New Bagle variant plagues users
Friday October 29, 2004
Three new Bagle variants were discovered in the early morning hours on October 29th. One of the variants began quickly spreading in email.
Name: Bagle.AT (Trend Micro), Bagle.AU (Sophos), and Bagle.AW (Symantec)
Characteristics:
Bagle.AT (Trend) spoofs the From address. The email sent by the worm has the following characteristics:
Subject may be any of the following:
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Message body may be any of the following:
:)
:))
Attachment may be named either of the following:
PRICE
JOKE
The attachment extension may be any of the following:
COM
CPL
EXE
SCR
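As an added example (not part of the original advisory or any vendor's code), the following Python check flags a message only when its subject, body and attachment all line up with the characteristics listed above; the sample messages, addresses and attachment bytes are constructed for the demonstration.

```python
# Added example: mail-gateway style check for the Bagle.AT email traits
# described in the advisory (subject, body, PRICE/JOKE attachment with a
# COM/CPL/EXE/SCR extension). Sample messages below are constructed.
from email import message_from_string
from email.message import EmailMessage

SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)"}
BODIES = {":)", ":))"}
ATTACH_NAMES = {"price", "joke"}
ATTACH_EXTS = {"com", "cpl", "exe", "scr"}


def attachment_matches(filename):
    """True if the attachment is PRICE/JOKE with one of the listed extensions."""
    if not filename or "." not in filename:
        return False
    stem, _, ext = filename.rpartition(".")
    return stem.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS


def bagle_at_indicators(raw):
    """Return the list of advisory traits found in one raw RFC 2822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    body = ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            if attachment_matches(part.get_filename()):
                hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    if body.strip() in BODIES:
        hits.append("body")
    return hits


def is_bagle_at_candidate(raw):
    """Require all three traits, so an ordinary 'Re:' reply with a smiley
    but no matching attachment is not flagged."""
    return set(bagle_at_indicators(raw)) == {"subject", "body", "attachment"}


def build_sample(subject, body, filename):
    """Constructed sample message with one attachment (dummy payload bytes)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"   # Bagle.AT spoofs the From address
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"dummy-bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```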
When executed, the worm drops copies of itself to the Windows system folder as:
WINGO.EXE
WINGO.EXEOPEN
WINGO.EXEOPENOPEN
and modifies the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key, adding the following:
wingo = "%System%\wingo.exe"
This allows the worm to activate each time Windows is restarted.
Bagle.AT copies itself to folders with the string 'shar' in the folder name. This could lead to further spread over networks and P2P file shares. Names used include:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Bagle.AT harvests email addresses from various files on infected systems. It stops processes associated with certain antivirus and security software, attempts to connect to various websites, and removes edits made by certain Netsky worm variants. (These Netsky variants have similar routines which attempt to remove various Bagle variants).