
Author Topic: W32/Bagle-AA  (Read 659 times)

Offline Clive

  • Administrator
  • *****
  • Posts: 74245
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
W32/Bagle-AA
« on: May 07, 2004, 14:21 »
Aliases
Win32/Bagle.AB, WORM_BAGLE.Z, I-Worm.Bagle.z

Type
Win32 worm
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-AA is a member of the W32/Bagle family of worms.
When first run W32/Bagle-AA will display a fake error message containing the text "Can't find a viewer associated with the file".

W32/Bagle-AA copies itself to the Windows system folder with the filename drvddll.exe and then runs the worm from that location.

The email sent by the worm may use one of the following subject lines:

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
New changes
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

The following registry entry is created so that the worm is run when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvddll.exe = drvddll.exe

W32/Bagle-AA scans all fixed drives recursively for WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files, extracts email addresses from them and uses those addresses for the mass mailing component of the worm.

The worm will create copies of itself with the following filenames in folders that contain the string "shar" in their name:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

W32/Bagle-AA attempts to terminate the following processes:

An enormous list follows, which can be found at:

http://www.sophos.com/virusinfo/analyses/w32bagleaa.html
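Added example, not part of the Sophos analysis or this thread: a Python check for the persistence and share-folder indicators listed above, run over constructed sample data (a .reg export of the Run key and a file inventory), so it can be tried offline.

```python
import re
from pathlib import PureWindowsPath
# Indicators taken from the description above (lure names are a lower-cased subset).
DROPPED_FILE = "drvddll.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
LURE_NAMES = {
    "acdsee 9.exe", "adobe photoshop 9 full.exe", "ahead nero 7.exe", "kav 5.0",
    "serials.txt.exe", "windows sourcecode update.doc.exe", "porno screensaver.scr",
}

def parse_reg_values(reg_text, key):
    """Return {value_name: data} for one key in a regedit (.reg) export."""
    values, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # start of a new key section
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line)
        if m and current and current.lower() == key.lower():
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")  # un-escape backslashes
    return values

def check_run_values(run_values):
    """Flag Run entries that launch the worm's dropped copy."""
    return [f"{RUN_KEY}\\{n} = {d}" for n, d in run_values.items()
            if n.lower() == DROPPED_FILE or d.lower().endswith(DROPPED_FILE)]

def check_paths(paths):
    """Flag the dropped copy in the system folder and lure copies in 'shar' folders."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name, folder = wp.name.lower(), wp.parent.name.lower()
        if name == DROPPED_FILE and folder in ("system32", "system"):
            hits.append(("dropped_copy", p))
        elif name in LURE_NAMES and "shar" in folder:
            hits.append(("share_lure", p))
    return hits

# Constructed sample data (not from a real host): a .reg export and a file inventory.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"drvddll.exe"="drvddll.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\drvddll.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\Serials.txt.exe",
    r"C:\Downloads\ACDSee 9.exe",  # lure name, but not inside a 'shar' folder
]
```

On a real machine the inputs would come from `reg export` of the Run key and a recursive directory listing; the lure-name match is deliberately exact, so renamed copies need the full Sophos list or a file-hash check.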

Offline Tony

  • Loyal Member
  • *****
  • Posts: 3367
    • http://www.sugrue.ndo.co.uk
Re:W32/Bagle-AA
« Reply #1 on: May 14, 2004, 00:57 »
I had three of these today, two from the same source, mind, "City Index" of all people, not that I use them, mind. But they should know better, being in the financial services sector.

And one from a girl called Jessica, nice photo, s**t attachment   ;D

Things must be really bad out there, if I'm getting virus attacks.
Atheism is a non-prophet organization.

