W32/Bagle.ab@MM

08/10/04 - W32/Bagle.ab@MM is a mass-mailing worm that spreads via e-mail. Its behaviour is described below:

This variant is a very minor change from W32/Bagle.aa@MM. It is packed with UPX. The ZIP files and the scripts within the messages created by this virus are detected by DAT 4354 and later as W32/Bagle.gen!pwdzip and W32/Bagle.aa@MM respectively.

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests e-mail addresses from the victim machine
the From: address of outgoing messages is spoofed
the attachment can be a password-protected ZIP file, with the password included in the message body
contains a remote-access component (a notification is sent to the attacker)
copies itself to folders whose name contains the string "shar" (such as the shared folders of common peer-to-peer applications: KaZaa, BearShare, LimeWire, etc.)

When executed it displays a false (decoy) message.

Mail Propagation

The details are as follows:

From: (address is spoofed)

Subject:

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
New changes
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Body Text:

Uses various constructed strings

Attachment: the base name is one of the following:

Information
Details
text_document
Readme
Document
Info
the_message
MoreInfo
Message
You_will_answer_to_me
Half_Live
Counter_strike
Loves_money
Alive_condom
Joke
Toy
Nervous_illnesses
Manufacture
You_are_dismissed
Your_complaint
Your_money
Smoke
I_search_for_you

with one of the following extensions:

Script dropper, using one of the following file extensions:
hta
vbs

Executable, using one of the following file extensions:
exe
scr
com
cpl

Executable dropper: a CPL file with the .cpl extension.
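The mail-propagation indicators above (fixed subject lines, fixed attachment base names and extensions, and a password-protected ZIP whose password is given in the body) are enough to write a simple mail filter. The following is an added example, not code from the original alert or from McAfee: it parses a message with Python's standard library, checks the Subject and each attachment's base name and extension against the lists above, and reports ZIP attachments that carry the encryption flag together with a password line in the body. The indicator lists are copied from the alert; the scoring threshold, the password regex, the folder of names checked inside the ZIP, and the two sample messages are this example's own assumptions. The sample ZIP only has its "encrypted" flag bit set (the standard library cannot write encrypted archives), which is all the detector inspects.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the alert above (compared case-insensitively).
SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..",
    "New changes", "Hidden message", "Fax Message Received", "Protected message",
    "RE: Protected message", "Forum notify", "Site changes", "Re: Hi",
    "Encrypted document")}
NAMES = {n.lower() for n in (
    "Information", "Details", "text_document", "Readme", "Document", "Info",
    "the_message", "MoreInfo", "Message", "You_will_answer_to_me", "Half_Live",
    "Counter_strike", "Loves_money", "Alive_condom", "Joke", "Toy",
    "Nervous_illnesses", "Manufacture", "You_are_dismissed", "Your_complaint",
    "Your_money", "Smoke", "I_search_for_you")}
PAYLOAD_EXTS = {"hta", "vbs", "exe", "scr", "com", "cpl"}
# Assumed shape of the password line in the body, e.g. "Password: 49217".
PASSWORD_RE = re.compile(r"password\W{0,5}(\w{3,})", re.IGNORECASE)


def split_name(filename):
    """Return (stem, extension) of a file name, both lower-cased, no dot."""
    stem, ext = os.path.splitext(filename or "")
    return stem.lower(), ext.lstrip(".").lower()


def encrypted_entries(zip_bytes):
    """Names of entries whose general-purpose flag bit 0 (ZIP encryption) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []


def analyze(raw):
    """Score one raw RFC 822 message; returns the indicators found and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject from Bagle.ab list")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    password = PASSWORD_RE.search(body)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = split_name(name)
        if stem in NAMES and ext in PAYLOAD_EXTS:
            hits.append(f"payload attachment {name}")
        elif ext == "zip":
            data = part.get_content()
            inner = encrypted_entries(data if isinstance(data, bytes) else data.encode())
            for entry in inner:
                istem, iext = split_name(entry)
                if istem in NAMES and iext in PAYLOAD_EXTS:
                    hits.append(f"password-protected zip {name} holding {entry}")
            if inner and password:
                hits.append(f"zip password {password.group(1)!r} given in body")
    # Threshold is this example's assumption: a single indicator is too noisy.
    return {"hits": hits, "suspicious": len(hits) >= 2}


def mark_encrypted(zip_bytes):
    """Set flag bit 0 in every local (offset 6) and central-directory (offset 8) header.
    Constructed stand-in: zipfile cannot write encrypted archives, so the sample
    merely claims encryption, which is all the detector inspects."""
    data = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= 0x1
            pos = data.find(sig, pos + len(sig))
    return bytes(data)


def build_sample_bagle_message():
    """Constructed message in the shape the alert describes (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Info.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Re: Hello"
    msg.set_content("See the attached archive.\nPassword: 49217\n")
    msg.add_attachment(mark_encrypted(buf.getvalue()), maintype="application",
                       subtype="zip", filename="Info.zip")
    return msg.as_bytes()


def build_sample_benign_message():
    """Constructed legitimate reply that shares only the subject line."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Re: Hello"
    msg.set_content("Minutes attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="minutes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_bagle_message(), build_sample_benign_message()):
        print(analyze(raw))
```

Run stand-alone, the script prints three indicators and `suspicious: True` for the constructed worm message and only the subject indicator (not suspicious) for the benign reply. The two-indicator threshold matters: "Re: Hello" on its own is a perfectly ordinary subject, and a filter keyed on the subject list alone would quarantine legitimate replies. A real deployment would feed the same checks from a mail gateway or mbox and would also treat any inbound password-protected archive whose password is written in the body as a strong indicator by itself, since no legitimate sender needs to do that.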

More info on this worm:
http://vil.nai.com/vil/content/v_125089.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_125089.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
