Type: Bagle worm variant that spreads via email and fileshares/P2P networks.
Discovered: March 2, 2006
Aliases: W32/Bagle-DO (Sophos), W32/Bagle.dy@MM (McAfee), Email-Worm.Win32.Bagle.fr (Kaspersky), W32.Beagle.DX@mm (Symantec), WORM_BAGLE.DQ (Trend Micro), Win32/Bagle.AN (CA), Win32.Bagle.FM@mm (BitDefender), Worm/Bagle.FS (Avira)
The email sent by this variant of the Bagle worm spoofs (impersonates) the From sender. The subject line will be one of the following:
Pay your debts before we come to you
Call to your lawer immidiately
Lawsuit against you
We wait your response
Three messages may be sent by the worm, all of a legal nature and all beginning with:
LAWSUIT AGAINST YOU (CLICK TO ATTACHED DOCUMENT FOR MORE INFORMATION)
The rest of the email plagiarizes example letters from various legal resources. For example, one "Lawsuit Against You" email complains of receiving an unsolicited fax. The message text was lifted from the KEYTLaw.com website.
A second "Lawsuit Against You" email revolves around an identity theft / credit dispute. That letter was taken verbatim from a sample letter found on the Credit InfoCenter website.
The third "Lawsuit Against You" email revolves around a faulty auto repair claim aimed at Tucker's Fix-It-Quick Garage, and is taken from the Nolo legal resource website.
The email carries one of the following named attachments:
lawsuit.exe
explanation.exe
documents.exe
This Bagle variant installs itself to the Windows System directory as win32lib.exe and modifies the HKCU\..Run key to load this file whenever Windows is started.
This variant also tries to spread via P2P networks. To do so, it copies itself to any folder with the string 'shar' in its folder name. The copies of the worm are named as follows:
Adobe Photoshop 9 full.exe
Ahead Nero 10.exe
Britney Spears sex photos.exe
IE beta 7.exe
Porno Screensaver.scr
Serials 2005 database.exe
Serials.txt.exe
Windown Vista Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
anna benson sex video.exe
barrett jackson nude photos, movies, porn video.exe
jenna elfman sex anal deepthroat.exe
kate beckinsale nude pictures.exe
miss america Porno, sex, oral, anal cool, awesome!!.exe
paris hilton Porno pics arhive, xxx.exe
This variant of the Bagle worm also tries to download additional malware from a wide range of hardcoded website locations.
To remove this variant of the Bagle worm, update your antivirus software, scan your system and remove any infected files found.
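The file names and locations listed above can also be checked with a short script. The Python below is an added example, not part of the original write-up or of any vendor's tool: it walks a directory tree and reports files that match the names on this page. The function names, the case-insensitive matching and the choice to test only a folder's own name for 'shar' are assumptions of the example.

```python
import os
import tempfile

# Names the page lists for copies dropped into P2P/share folders.
P2P_NAMES = {n.lower() for n in (
    "Adobe Photoshop 9 full.exe|Ahead Nero 10.exe|Britney Spears sex photos.exe|IE beta 7.exe|"
    "Porno Screensaver.scr|Serials 2005 database.exe|Serials.txt.exe|Windown Vista Beta Leak.exe|"
    "Windows Sourcecode update.doc.exe|XXX hardcore images.exe|anna benson sex video.exe|"
    "barrett jackson nude photos, movies, porn video.exe|jenna elfman sex anal deepthroat.exe|"
    "kate beckinsale nude pictures.exe|miss america Porno, sex, oral, anal cool, awesome!!.exe|"
    "paris hilton Porno pics arhive, xxx.exe"
).split("|")}
ATTACHMENT_NAMES = {"lawsuit.exe", "explanation.exe", "documents.exe"}
INSTALLED_NAME = "win32lib.exe"  # the page places this in the Windows System directory


def scan(root):
    """Return sorted (reason, path) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Assumption: only the folder's own name is tested for 'shar', ignoring case.
        in_share = "shar" in os.path.basename(dirpath).lower()
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            if in_share and low in P2P_NAMES:
                findings.append(("p2p-copy", path))
            elif low in ATTACHMENT_NAMES:
                findings.append(("attachment-name", path))
            elif low == INSTALLED_NAME:
                findings.append(("installed-copy", path))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree of empty placeholder files."""
    layout = ["My Shared Folder/Serials.txt.exe", "My Shared Folder/notes.txt",
              "Downloads/Serials.txt.exe", "System32/win32lib.exe", "Mail/lawsuit.exe"]
    with tempfile.TemporaryDirectory() as root:
        for rel in layout:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return [(why, os.path.relpath(p, root).replace(os.sep, "/")) for why, p in scan(root)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A name match is only a lead for further checking with antivirus software, since a legitimate file can share one of these names.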

