The email composed by the Bagle.AI worm has the following characteristics: The From address is spoofed. The Subject reads simply 'Re:'. The Message Body contains any one of the following:
- Animals
- foto3
- fotogalary
- fotoinfo
- Lovely animals
- Predators
- Screen
- The snake
The attachment will have an extension of .com, .cpl, .exe, .scr, or .zip and will be named one of the following:
- Cat
- Cool_MP3
- Dog
- Doll
- Fish
- Garry
- MP3
- Music_MP3
- New_MP3_Player
By default, Windows does not display the true file extension. Make sure file extension viewing is enabled.
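The following is an added example, not part of the original description: a mail-filter style check that parses a message and reports which of the traits listed above it matches. The function names, the case-insensitive comparison and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the description above (lower-cased for matching).
BODIES = {"animals", "foto3", "fotogalary", "fotoinfo",
          "lovely animals", "predators", "screen", "the snake"}
NAMES = {"cat", "cool_mp3", "dog", "doll", "fish", "garry",
         "mp3", "music_mp3", "new_mp3_player"}
EXTS = {"com", "cpl", "exe", "scr", "zip"}


def bagle_ai_traits(raw: bytes) -> list[str]:
    """Return the listed traits ('subject', 'body', 'attachment') that a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # The From address is spoofed, so it is not used as an indicator.
    if str(msg["Subject"] or "").strip() == "Re:":
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        # Split on the last dot so the true extension is the one compared.
        stem, dot, ext = (part.get_filename() or "").lower().rpartition(".")
        if dot and stem in NAMES and ext in EXTS:
            hits.append("attachment")
            break
    return hits


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message with a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    # A bare 'Re:' subject is common in normal mail; treat it as weak on its own.
    print(bagle_ai_traits(build_sample("Re:", "Lovely animals", "Dog.scr")))
```
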
Upon infection, Bagle.AI creates several copies of itself in the Windows system folder:
- winxp.exe
- winxp.exeopen
- winxp.exeopenopen
- winxp.exeopenopenopen
- winxp.exeopenopenopenopen
To launch when Windows is started, Bagle.AI modifies the registry as follows:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 'key' = "%sysdir%winxp.exe"

