Bagle.AQ (McAfee), a.k.a. Bagle.AC (Trend Micro) copies itself to the Windows System directory as windll.exe and also drops windll.exeopen and windll.exeopenopen to the same location.
Note: By default, the Windows system directory is:
Windows 95/98/ME --> C:\Windows\System
Windows NT/2000 --> C:\Winnt\System32
Windows XP --> C:\Windows\System32
Bagle.AQ then modifies the system registry to load when Windows is started:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"erthgdr" = "C:\WINNT\SYSTEM32\windll.exe"
Bagle.AQ opens a backdoor on TCP and UDP port 2480. As with previous variants, Bagle.AQ attempts to shut down certain security processes found running on infected systems; avoids sending itself to certain email addresses; harvests email addresses from a range of file types on infected systems and sends itself to those addresses; and removes certain registry entries, including those created by some Netsky variants. (The Netsky worm in turn attempts to remove certain Bagle variants. See 'War of the worms' for details.)
The worm also copies itself into folders whose names contain the string 'shar' (typically peer-to-peer shared folders), using the following filenames:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
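As an added example (not part of the original description), the following Python helper checks a host inventory against the indicators listed above: the dropped file names in the system directory, the Run value, the port 2480 listener, and the lure filenames placed in folders whose names contain 'shar'. The HostSnapshot layout and the sample data are constructed assumptions; on a real host the snapshot would be filled from whatever inventory tooling is at hand.

```python
import ntpath
from dataclasses import dataclass
# Indicators taken from the description above (file names, Run value, port).
DROPPED_FILES = {"windll.exe", "windll.exeopen", "windll.exeopenopen"}
RUN_VALUE_NAME = "erthgdr"
BACKDOOR_PORT = 2480
LURE_NAMES = {n.lower() for n in (
    "Microsoft Office 2003 Crack, Working!.exe", "Serials.txt.exe", "KAV 5.0",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe", "Ahead Nero 7.exe",
    "Microsoft Office XP working Crack, Keygen.exe", "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe", "Windows Sourcecode update.doc.exe",
    "Windown Longhorn Beta Leak.exe", "Opera 8 New!.exe", "ACDSee 9.exe",
    "XXX hardcore images.exe", "WinAmp 6 New!.exe", "Adobe Photoshop 9 full.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Matrix 3 Revolution English Subtitles.exe",
)}

@dataclass
class HostSnapshot:              # constructed layout, not a real tool's output
    run_values: dict             # HKCU\...\Run value name -> command line
    file_paths: list             # full paths of files present on disk
    listening_ports: set         # (protocol, port) pairs currently listening

def check_snapshot(snap: HostSnapshot) -> list:
    """Return one finding string per Bagle.AQ indicator matched in the snapshot."""
    findings = []
    for name, cmd in snap.run_values.items():
        # Match either the known value name or any dropped file used as the command.
        if name.lower() == RUN_VALUE_NAME or ntpath.basename(cmd).lower() in DROPPED_FILES:
            findings.append(f"autorun: {name} = {cmd}")
    for path in snap.file_paths:
        base = ntpath.basename(path).lower()
        folder = ntpath.basename(ntpath.dirname(path)).lower()
        if base in DROPPED_FILES:
            findings.append(f"dropped file: {path}")
        elif "shar" in folder and base in LURE_NAMES:   # lure copy in a 'shar' folder
            findings.append(f"lure in shared folder: {path}")
    for proto, port in snap.listening_ports:
        if port == BACKDOOR_PORT:
            findings.append(f"backdoor listener: {proto}/{port}")
    return findings

# Constructed sample snapshot: benign entries plus one of each indicator type.
SAMPLE = HostSnapshot(
    run_values={"ctfmon.exe": r"C:\WINNT\System32\ctfmon.exe",
                "erthgdr": r"C:\WINNT\SYSTEM32\windll.exe"},
    file_paths=[r"C:\WINNT\SYSTEM32\windll.exeopen", r"C:\Documents\notes.txt",
                r"C:\Shared Files\Serials.txt.exe"],
    listening_ports={("tcp", 135), ("tcp", 2480), ("udp", 2480)},
)
```

Running check_snapshot(SAMPLE) reports five findings: the Run value, the dropped file, the lure copy, and the TCP and UDP listeners on port 2480.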
See Also: Email characteristics
