Aliases
Win32/Bagle.AB, WORM_BAGLE.Z, I-Worm.Bagle.z
Type
Win32 worm
Sophos has received many reports of this worm from the wild.
Description
W32/Bagle-AA is a member of the W32/Bagle family of worms.
When first run, W32/Bagle-AA displays a fake error message containing the text "Can't find a viewer associated with the file".
W32/Bagle-AA copies itself to the Windows system folder with the filename drvddll.exe and then runs the worm from that location.
The email sent by the worm may use one of the following subject lines:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
New changes
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
The following registry entry is created so that the worm is run when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvddll.exe = drvddll.exe
W32/Bagle-AA scans all fixed drives recursively for WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files, extracts email addresses from them and uses those addresses for the mass mailing component of the worm.
The worm will create copies of itself with the following filenames in folders that contain the string "shar" in their name:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
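As an added defender-side example (not part of the Sophos analysis), the following Python checks a host's directory listing and Run-key contents for three of the traits described above: the copy in the Windows system folder, the Run value, and the drop names placed in folders containing "shar". The system folder path, the function names and the sample listing are assumptions constructed for the example.

```python
import ntpath

# Filenames the worm drops into folders whose name contains "shar" (taken from the list above).
DROP_NAMES = {n.lower() for n in (
    "ACDSee 9.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe", "Kaspersky Antivirus 5.0",
    "KAV 5.0", "Matrix 3 Revolution English Subtitles.exe", "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe", "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Opera 8 New!.exe", "Porno pics arhive, xxx.exe", "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Serials.txt.exe", "WinAmp 5 Pro Keygen Crack Update.exe",
    "WinAmp 6 New!.exe", "Windown Longhorn Beta Leak.exe", "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
)}
WORM_FILENAME = "drvddll.exe"  # name of the system-folder copy and of the Run value

def is_share_folder_drop(path):
    """True when a known drop name sits inside a folder whose name contains 'shar'."""
    folder, name = ntpath.split(path)
    components = [c.lower() for c in folder.split("\\") if c]
    return name.lower() in DROP_NAMES and any("shar" in c for c in components)

def is_system_folder_copy(path, system_dir=r"C:\WINDOWS\system32"):
    """True when the path is the worm's copy in the system folder (system_dir is an assumed default)."""
    return ntpath.normcase(path) == ntpath.normcase(ntpath.join(system_dir, WORM_FILENAME))

def has_run_key_persistence(run_values):
    """run_values maps value name to data, as read from the CurrentVersion Run key."""
    return any(name.lower() == WORM_FILENAME and data.strip().lower() == WORM_FILENAME
               for name, data in run_values.items())

def triage(paths, run_values):
    """Return (indicator, evidence) pairs for each Bagle-AA trait present in the inputs."""
    findings = []
    for p in paths:
        if is_system_folder_copy(p):
            findings.append(("system_copy", p))
        elif is_share_folder_drop(p):
            findings.append(("share_drop", p))
    if has_run_key_persistence(run_values):
        findings.append(("run_key", WORM_FILENAME))
    return findings

# Constructed sample input: a directory listing and Run-key contents of a hypothetical host.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\drvddll.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\Serials.txt.exe",
    r"D:\shared\Opera 8 New!.exe",
    r"C:\Users\alice\Documents\Serials.txt.exe",  # known name, but no "shar" folder: not flagged
    r"C:\Program Files\Shared Tools\notes.txt",    # "shar" folder, but an ordinary file: not flagged
]
SAMPLE_RUN_VALUES = {"drvddll.exe": "drvddll.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
```

Calling `triage(SAMPLE_PATHS, SAMPLE_RUN_VALUES)` flags the system copy, the two share-folder drops and the Run value, and ignores the two decoy entries.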
W32/Bagle-AA attempts to terminate the following processes:
An extensive list follows, which can be found at: http://www.sophos.com/virusinfo/analyses/w32bagleaa.html