~1.EXE
SHSTAT.EXE
SiteCli.exe
smc.exe
SNDSrvc.exe
SPBBCSvc.exe
SPHINX.EXE
spiderml.exe
spidernt.exe
Spiderui.exe
SpybotSD.exe
SPYXX.EXE
SS3EDIT.EXE
stopsignav.exe
swAgent.exe
swdoctor.exe
SWNETSUP.EXE
symlcsvc.exe
SymProxySvc.exe
SymSPort.exe
SymWSC.exe
SYNMGR.EXE
TAUMON.EXE
TBMon.exe
TC.EXE
tca.exe
TCM.EXE
TDS-3.EXE
TeaTimer.exe
TFAK.EXE
THAV.EXE
THSM.EXE
Tmas.exe
tmlisten.exe
Tmntsrv.exe
TmPfw.exe
tmproxy.exe
TNBUtil.exe
TRJSCAN.EXE
Up2Date.exe
UPDATE.EXE
UpdaterUI.exe
upgrepl.exe
Vba32ECM.exe
Vba32ifs.exe
vba32ldr.exe
Vba32PP3.exe
VBSNTW.exe
vchk.exe
vcrmon.exe
VetTray.exe
VirusKeeper.exe
VPTRAY.EXE
vrfwsvc.exe
VRMONNT.EXE
vrmonsvc.exe
vrrw32.exe
VSECOMR.EXE
Vshwin32.exe
vsmon.exe
vsserv.exe
VsStat.exe
WATCHDOG.EXE
WebProxy.exe
Webscanx.exe
WEBTRAP.EXE
WGFE95.EXE
Winaw32.exe
winroute.exe
winss.exe
winssnotify.exe
WRADMIN.EXE
WRCTRL.EXE
xcommsvr.exe
zatutor.exe
ZAUINST.EXE
zlclient.exe
zonealarm.exe
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE

It also prevents the following list of files from running:

filtnt.sys
guardnt.sys
zonealarm.exe
zlclient.exe
zatutor.exe
VsStat.exe
Vshwin32.exe
Vba32PP3.exe
vba32ldr.exe
Vba32ifs.exe
Vba32ECM.exe
upgrepl.exe
Up2Date.exe
tmproxy.exe
TmPfw.exe
Tmntsrv.exe
symlcsvc.exe
spiderml.exe
SPBBCSvc.exe
SNDSrvc.exe
RuLaunch.exe
regedt32.exe
regedit.exe
Realmon.exe
QHPF.EXE
PcCtlCom.exe
pccguide.exe
outpost.exe
Nvcut.exe
Nvcte.exe
Nvcod.exe
npfmsg.exe
NPFMNTOR.EXE
nod32kui.exe
nod32.exe
NAVAPSVC.EXE
Mcshield.exe
Luupdate.exe
LUALL.EXE
KAVPF.exe
kavmm.exe
KAV.exe
isafe.exe
InoUpTNG.exe
InocIT.exe
INETUPD.EXE
GuardNT.exe
GUARDGUI.EXE
freshclam.exe
drwebupw.exe
drwebscd.exe
drweb32w.exe
drwadins.exe
CMGrdian.exe
ClamWin.exe
ClamTray.exe
CCSETMGR.EXE
CCEVTMGR.EXE
ccApp.exe
cafix.exe
bdswitch.exe
bdsubmit.exe
bdnews.exe
bdmcon.exe
AVWUPD32.EXE
Avsynmgr.exe
AVSCHED32.EXE
AVGNT.EXE
avgemc.exe
avgcc.exe
Avconsol.exe
AUPDATE.EXE
ashWebSv.exe
ashSkPck.exe
ashSimpl.exe
ashPopWz.exe
ashEnhcd.exe
ashDisp.exe
ashAvast.exe
kavsvc.exe
bdmcon.exe
vsserv.exe
bdnews.exe
livesrv.exe
mcupdate.exe
frameworkservice.exe
upgrader.exe
apvxdwin.exe
LuComServer_2_5.EXE
lucomserver_2_6.exe
drwebupw.exe
nod32krn.exe

Symptoms

Symptoms -

Outgoing messages matching the described characteristics

Files/Registry keys as described

Method of Infection

Method of Infection -

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

Email Adress Harvesting Component

Email addresses harvested from infected machines are uploaded to a page at the following sites.

http://www.titanmotors.com/images/1/
http://veranmaisala.com/1/
http://wklight.nazwa.pl/1/
http://yongsan24.co.kr/1/
http://accesible.cl/1/
http://hotelesalba.com/1/
http://amdlady.com/1/
http://inca.dnetsolution.net/1/
http://www.auraura.com/1/
http://avataresgratis.com/1/
http://beyoglu.com.tr/1/
http://brandshock.com/1/
http://www.buydigital.co.kr/1/
http://camaramafra.sc.gov.br/1/
http://camposequipamentos.com.br/1/
http://cbradio.sos.pl/1/
http://c-d-c.com.au/1/
http://www.klanpl.com/1/
http://coparefrescos.stantonstreetgroup.com/1/
http://creainspire.com/1/
http://desenjoi.com.br/1/
http://www.inprofile.gr/1/
http://www.diem.cl/1/
http://www.discotecapuzzle.com/1/

It also tries to download a file from the following list of sites:

http://ujscie.one.pl/
http://1point2.iae.nl/
http://appaloosa.no/
http://apromed.com/
http://arborfolia.com/
http://pawlacz.com/
http://areal-realt.ru/
http://bitel.ru/
http://yetii.no-ip.com/
http://art4u1.superhost.pl/
http://www.artbed.pl/
http://art-bizar.foxnet.pl/
http://www.jonogueira.com/
http://asdesign.cz/
http://ftp-dom.earthlink.net/
http://www.aureaorodeley.com/
http://www.autoekb.ru/
http://www.autovorota.ru/
http://avenue.ee/
http://www.avinpharma.ru/
http://ouarzazateservices.com/
http://stats-adf.altadis.com/
http://bartex-cit.com.pl/
http://bazarbekr.sk/
http://gnu.univ.gda.pl/
http://bid-usa.com/
http://biliskov.com/
http://biomedpel.cz/
http://blackbull.cz/
http://bohuminsko.cz/
http://bonsai-world.com.au/
http://bpsbillboards.com/
http://cadinformatics.com/
http://canecaecia.com/
http://www.castnetnultimedia.com/
http://compucel.com/
http://continentalcarbonindia.com/
http://ceramax.co.kr/
http://prime.gushi.org/
http://www.chapisteriadaniel.com/
http://charlesspaans.com/
http://chatsk.wz.cz/
http://www.chittychat.com/
http://checkalertusa.com/
http://cibernegocios.com.ar/
http://5050clothing.com/
http://cof666.shockonline.net/
http://comaxtechnologies.net/
http://concellodesandias.com/
http://www.cort.ru/
http://donchef.com/
http://www.crfj.com/
http://kremz.ru/
http://dev.jintek.com/
http://foxvcoin.com/
http://uwua132.org/
http://v-v-kopretiny.ic.cz/
http://erich-kaestner-schule-donaueschingen.de/
http://vanvakfi.com/
http://axelero.hu/
http://kisalfold.com/
http://vega-sps.com/
http://vidus.ru/
http://viralstrategies.com/
http://svatba.viskot.cz/
http://Vivamodelhobby.com/
http://vkinfotech.com/
http://vytukas.com/
http://waisenhaus-kenya.ch/
http://watsrisuphan.org/
http://www.ag.ohio-state.edu/
http://wbecanada.com/
http://calamarco.com/
http://vproinc.com/
http://grupdogus.de/
http://knickimbit.de/
http://dogoodesign.ch/
http://systemforex.de/
http://zebrachina.net/
http://www.walsch.de/
http://hotchillishop.de/
http://innovation.ojom.net/
http://massgroup.de/
http://web-comp.hu/
http://webfull.com/
http://welvo.com/
http://www.ag.ohio-state.edu/
http://poliklinika-vajnorska.sk/
http://wvpilots.org/
http://www.kersten.de/
http://www.kljbwadersloh.de/
http://www.voov.de/
http://www.wchat.cz/
http://www.wg-aufbau-bautzen.de/
http://www.wzhuate.com/
http://zsnabreznaknm.sk/
http://xotravel.ru/
http://ilikesimple.com/
http://yeniguntugla.com/

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Global Sites

Need Help?

Threat Center

Segment Navigation

Section Navigation

Content

W32/Bagle.fb@MM

Risk Assessment

Tab Navigation

Overview

Aliases

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Aliases

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer