- 'Cannot find a viewer associated with the file'
Bagle.AD creates various mutexes designed to prevent variants of the Netsky worm from running. Bagle.AD also deletes Run registry key values containing any of the following:
9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex
Bagle.AD drops a copy of itself to the Windows system folder as 'loader_name.exe' and modifies the registry to load this copy of the worm when Windows is started:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"reg_key" = "%system%\loader_name.exe"
Note: By default, the Windows system directory is:
Windows 95/98/ME --> C:\Windows\System
Windows NT/2000 --> C:\Winnt\System32
Windows XP --> C:\Windows\System32
Bagle.AD also drops/creates:
cplstub.exe (Windows directory)
loader_name.exeopen (Windows system directory)
loader_name.exeopenopen (Windows system directory)
Bagle.AD also copies itself into folders whose folder name contains 'shar'. Filenames will be one of the following:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
Bagle.AD harvests email addresses from a range of file types found on infected users' systems.
Bagle.AD also opens a backdoor on TCP port 1234, presumably for use as an email relay. However, bugs in the routine cause the communication between client and server to fail.
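The following host triage script is an added example written for this description; it is not the vendor's code and not part of the original page. Because the page gives only placeholders for the worm's Run value name ("reg_key") and loader filename ("loader_name.exe"), the script looks for the pattern instead: a Run value pointing at an .exe in the system directory whose target also exists with 'open' and 'openopen' appended, the companion files described above. It also reports targeted Run values that have disappeared between two registry snapshots, lure filenames sitting in folders whose name contains 'shar', and whether TCP port 1234 is listening. All snapshot data (the value name wsvc, the paths, the port set) is constructed so the script runs offline.

```python
"""Host triage for the Bagle.AD traits described above.

Added example, not the vendor's code. It runs over a constructed snapshot
(Run key values before/after, a file listing, listening TCP ports) so it
works offline; a real check would feed it live registry and filesystem data.
"""
import ntpath

# Substrings of Run value names the worm deletes (taken from the description).
# Matching is done case-insensitively here as a triage choice.
DELETED_RUN_VALUE_SUBSTRINGS = [
    "9XHtProtect", "Antivirus", "EasyAV", "FirewallSvr", "HtProtect",
    "ICQ Net", "ICQNet", "Jammer2nd", "KasperskyAVEng", "MsInfo", "My AV",
    "NetDy", "Norton Antivirus AV", "PandaAVEngine", "service",
    "SkynetsRevenge", "Special Firewall Service", "SysMonXP", "Tiny AV",
    "Zone Labs Client Ex",
]

# Lure filenames the worm copies itself under, into folders whose name contains 'shar'.
SHARE_LURE_NAMES = [
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr", "Serials.txt.exe", "KAV 5.0",
    "Kaspersky Antivirus 5.0", "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe", "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe", "Opera 8 New!.exe",
    "XXX hardcore images.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
]
_LURES_LOWER = {n.lower() for n in SHARE_LURE_NAMES}

BACKDOOR_PORT = 1234  # backdoor port named in the description


def removed_security_run_values(before, after):
    """Run values present in `before`, matching a targeted substring, and gone in `after`."""
    gone = []
    for name in before:
        if name in after:
            continue
        if any(s.lower() in name.lower() for s in DELETED_RUN_VALUE_SUBSTRINGS):
            gone.append(name)
    return sorted(gone)


def loader_entries_with_companions(run_values, files, system_dir):
    """Run values whose command is '<system_dir>\\X.exe' where X.exeopen and
    X.exeopenopen also exist (the companion files dropped next to the loader)."""
    present = {f.lower() for f in files}
    hits = []
    for value_name, command in run_values.items():
        folder, base = ntpath.split(command)
        if folder.lower() != system_dir.lower() or not base.lower().endswith(".exe"):
            continue
        companions = [ntpath.join(folder, base + sfx).lower() for sfx in ("open", "openopen")]
        if all(c in present for c in companions):
            hits.append(value_name)
    return sorted(hits)


def share_lure_files(files):
    """Files with a lure name whose immediate parent folder name contains 'shar'."""
    hits = []
    for path in files:
        folder, base = ntpath.split(path)
        if "shar" in ntpath.basename(folder).lower() and base.lower() in _LURES_LOWER:
            hits.append(path)
    return sorted(hits)


def backdoor_port_open(listening_tcp_ports):
    """True if the port the description associates with the backdoor is listening."""
    return BACKDOOR_PORT in listening_tcp_ports


def triage(before, after, files, system_dir, listening_tcp_ports):
    """Combine the four checks into one report dict."""
    return {
        "removed_run_values": removed_security_run_values(before, after),
        "loader_entries": loader_entries_with_companions(after, files, system_dir),
        "share_lures": share_lure_files(files),
        "backdoor_port_open": backdoor_port_open(listening_tcp_ports),
    }


# Constructed snapshot. 'wsvc' stands in for the page's placeholder reg_key /
# loader_name.exe; the real names are not given on this page.
SAMPLE_SYSTEM_DIR = r"C:\Windows\System32"
SAMPLE_RUN_BEFORE = {
    "Norton Antivirus AV": r"C:\Program Files\NAV\navapw32.exe",
    "Jammer2nd": r"C:\Jammer\jammer.exe",
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
}
SAMPLE_RUN_AFTER = {
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    "wsvc": r"C:\Windows\System32\wsvc.exe",
}
SAMPLE_FILES = {
    r"C:\Windows\System32\wsvc.exe",
    r"C:\Windows\System32\wsvc.exeopen",
    r"C:\Windows\System32\wsvc.exeopenopen",
    r"C:\Windows\cplstub.exe",
    r"C:\Shared\Serials.txt.exe",
    r"C:\Shared\readme.txt",
    r"C:\Users\Alice\Documents\ACDSee 9.exe",
}
SAMPLE_PORTS = {135, 445, 1234}

if __name__ == "__main__":
    print(triage(SAMPLE_RUN_BEFORE, SAMPLE_RUN_AFTER, SAMPLE_FILES, SAMPLE_SYSTEM_DIR, SAMPLE_PORTS))
```

The lure check deliberately looks only at the immediate parent folder, since the description says the worm copies itself directly into folders whose name contains 'shar'; a lure name elsewhere (the Documents example above) is left to other controls. The "service" substring in the deletion list will match many legitimate Run values, so the missing-value report is a prompt for review rather than a verdict.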