Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Bagle.B
Win32/Bagle.B is a worm that spreads as an e-mail file attachment. It runs on Windows 95/98/Me/2000/XP and Windows Server 2003. Its body is compressed with the UPX packer. The file name is random and carries an .exe extension. Compressed, the file is 11264 bytes; after decompression it grows to about 53 KB. The sender address is a random e-mail address, so it is not the address of the infected user who is actually spreading the worm. The worm arrives in a message with the following subject:
ID * ... thanks
where "*" stands for a random string generated by the worm. The message body reads:
Yours ID *
--
Thank
where "*" again stands for a random string generated by the worm. The attached file also has a random name.
Note: In the following text the placeholder %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory inside %windir% is referred to as %system%.
The worm copies itself into the Windows system directory as au.exe and registers itself for automatic start through the following registry value:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "au.exe" = "%system%\au.exe"
Under the key HKEY_CURRENT_USER\SOFTWARE\Windows2000 it creates a value named gid.
The worm installs a backdoor into the system and then spreads via e-mail. It harvests addresses for its spreading from files with the extensions .wab, .txt, .htm and .html, skipping any address that contains one of the strings "@hotmail.com", "@msn.com", "@microsoft" or "@avp".
The worm is also capable of downloading an executable file from the Internet and running it on the infected computer. For this it connects to the following web sites:
http://www.47df.de/wbboard/1.php
http://www.strato.de/1.php
http://intern.games-ring.de/1.php
http://www.strato.de/2.php
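The description above gives a defender several host- and mail-side indicators: the Run value "au.exe", the "gid" marker under HKEY_CURRENT_USER\SOFTWARE\Windows2000, the 11264-byte .exe attachment, the fixed subject and body pattern, and the four download URLs. The following Python script, an added example that is not ESET's code, turns those indicators into offline checks over a registry export, a mail message and proxy log lines. The sample registry export, message and log lines are constructed for the demonstration; the indicator values themselves are taken only from the description.

```python
"""Offline indicator checks for Win32/Bagle.B (added example, not ESET code).

Indicators come from the description above: the Run value "au.exe", the "gid"
marker under HKCU\\SOFTWARE\\Windows2000, an .exe attachment of 11264 bytes,
the "ID <random> ... thanks" subject, the "Yours ID <random> / -- / Thank"
body and the four download URLs. All sample inputs below are constructed.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "au.exe"
MARKER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Windows2000"
MARKER_VALUE = "gid"
PACKED_SIZE = 11264
DOWNLOAD_URLS = {
    "http://www.47df.de/wbboard/1.php",
    "http://www.strato.de/1.php",
    "http://intern.games-ring.de/1.php",
    "http://www.strato.de/2.php",
}
SUBJECT_RE = re.compile(r"^ID\s+\S+\s*\.\.\.\s*thanks$", re.IGNORECASE)
BODY_RE = re.compile(r"^Yours ID\s+\S+\s*\n--\s*\nThank\s*$", re.IGNORECASE)


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: string_data}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape backslashes as "\\"
                result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def registry_findings(reg_text):
    """Return the persistence and marker indicators present in a .reg export."""
    reg = parse_reg_export(reg_text)
    hits = []
    run = reg.get(RUN_KEY, {})
    if RUN_VALUE in run and run[RUN_VALUE].lower().endswith("\\au.exe"):
        hits.append(f"Run value {RUN_VALUE!r} -> {run[RUN_VALUE]}")
    if MARKER_VALUE in reg.get(MARKER_KEY, {}):
        hits.append(f"marker value {MARKER_VALUE!r} under {MARKER_KEY}")
    return hits


def message_findings(subject, body, attachment_name, attachment_size):
    """Return the mail-side indicators matched by one message."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject matches 'ID <random> ... thanks'")
    if BODY_RE.match(body.strip()):
        hits.append("body matches 'Yours ID <random> / -- / Thank'")
    if attachment_name.lower().endswith(".exe") and attachment_size == PACKED_SIZE:
        hits.append(f".exe attachment of exactly {PACKED_SIZE} bytes")
    return hits


def proxy_findings(log_lines):
    """Return proxy log lines that request one of the listed download URLs."""
    return [ln for ln in log_lines if any(url in ln for url in DOWNLOAD_URLS)]


# Constructed sample inputs (not real captures).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"au.exe"="C:\\WINDOWS\\System32\\au.exe"

[HKEY_CURRENT_USER\SOFTWARE\Windows2000]
"gid"="12345678"
"""
SAMPLE_SUBJECT = "ID h4k2jd9 ... thanks"
SAMPLE_BODY = "Yours ID h4k2jd9\n--\nThank\n"
SAMPLE_ATTACHMENT = ("qx7wpl.exe", 11264)
SAMPLE_PROXY = [
    "10.0.0.5 GET http://www.strato.de/1.php 200",
    "10.0.0.7 GET http://www.example.com/index.html 200",
]


def demo():
    """Run all three checks over the constructed samples."""
    return {
        "registry": registry_findings(SAMPLE_REG),
        "message": message_findings(SAMPLE_SUBJECT, SAMPLE_BODY, *SAMPLE_ATTACHMENT),
        "proxy": proxy_findings(SAMPLE_PROXY),
    }


if __name__ == "__main__":
    for source, hits in demo().items():
        print(source, hits)
```

The registry check is the most durable of the three, since the subject string and attachment size are trivial for a later variant to change, while the Run value and the Windows2000\gid marker are what an incident responder would look for on a host suspected of infection.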
Win32/Bagle.B is one of a long series of worms that NOD32 detects using its "Advanced Heuristics", which means that all NOD32 users were protected against this worm from the moment it was released in the wild. Sample-based detection of Win32/Bagle.B was added in version 1.626.
1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

