Bagle.AD also includes a backdoor component presumably designed as a spam relay. According to antivirus researchers at Trend Micro, a bug in the client prevents the backdoor from functioning.
The Bagle.AD worm spoofs the From address and uses its own SMTP engine to send itself, composing an email with the following characteristics:
Subject:
Changes..
Encrypted document
Fax Message
Forum notify
Incoming message
Notification
Protected message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Re: Msg reply
RE: Protected message
RE: Text message
Re: Thank you!
Re: Thanks :)
Re: Yahoo!
Site changes
Update
Message body:
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Here is the file.
Message is in attach
More info is in attach
Pay attention at the attach.
Please, have a look at the attached file.
Please, read the document.
Read the attach.
See attach.
See the attached file for details.
Your document is attached.
Your file is attached.
Attachment:
The attachment will be either a .hta, .vbs, .exe, .scr, .com. .cpl, or .zip and will be named any one of the following:
Information
Details
text_document
Updates
Readme
Document
Info
MoreInfo
Message
When ZIP files are used by Bagle.AD, the ZIP file may be password protected. Additionally, the password-protected attachment may also contain another .ZIP file named SOURCES.ZIP which contains the Bagle.AD source code.
Next: Action on infection
