Win32/Bagle [Threat Name]

Win32/Bagle.AS [Threat Variant Name]

Category worm
Detection created Oct 29, 2004
Detection database version 1688
Short description

Win32/Bagle.AS is a worm that spreads via e-mail and shared folders.

Installation

When executed, the worm copies itself into the %system% folder using the following names:

  • wingo.exe
  • wingo.exeopen
  • wingo.exeopenopen

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "wingo"="C:\WINNT\system32\wingo.exe"

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .wab
  • .txt
  • .msg
  • .htm
  • .shtm
  • .stm
  • .xml
  • .dbx
  • .mbx
  • .mdx
  • .eml
  • .nch
  • .mmf
  • .ods
  • .cfg
  • .asp
  • .php
  • .pl
  • .wsh
  • .adb
  • .tbb
  • .sht
  • .xls
  • .oft
  • .uin
  • .cgi
  • .mht
  • .dhtm
  • .jsp

Addresses containing the following strings are avoided:

  • @avp.
  • @foo
  • @hotmail
  • @iana
  • @messagelab
  • @microsoft
  • @msn
  • abuse
  • admin
  • anyone@
  • bsd
  • bugs@
  • cafee
  • certific
  • contract@
  • f-secur
  • feste
  • free-av
  • gold-certs@
  • google
  • help@
  • icrosoft
  • info@
  • kasp
  • linux
  • listserv
  • local
  • news
  • nobody@
  • noone@
  • noreply
  • ntivi
  • panda
  • pgp
  • postmaster@
  • rating@
  • root@
  • samples
  • sopho
  • spam
  • support
  • unix
  • update
  • winrar
  • winzip

Subject of the message is one of the following:

  • Re:
  • Re: Hello
  • Re: Thank you!
  • Re: Thanks :)
  • Re: Hi

Body of the message is one of the following:

  • :)
  • :))

The attachment is an executable of the worm. Its filename is one of the following:

  • Price
  • price
  • Joke

The filename has one of the following extensions:

  • .exe
  • .scr
  • .com
  • .cpl
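
The message template and the harvesting exclusions above, as an added example that is not part of the threat description: a Python mail-gateway check that flags a message matching the Bagle.AS subject, body and attachment template, plus a helper that applies the avoid list to addresses found in a text file so you can see which of your addresses the worm would keep as targets. Everything in it is either quoted from the description or an assumption of the example: the two sample messages and the sample contact text are constructed, case-insensitive matching of the avoid strings and of the attachment extension is this example's choice (the description does not say how the worm compares them), and the attachment stems are matched exactly as listed.

```python
from __future__ import annotations

import email
import ntpath
import re
from email import policy

# Strings quoted from the description: addresses containing any of them are skipped.
AVOID_SUBSTRINGS = (
    "@avp.", "@foo", "@hotmail", "@iana", "@messagelab", "@microsoft", "@msn",
    "abuse", "admin", "anyone@", "bsd", "bugs@", "cafee", "certific", "contract@",
    "f-secur", "feste", "free-av", "gold-certs@", "google", "help@", "icrosoft",
    "info@", "kasp", "linux", "listserv", "local", "news", "nobody@", "noone@",
    "noreply", "ntivi", "panda", "pgp", "postmaster@", "rating@", "root@",
    "samples", "sopho", "spam", "support", "unix", "update", "winrar", "winzip",
)
# Message template quoted from the description.
SUBJECTS = frozenset({"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"})
BODIES = frozenset({":)", ":))"})
ATTACHMENT_STEMS = frozenset({"Price", "price", "Joke"})
ATTACHMENT_EXTS = frozenset({".exe", ".scr", ".com", ".cpl"})

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def worm_would_target(address: str) -> bool:
    """False if the address contains any avoid-list string.
    Case-insensitive comparison is an assumption of this example."""
    lowered = address.lower()
    return not any(s in lowered for s in AVOID_SUBSTRINGS)


def harvest(text: str) -> list[str]:
    """Addresses in a harvested file's text that the worm would keep as targets."""
    found = {m.group(0) for m in ADDRESS_RE.finditer(text)}
    return sorted(a for a in found if worm_would_target(a))


def match_bagle_as(raw: bytes) -> list[str]:
    """Template features of a raw RFC 822 message that match Bagle.AS."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = ntpath.splitext(name)  # Windows-style split, works on any OS
        if stem in ATTACHMENT_STEMS and ext.lower() in ATTACHMENT_EXTS:
            hits.append(f"attachment:{name}")
    return hits


def is_bagle_as(raw: bytes) -> bool:
    """Require all three features; a lone 'Re:' subject is not evidence."""
    hits = match_bagle_as(raw)
    return "subject" in hits and "body" in hits and any(h.startswith("attachment:") for h in hits)


# Constructed sample messages (not real captures); the attachment bytes are dummies.
SAMPLE_WORM_MAIL = b"""From: alice@example.net
To: bob@example.org
Subject: Re: Thanks :)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bagle-sample"

--bagle-sample
Content-Type: text/plain; charset="us-ascii"

:)
--bagle-sample
Content-Type: application/octet-stream; name="price.scr"
Content-Disposition: attachment; filename="price.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--bagle-sample--
"""

SAMPLE_BENIGN_MAIL = b"""From: carol@example.com
To: bob@example.org
Subject: Re: Thanks :)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="benign-sample"

--benign-sample
Content-Type: text/plain; charset="us-ascii"

Thanks, the report is attached.
--benign-sample
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--benign-sample--
"""

# Constructed contact text standing in for a harvested .txt file.
SAMPLE_HARVEST_TEXT = """Contacts: alice@example.net, root@example.org, support@vendor.example,
bob@hotmail.com, dave@corp.example, helpdesk@corp.example (use help@ alias)"""

if __name__ == "__main__":
    print("worm mail matches:", match_bagle_as(SAMPLE_WORM_MAIL))
    print("benign mail matches:", match_bagle_as(SAMPLE_BENIGN_MAIL))
    print("addresses the worm would target:", harvest(SAMPLE_HARVEST_TEXT))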

Spreading via shared folders

The worm searches for various shared folders.
The executables of the worm are copied there using the following names:

  • wingo.exe
  • wingo.exeopen
  • wingo.exeopenopen

Other information

The following programs are terminated:

  • alogserv.exe
  • APVXDWIN.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • Avconsol.exe
  • AVENGINE.EXE
  • AVPUPD.EXE
  • Avsynmgr.exe
  • AVWUPD32.EXE
  • AVXQUAR.EXE
  • bawindo.exe
  • blackd.exe
  • ccApp.exe
  • ccEvtMgr.exe
  • ccProxy.exe
  • ccPxySvc.exe
  • CFIAUDIT.EXE
  • DefWatch.exe
  • DRWEBUPW.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • FIREWALL.EXE
  • FrameworkService.exe
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • LUALL.EXE
  • LUCOMS~1.EXE
  • mcagent.exe
  • mcshield.exe
  • MCUPDATE.EXE
  • mcvsescn.exe
  • mcvsrte.exe
  • mcvsshld.exe
  • navapsvc.exe
  • navapw32.exe
  • NISUM.EXE
  • nopdb.exe
  • NPROTECT.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • PavFires.exe
  • pavProxy.exe
  • pavsrv50.exe
  • Rtvscan.exe
  • RuLaunch.exe
  • SAVScan.exe
  • SHSTAT.EXE
  • SNDSrvc.exe
  • symlcsvc.exe
  • UPDATE.EXE
  • UpdaterUI.exe
  • Vshwin32.exe
  • VsStat.exe
  • VsTskMgr.exe

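The host-side indicators from the Installation, Spreading via shared folders and Other information sections, as an added triage example that is not part of the threat description: a Python check that reports worm copies in %system% and on shares, the HKCU Run persistence value, and security processes from the kill list that should be running but are not. The HostSnapshot structure and the demo data are constructed for the example; on a live Windows host you would fill it from a listing of the %system% directory, the values under the Run key and the process list. Treating the absence of a kill-list process as a possible termination is this example's heuristic, not a claim made by the description.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Indicators quoted from the threat description.
WORM_FILENAMES = frozenset({"wingo.exe", "wingo.exeopen", "wingo.exeopenopen"})
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "wingo"
KILL_LIST = frozenset(n.lower() for n in (
    "alogserv.exe", "APVXDWIN.EXE", "ATUPDATER.EXE", "AUPDATE.EXE", "AUTODOWN.EXE",
    "AUTOTRACE.EXE", "AUTOUPDATE.EXE", "Avconsol.exe", "AVENGINE.EXE", "AVPUPD.EXE",
    "Avsynmgr.exe", "AVWUPD32.EXE", "AVXQUAR.EXE", "bawindo.exe", "blackd.exe",
    "ccApp.exe", "ccEvtMgr.exe", "ccProxy.exe", "ccPxySvc.exe", "CFIAUDIT.EXE",
    "DefWatch.exe", "DRWEBUPW.EXE", "ESCANH95.EXE", "ESCANHNT.EXE", "FIREWALL.EXE",
    "FrameworkService.exe", "ICSSUPPNT.EXE", "ICSUPP95.EXE", "LUALL.EXE", "LUCOMS~1.EXE",
    "mcagent.exe", "mcshield.exe", "MCUPDATE.EXE", "mcvsescn.exe", "mcvsrte.exe",
    "mcvsshld.exe", "navapsvc.exe", "navapw32.exe", "NISUM.EXE", "nopdb.exe",
    "NPROTECT.EXE", "NUPGRADE.EXE", "OUTPOST.EXE", "PavFires.exe", "pavProxy.exe",
    "pavsrv50.exe", "Rtvscan.exe", "RuLaunch.exe", "SAVScan.exe", "SHSTAT.EXE",
    "SNDSrvc.exe", "symlcsvc.exe", "UPDATE.EXE", "UpdaterUI.exe", "Vshwin32.exe",
    "VsStat.exe", "VsTskMgr.exe",
))


@dataclass
class HostSnapshot:
    """Facts collected from a host (structure assumed by this example)."""
    system_dir: str                          # resolved %system%, e.g. C:\WINNT\system32
    system_dir_files: list[str]              # file names present in system_dir
    run_values: dict[str, str]               # value name -> data under HKCU ...\Run
    share_files: dict[str, list[str]]        # share path -> file names present there
    running_processes: list[str]             # image names currently running
    expected_security_processes: list[str]   # security images that should be running


def _is_worm_name(name: str) -> bool:
    return name.lower() in WORM_FILENAMES


def triage(snap: HostSnapshot) -> list[str]:
    """Return one finding per Bagle.AS indicator present in the snapshot."""
    findings: list[str] = []
    # Installation: copies under %system% (Windows file names are case-insensitive).
    for name in snap.system_dir_files:
        if _is_worm_name(name):
            findings.append(f"worm copy: {ntpath.join(snap.system_dir, name)}")
    # Persistence: the "wingo" Run value, or any Run value whose data names a worm file.
    for value, data in snap.run_values.items():
        target = ntpath.basename(data.strip().strip('"'))
        if value.lower() == RUN_VALUE_NAME or _is_worm_name(target):
            findings.append(f'persistence: {RUN_KEY}\\{value} = "{data}"')
    # Spreading via shared folders: the same three file names on a share.
    for share, names in snap.share_files.items():
        for name in names:
            if _is_worm_name(name):
                findings.append(f"share copy: {ntpath.join(share, name)}")
    # Other information: a kill-list product that is expected but not running.
    # Reading its absence as a possible termination is this example's heuristic.
    running = {p.lower() for p in snap.running_processes}
    for image in snap.expected_security_processes:
        if image.lower() in KILL_LIST and image.lower() not in running:
            findings.append(f"kill-list process not running: {image}")
    return findings


def demo_snapshot() -> HostSnapshot:
    """Constructed sample data, not taken from a real host."""
    return HostSnapshot(
        system_dir=r"C:\WINNT\system32",
        system_dir_files=["kernel32.dll", "WINGO.EXE", "wingo.exeopen", "notepad.exe"],
        run_values={"wingo": r"C:\WINNT\system32\wingo.exe",
                    "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe"},
        share_files={r"\\FILESRV\public": ["report.doc", "wingo.exeopenopen"]},
        running_processes=["explorer.exe", "navapsvc.exe", "WINGO.EXE"],
        expected_security_processes=["navapsvc.exe", "mcshield.exe", "ccApp.exe"],
    )


if __name__ == "__main__":
    for line in triage(demo_snapshot()):
        print(line)
```

The Run-key check matches on either the value name or the target file name, so a renamed value that still launches wingo.exe is caught; the empty-snapshot case returns no findings rather than failing.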