
Bagle worm variant warns: 'Lawsuit Against You'

From , former About.com Guide

Type: Bagle worm variant that spreads via email and fileshares/P2P networks.

Discovered: March 2, 2006

Aliases: W32/Bagle-DO (Sophos), W32/Bagle.dy@MM (McAfee), Email-Worm.Win32.Bagle.fr (Kaspersky), W32.Beagle.DX@mm (Symantec), WORM_BAGLE.DQ (Trend Micro), Win32/Bagle.AN (CA), Win32.Bagle.FM@mm (BitDefender), Worm/Bagle.FS (Avira)

The email sent by this variant of the Bagle worm spoofs (impersonates) the From sender. The subject line will be one of the following:

Pay your debts before we come to you 
Call to your lawer immidiately 
Lawsuit against you 
We wait your response

Three messages may be sent by the worm, all of a legal nature and all beginning with:

LAWSUIT AGAINST YOU (CLICK TO ATTACHED DOCUMENT FOR MORE INFORMATION)

The rest of the email plagiarizes example letters from various legal resources. For example, one "Lawsuit Against You" email complains of receiving an unsolicited fax. The message text was lifted from the KEYTLaw.com website.

A second "Lawsuit Against You" email revolves around an identity theft / credit dispute. That letter was taken verbatim from a sample letter found on the Credit InfoCenter website.

The third "Lawsuit Against You" email revolves around a faulty auto repair claim aimed at Tucker's Fix-It-Quick Garage, and is taken from the Nolo legal resource website.

The email carries one of the following named attachments:

lawsuit.exe 
explanation.exe 
documents.exe

This Bagle variant installs itself to the Windows System directory as win32lib.exe and modifies the HKCU\..Run key to load this file whenever Windows is started.

This Bagle variant also tries to spread via P2P networks. To do so, it copies itself to any folder whose name contains the string 'shar'. The copies of the worm are named as follows:

Adobe Photoshop 9 full.exe 
Ahead Nero 10.exe 
Britney Spears sex photos.exe 
IE beta 7.exe 
Porno Screensaver.scr 
Serials 2005 database.exe 
Serials.txt.exe 
Windown Vista Beta Leak.exe 
Windows Sourcecode update.doc.exe 
XXX hardcore images.exe 
anna benson sex video.exe 
barrett jackson nude photos, movies, porn video.exe 
jenna elfman sex anal deepthroat.exe 
kate beckinsale nude pictures.exe 
miss america Porno, sex, oral, anal cool, awesome!!.exe 
paris hilton Porno pics arhive, xxx.exe 

This variant of the Bagle worm also tries to download additional malware from a wide range of hardcoded website locations.
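The two host-side indicators described above (the win32lib.exe Run-key entry and the renamed copies dropped into any folder with 'shar' in its name) can be turned into a simple local check. The following is an added example written for this article, not code from About.com or from any antivirus vendor; it assumes the Run key values have already been read (for example with winreg or from a .reg export) and it matches the copy names from this write-up exactly, case-insensitively, against a constructed sample directory tree.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Indicators quoted from the write-up above for this Bagle variant.
DROPPED_FILE = "win32lib.exe"
P2P_COPY_NAMES = {
    "adobe photoshop 9 full.exe", "ahead nero 10.exe", "ie beta 7.exe",
    "porno screensaver.scr", "serials 2005 database.exe", "serials.txt.exe",
    "windown vista beta leak.exe", "windows sourcecode update.doc.exe",
}

def run_command_exe(cmd):
    """Executable path at the start of a Run-key command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def check_run_key(run_values):
    """run_values: {value name: command} as read from the HKCU Run key (via
    winreg on the live host or from a .reg export; assumed to be supplied by
    the caller). Returns the entries whose executable is win32lib.exe."""
    return [(name, cmd) for name, cmd in run_values.items()
            if PureWindowsPath(run_command_exe(cmd)).name.lower() == DROPPED_FILE]

def scan_share_folders(root):
    """Walk root; inside any directory whose name contains 'shar' (the worm's
    own P2P copy criterion) report files matching its known copy names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" in Path(dirpath).name.lower():
            hits += [str(Path(dirpath, f)) for f in files if f.lower() in P2P_COPY_NAMES]
    return sorted(hits)

def demo():
    """Constructed sample data (not from a real infection): one benign Run
    entry, one worm entry, and a small directory tree with a share folder."""
    root = Path(tempfile.mkdtemp(prefix="bagle_demo_"))
    (root / "My Shared Folder").mkdir()
    (root / "My Shared Folder" / "Serials.txt.exe").write_bytes(b"MZ")
    (root / "My Shared Folder" / "notes.txt").write_text("benign")
    (root / "Documents").mkdir()
    (root / "Documents" / "Serials.txt.exe").write_bytes(b"MZ")  # not in a 'shar' folder
    run_values = {
        "ctfmon": r"C:\Windows\System32\ctfmon.exe",
        "win32lib": r'"C:\Windows\System32\win32lib.exe"',
    }
    return {
        "run_key_hits": [name for name, _ in check_run_key(run_values)],
        "share_hits": [Path(p).name for p in scan_share_folders(root)],
    }

if __name__ == "__main__":
    print(demo())
```

The copy under Documents is deliberately not reported: the worm only places copies in folders whose name contains 'shar', so the same filename elsewhere is outside this variant's behaviour.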

To remove this variant of the Bagle worm, update your antivirus software, scan your system and remove any infected files found.
