Win32/Bagle [Threat Name]
Win32/Bagle.AS [Threat Variant Name]
Category: worm
Short description
Win32/Bagle.AS is a worm that spreads via e-mail and shared folders.
Installation
When executed, the worm copies itself into the %system% folder using the following names:
- wingo.exe
- wingo.exeopen
- wingo.exeopenopen
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "wingo"="C:\WINNT\system32\wingo.exe"
Spreading via e-mail
The worm harvests e-mail addresses for further spreading from local files with one of the following extensions:
- .wab
- .txt
- .msg
- .htm
- .shtm
- .stm
- .xml
- .dbx
- .mbx
- .mdx
- .eml
- .nch
- .mmf
- .ods
- .cfg
- .asp
- .php
- .pl
- .wsh
- .adb
- .tbb
- .sht
- .xls
- .oft
- .uin
- .cgi
- .mht
- .dhtm
- .jsp
Addresses containing the following strings are avoided:
- @avp.
- @foo
- @hotmail
- @iana
- @messagelab
- @microsoft
- @msn
- abuse
- admin
- anyone@
- bsd
- bugs@
- cafee
- certific
- contract@
- f-secur
- feste
- free-av
- gold-certs@
- help@
- icrosoft
- info@
- kasp
- linux
- listserv
- local
- news
- nobody@
- noone@
- noreply
- ntivi
- panda
- pgp
- postmaster@
- rating@
- root@
- samples
- sopho
- spam
- support
- unix
- update
- winrar
- winzip
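The harvesting step above (read files with the listed extensions, extract addresses, discard any address containing one of the avoided substrings) as a runnable model. This is an added example, not code from the original page or from any vendor; the sample file contents are constructed, and the case-insensitive comparison and the lower-casing used for de-duplication are assumptions, since the page does not say how the worm compares strings.

```python
"""Model of the Bagle.AS address-harvesting and filtering logic."""
import re

# Extensions of the files the worm reads (from the list above).
HARVEST_EXTENSIONS = (
    ".wab", ".txt", ".msg", ".htm", ".shtm", ".stm", ".xml", ".dbx",
    ".mbx", ".mdx", ".eml", ".nch", ".mmf", ".ods", ".cfg", ".asp",
    ".php", ".pl", ".wsh", ".adb", ".tbb", ".sht", ".xls", ".oft",
    ".uin", ".cgi", ".mht", ".dhtm", ".jsp",
)

# Substrings that exclude an address (from the list above).
AVOID_SUBSTRINGS = (
    "@avp.", "@foo", "@hotmail", "@iana", "@messagelab", "@microsoft",
    "@msn", "abuse", "admin", "anyone@", "bsd", "bugs@", "cafee",
    "certific", "contract@", "f-secur", "feste", "free-av",
    "gold-certs@", "help@", "icrosoft", "info@", "kasp", "linux",
    "listserv", "local", "news", "nobody@", "noone@", "noreply",
    "ntivi", "panda", "pgp", "postmaster@", "rating@", "root@",
    "samples", "sopho", "spam", "support", "unix", "update",
    "winrar", "winzip",
)

# Loose address pattern; sufficient for text, HTML and mailbox files.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def is_harvested_file(name):
    """True if the file name carries one of the scanned extensions."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in HARVEST_EXTENSIONS)


def is_avoided(address):
    """True if the address contains an avoided substring (case-insensitive: assumption)."""
    lower = address.lower()
    return any(s in lower for s in AVOID_SUBSTRINGS)


def harvest(files):
    """files: {file name: text}. Return sorted, de-duplicated target addresses.

    Addresses are lower-cased for de-duplication (assumption, not from the page).
    """
    targets = set()
    for name, text in files.items():
        if not is_harvested_file(name):
            continue
        for addr in ADDRESS_RE.findall(text):
            if not is_avoided(addr):
                targets.add(addr.lower())
    return sorted(targets)


# Constructed sample files (not real data).
SAMPLE_FILES = {
    "contacts.txt": "alice@example.com, Bob.Jones@example.org, alice@example.com",
    "page.htm": '<a href="mailto:support@example.com">help</a> frank@example.com',
    "inbox.dbx": "From: root@example.net\nTo: carol@msn.com, erin@avp.ru, dave@hotmail.com",
    "data.xml": "<c>newsletter@example.com</c><c>grace@example.co.uk</c>",
    "archive.zip": "ghost@example.com",  # extension not on the list: never read
}

if __name__ == "__main__":
    for addr in harvest(SAMPLE_FILES):
        print(addr)
```

Of the ten addresses in the samples only four survive: `support@`, `root@`, `@msn`, `@avp.`, `@hotmail` and the `news` in `newsletter@` each trip an exclusion, and the `.zip` file is never opened. The exclusion list is what keeps the worm's mail away from abuse desks, vendor sample addresses and mailing-list software, which is why a honeypot address at such a domain would see none of it.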
Subject of the message is one of the following:
- Re:
- Re: Hello
- Re: Thank you!
- Re: Thanks :)
- Re: Hi
Body of the message is one of the following:
- :)
- :))
The attachment is an executable of the worm. Its filename is one of the following:
- Price
- price
- Joke
The filename has one of the following extensions:
- .exe
- .scr
- .com
- .cpl
Spreading via shared folders
The worm searches for various shared folders.
The executables of the worm are copied there using the following names:
- wingo.exe
- wingo.exeopen
- wingo.exeopenopen
Other information
The worm terminates running processes with the following image names (antivirus, firewall and update components):
- alogserv.exe
- APVXDWIN.EXE
- ATUPDATER.EXE
- AUPDATE.EXE
- AUTODOWN.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- Avconsol.exe
- AVENGINE.EXE
- AVPUPD.EXE
- Avsynmgr.exe
- AVWUPD32.EXE
- AVXQUAR.EXE
- bawindo.exe
- blackd.exe
- ccApp.exe
- ccEvtMgr.exe
- ccProxy.exe
- ccPxySvc.exe
- CFIAUDIT.EXE
- DefWatch.exe
- DRWEBUPW.EXE
- ESCANH95.EXE
- ESCANHNT.EXE
- FIREWALL.EXE
- FrameworkService.exe
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- LUALL.EXE
- LUCOMS~1.EXE
- mcagent.exe
- mcshield.exe
- MCUPDATE.EXE
- mcvsescn.exe
- mcvsrte.exe
- mcvsshld.exe
- navapsvc.exe
- navapw32.exe
- NISUM.EXE
- nopdb.exe
- NPROTECT.EXE
- NUPGRADE.EXE
- OUTPOST.EXE
- PavFires.exe
- pavProxy.exe
- pavsrv50.exe
- Rtvscan.exe
- RuLaunch.exe
- SAVScan.exe
- SHSTAT.EXE
- SNDSrvc.exe
- symlcsvc.exe
- UPDATE.EXE
- UpdaterUI.exe
- Vshwin32.exe
- VsStat.exe
- VsTskMgr.exe
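A host triage check that ties the installation indicators (dropped file names, Run key value) and the process-termination list together. This is an added example, not code from the original page or from any vendor: it parses the text that `reg query`, `dir` and `tasklist` print on a Windows host and reports which indicators are present. The three captures are constructed for the example; the only assumption beyond the page is the column layout of those commands, and the whitespace-based parsers are not meant for file names containing spaces.

```python
"""Triage of Bagle.AS indicators from reg query, dir and tasklist output."""

WORM_FILES = {"wingo.exe", "wingo.exeopen", "wingo.exeopenopen"}
RUN_VALUE_NAME = "wingo"

# Image names the worm terminates (from the list above), lower-cased.
KILLED = {name.lower() for name in """
alogserv.exe APVXDWIN.EXE ATUPDATER.EXE AUPDATE.EXE AUTODOWN.EXE
AUTOTRACE.EXE AUTOUPDATE.EXE Avconsol.exe AVENGINE.EXE AVPUPD.EXE
Avsynmgr.exe AVWUPD32.EXE AVXQUAR.EXE bawindo.exe blackd.exe ccApp.exe
ccEvtMgr.exe ccProxy.exe ccPxySvc.exe CFIAUDIT.EXE DefWatch.exe
DRWEBUPW.EXE ESCANH95.EXE ESCANHNT.EXE FIREWALL.EXE FrameworkService.exe
ICSSUPPNT.EXE ICSUPP95.EXE LUALL.EXE LUCOMS~1.EXE mcagent.exe mcshield.exe
MCUPDATE.EXE mcvsescn.exe mcvsrte.exe mcvsshld.exe navapsvc.exe
navapw32.exe NISUM.EXE nopdb.exe NPROTECT.EXE NUPGRADE.EXE OUTPOST.EXE
PavFires.exe pavProxy.exe pavsrv50.exe Rtvscan.exe RuLaunch.exe
SAVScan.exe SHSTAT.EXE SNDSrvc.exe symlcsvc.exe UPDATE.EXE UpdaterUI.exe
Vshwin32.exe VsStat.exe VsTskMgr.exe
""".split()}


def run_key_hits(reg_output):
    """Values under the Run key named 'wingo' or pointing at \\wingo.exe.

    `reg query` prints one value per line as: name  type  data.
    """
    hits = []
    for line in reg_output.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) != 3 or not parts[1].startswith("REG_"):
            continue
        name, _, data = parts
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith("\\wingo.exe"):
            hits.append((name, data))
    return hits


def worm_files_in_listing(dir_output):
    """File names from a `dir` listing that match the three drop names."""
    found = []
    for line in dir_output.splitlines():
        parts = line.split()
        if parts and parts[-1].lower() in WORM_FILES:
            found.append(parts[-1])
    return found


def running_images(tasklist_output):
    """First column of `tasklist` output, lower-cased."""
    return {line.split()[0].lower()
            for line in tasklist_output.splitlines() if line.split()}


def triage(reg_output, dir_output, tasklist_output, expected_security_images):
    """Combine the checks; expected_security_images lists the security
    software image names that normally run on this host."""
    running = running_images(tasklist_output)
    return {
        "run_key": run_key_hits(reg_output),
        "files": worm_files_in_listing(dir_output),
        "worm_running": any(name in running for name in WORM_FILES),
        "security_missing": sorted(
            img for img in expected_security_images
            if img.lower() in KILLED and img.lower() not in running),
    }


# Constructed captures from a hypothetical infected host (not real data).
REG_CAPTURE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINNT\system32\ctfmon.exe
    wingo    REG_SZ    C:\WINNT\system32\wingo.exe
"""
DIR_CAPTURE = r"""
 Directory of C:\WINNT\system32

10/21/2004  03:11 PM            24,576 wingo.exe
10/21/2004  03:11 PM            24,576 wingo.exeopen
08/23/2001  12:00 PM            50,688 notepad.exe
"""
TASKLIST_CAPTURE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
explorer.exe                   1224 Console                    0     12,340 K
wingo.exe                      1640 Console                    0      3,012 K
"""

if __name__ == "__main__":
    print(triage(REG_CAPTURE, DIR_CAPTURE, TASKLIST_CAPTURE,
                 ["ccApp.exe", "ccEvtMgr.exe", "navapsvc.exe"]))
```

The `security_missing` check only makes sense against what the host is known to run: an absent `mcshield.exe` on a machine that never had McAfee installed is not an indicator, so the caller supplies the expected list rather than the script reporting every name on the kill list as missing.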