
Bagle.AF

Virus Description

From , former About.com Guide

Updated July 15, 2004
Bagle.AF is a mass-mailing email worm that also spreads via P2P networks and file shares whose folder name contains the string 'shar'. Bagle.AF uses its own SMTP engine to send itself. The email sent by Bagle.AF is composed of the following:

Subject: (may be any one of the following)

Changes..
Encrypted document
Fax Message
Forum notify
Incoming message
Notification
Protected message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Re: Msg reply
RE: Protected message
RE: Text message
Re: Thank you!
Re: Thanks :)
Re: Yahoo!
Site changes
Update

Message body: (may be any one of the following)

Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Here is the file.
Message is in attach
More info is in attach
Pay attention at the attach.
Please, have a look at the attached file.
Please, read the document.
Read the attach.
See attach.
See the attached file for details.
Your document is attached.
Your file is attached.

Attachment: (may be any one of the following)

Details
Document
Info
Information
Message
Readme
text_document
Updates

Extension: (may be any one of the following)

COM
CPL
EXE
HTA
SCR
VBS
ZIP

Bagle.AF may also send itself as a password-protected ZIP file, in which case the password will either be included in the body of the email or attached as a .GIF file.
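As an added example (not part of the original About.com description), the following Python check scores a parsed message against the subject, attachment-name and extension combinations listed above, and separately flags the password-protected ZIP plus .GIF pattern; the sample messages it builds are constructed, not real captures.

```python
"""Mail triage check for the Bagle.AF pattern described above (added example)."""
from email.message import EmailMessage

# Indicator lists copied from the description above, lower-cased for matching.
SUBJECTS = {s.lower() for s in (
    "Changes..|Encrypted document|Fax Message|Forum notify|Incoming message|"
    "Notification|Protected message|Re: Document|Re: Hello|Re: Hi|"
    "Re: Incoming Message|RE: Incoming Msg|RE: Message Notify|Re: Msg reply|"
    "RE: Protected message|RE: Text message|Re: Thank you!|Re: Thanks :)|"
    "Re: Yahoo!|Site changes|Update").split("|")}
NAMES = {"details", "document", "info", "information", "message", "readme",
         "text_document", "updates"}
EXTS = {"com", "cpl", "exe", "hta", "scr", "vbs", "zip"}

def split_name(filename):
    """Split 'Readme.EXE' into ('readme', 'exe'); no extension -> ('', '')."""
    stem, dot, ext = filename.rpartition(".")
    return (stem.lower(), ext.lower()) if dot else ("", "")

def bagle_af_indicators(msg):
    """Return the list of Bagle.AF indicators found in one parsed message."""
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    has_gif = any(split_name(n)[1] == "gif" for n in names)
    for n in names:
        stem, ext = split_name(n)
        if stem in NAMES and ext in EXTS:
            hits.append("attachment:" + n)
            if ext == "zip" and has_gif:
                # Password-protected ZIP whose password is delivered as a .GIF.
                hits.append("zip+gif-password")
    return hits

def make_mail(subject, body, filenames):
    """Constructed sample message (not a real capture) for exercising the check."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    for fn in filenames:
        msg.add_attachment(b"\x00", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg

if __name__ == "__main__":
    worm = make_mail("Re: Hello", "See attach.", ["Readme.ZIP", "pass.gif"])
    clean = make_mail("Re: Hello", "Slides from today", ["deck.pdf"])
    print(bagle_af_indicators(worm))   # ['subject', 'attachment:Readme.ZIP', 'zip+gif-password']
    print(bagle_af_indicators(clean))  # ['subject']
```

A subject match on its own is weak evidence (several of the subjects are ordinary reply lines), so a mail gateway rule should act on the attachment hits and treat the subject as corroboration only.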

Action on infection
Upon infection, Bagle.AF copies itself to the Windows system directory as sysxp.exe and modifies the system registry to load when Windows is started:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "key" = "%winsysdir%\sysxp.exe"

Note: By default, the Windows system directory is:
Windows 95/98/ME  -->  C:\Windows\System
Windows NT/2000   -->  C:\Winnt\System32
Windows XP        -->  C:\Windows\System32
