Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Bagle.A

Win32/Bagle.A is a worm that spreads as an e-mail attachment. Its body is not compressed; the file has a random name with the "exe" extension and its size is 15872 bytes. The sender address is a random e-mail address, so it is not the address of the infected computer that actually sent the message. The worm arrives with the Subject line "Hi". The body contains the following text:

Test =)
amjscyqovdejfpxt
--
Test, yep.

The string on the second line is random and changes each time the worm sends itself. The icon of the attached file is a calculator, and when it is opened it launches the system calculator (calc.exe) in addition to its harmful activity. The worm is active only if the system date is set prior to January 28th, 2004. The worm copies itself to disk under the file name "bbeagle.exe".
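The message characteristics above (fixed subject, fixed body template around a random line, a randomly named .exe of exactly 15872 bytes) are enough for a mail-gateway check. The following is an added example written for this entry, not ESET's or NOD32's code: it constructs a sample message with those characteristics (the attachment is an inert placeholder of the right size, not the worm), parses it with Python's standard `email` package, and reports which indicators match. The function and variable names and the sample addresses are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the encyclopedia entry above.
BAGLE_A_SUBJECT = "Hi"
BAGLE_A_BODY_HEAD = "Test =)"
BAGLE_A_BODY_SEPARATOR = "--"
BAGLE_A_BODY_TAIL = "Test, yep."
BAGLE_A_ATTACHMENT_SIZE = 15872


def build_sample_message(random_token="amjscyqovdejfpxt", attachment_name="xqzvlkd.exe"):
    """Construct a message with the described characteristics (constructed sample,
    not a real capture). The attachment is inert filler of the right size."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "spoofed.sender@example.com"   # forged sender, as the entry describes
    msg["To"] = "victim@example.com"
    msg["Subject"] = BAGLE_A_SUBJECT
    msg.set_content(f"{BAGLE_A_BODY_HEAD}\n{random_token}\n"
                    f"{BAGLE_A_BODY_SEPARATOR}\n{BAGLE_A_BODY_TAIL}\n")
    filler = b"MZ" + bytes(BAGLE_A_ATTACHMENT_SIZE - 2)   # placeholder bytes only
    msg.add_attachment(filler, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def build_benign_message():
    """A harmless message that happens to share the subject line (constructed)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Hi"
    msg.set_content("Are we still on for lunch?\n")
    return msg.as_bytes()


def bagle_a_indicators(raw):
    """Return the list of Bagle.A indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == BAGLE_A_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        lines = [line.strip() for line in body.get_content().strip().splitlines()]
        # Four lines: fixed head, random token, separator, fixed tail.
        if (len(lines) == 4 and lines[0] == BAGLE_A_BODY_HEAD
                and lines[2] == BAGLE_A_BODY_SEPARATOR and lines[3] == BAGLE_A_BODY_TAIL):
            hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".exe") and len(payload) == BAGLE_A_ATTACHMENT_SIZE:
            hits.append("attachment")
    return hits


def is_bagle_a(raw):
    """Flag a message only when all three indicators line up; the subject "Hi"
    on its own is far too common to act on."""
    return set(bagle_a_indicators(raw)) == {"subject", "body", "attachment"}


if __name__ == "__main__":
    print("sample:", bagle_a_indicators(build_sample_message()))
    print("benign:", bagle_a_indicators(build_benign_message()))
```

A template check like this is cheap to run at the gateway, but it is brittle: the random line and the attachment name change with every message, and later variants of the same family use different templates, so it complements rather than replaces scanning the attachment itself.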

The worm registers itself for automatic start under the following registry key:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe" = " %systemdir% \bbeagle.exe"

It also creates a new key:

[HKEY_CURRENT_USER\Software\Windows98]
"uid"= random number
"frun"=dword:00000001

The worm harvests target addresses from files with the following extensions: wab, txt, htm and html. It skips addresses containing any of the following strings: "@hotmail.com", "@msn.com", "@microsoft", "@avp" and "r1".

The worm is capable of downloading an executable file from the internet and running it on the infected computer. It attempts to connect to the following web sites:

http://www.elrasshop.de/1.php
http://www.it-msc.de/1.php
http://www.getyourfree.net/1.php
http://www.dmdesign.de/1.php
http://64.176.228.13/1.php
http://www.leonzernitsky.com/1.php
http://216.98.136.248/1.php
http://216.98.134.247/1.php
http://www.cdromca.com/1.php
http://www.kunst-in-templin.de/1.php
http://vipweb.ru/1.php
http://antol-co.ru/1.php
http://www.bags-dostavka.mags.ru/1.php
http://www.5x12.ru/1.php
http://bose-audio.net/1.php
http://www.sttngdata.de/1.php
http://wh9.tu-dresden.de/1.php
http://www.micronuke.net/1.php
http://www.stadthagen.org/1.php
http://www.beasty-cars.de/1.php
http://www.polohexe.de/1.php
http://www.bino88.de/1.php
http://www.grefrathpaenz.de/1.php
http://www.bhamidy.de/1.php
http://www.mystic-vws.de/1.php
http://www.auto-hobby-essen.de/1.php
http://www.polozicke.de/1.php
http://www.twr-music.de/1.php
http://www.sc-erbendorf.de/1.php
http://www.montania.de/1.php
http://www.medi-martin.de/1.php
http://vvcgn.de/1.php
http://www.ballonfoto.com/1.php
http://www.marder-gmbh.de/1.php
http://www.dvd-filme.com/1.php
http://www.smeangol.com/1.php
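The registry entries and the download-site list above are the artifacts a responder would sweep for on a suspect host and in proxy logs. The following is an added example written for this entry, not ESET's or NOD32's code: it parses a small registry export in `.reg` format for the Run value and the marker key described above, and matches proxy log lines against the hosts in the list (all of which serve `/1.php`). The registry export, the log lines, the log format, and the function names are constructed assumptions for the example; the indicators themselves are the ones from the entry.

```python
import re
from urllib.parse import urlsplit

# Host-side indicators from the encyclopedia entry.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "d3dupdate.exe"
DROPPED_FILE = "bbeagle.exe"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
MARKER_VALUES = {"uid", "frun"}

# Download sites listed in the entry; every one serves /1.php.
BAGLE_A_URLS = {
    "http://www.elrasshop.de/1.php", "http://www.it-msc.de/1.php",
    "http://www.getyourfree.net/1.php", "http://www.dmdesign.de/1.php",
    "http://64.176.228.13/1.php", "http://www.leonzernitsky.com/1.php",
    "http://216.98.136.248/1.php", "http://216.98.134.247/1.php",
    "http://www.cdromca.com/1.php", "http://www.kunst-in-templin.de/1.php",
    "http://vipweb.ru/1.php", "http://antol-co.ru/1.php",
    "http://www.bags-dostavka.mags.ru/1.php", "http://www.5x12.ru/1.php",
    "http://bose-audio.net/1.php", "http://www.sttngdata.de/1.php",
    "http://wh9.tu-dresden.de/1.php", "http://www.micronuke.net/1.php",
    "http://www.stadthagen.org/1.php", "http://www.beasty-cars.de/1.php",
    "http://www.polohexe.de/1.php", "http://www.bino88.de/1.php",
    "http://www.grefrathpaenz.de/1.php", "http://www.bhamidy.de/1.php",
    "http://www.mystic-vws.de/1.php", "http://www.auto-hobby-essen.de/1.php",
    "http://www.polozicke.de/1.php", "http://www.twr-music.de/1.php",
    "http://www.sc-erbendorf.de/1.php", "http://www.montania.de/1.php",
    "http://www.medi-martin.de/1.php", "http://vvcgn.de/1.php",
    "http://www.ballonfoto.com/1.php", "http://www.marder-gmbh.de/1.php",
    "http://www.dvd-filme.com/1.php", "http://www.smeangol.com/1.php",
}
BAGLE_A_HOSTS = {urlsplit(u).hostname for u in BAGLE_A_URLS}

# Constructed registry export (not from a real infected host): the Bagle.A Run
# value next to a legitimate one, plus the marker key with made-up data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="C:\WINDOWS\SYSTEM32\bbeagle.exe"
"ctfmon.exe"="C:\WINDOWS\SYSTEM32\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"uid"="38274"
"frun"=dword:00000001
"""

# Constructed proxy log lines: date, time, client, method, URL, status.
SAMPLE_LOG = [
    "2004-01-19 10:22:01 10.0.0.5 GET http://www.elrasshop.de/1.php 404",
    "2004-01-19 10:22:02 10.0.0.5 GET http://www.example.com/index.html 200",
    "2004-01-19 10:22:03 10.0.0.9 GET http://216.98.136.248/1.php 200",
]


def parse_reg_export(text):
    """Parse [key] headers and "name"=data lines of a .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys


def registry_hits(reg_text):
    """Report the Run value and marker key described in the entry (keys compared case-insensitively)."""
    hits = []
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE or DROPPED_FILE in data.lower():
            hits.append(f"Run value {name!r} -> {data!r}")
    marker = keys.get(MARKER_KEY.lower())
    if marker is not None and MARKER_VALUES & {n.lower() for n in marker}:
        hits.append(f"marker key {MARKER_KEY} present with values {sorted(marker)}")
    return hits


LOG_URL_RE = re.compile(r"\b(?:GET|POST|CONNECT)\s+(\S+)")


def proxy_hits(log_lines):
    """Return log lines requesting /1.php from any host in the download-site list."""
    hits = []
    for line in log_lines:
        match = LOG_URL_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1).lower())
        if parts.hostname in BAGLE_A_HOSTS and parts.path == "/1.php":
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in registry_hits(SAMPLE_REG) + proxy_hits(SAMPLE_LOG):
        print(hit)
```

Matching on host plus the `/1.php` path rather than the full URL string keeps the check robust to query strings and capitalisation in the log, while still not flagging unrelated pages on the same (mostly legitimate, compromised) sites.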

Win32/Bagle.A is one of a long series of worms that NOD32 detects with its unique "Advanced Heuristics", which means that all NOD32 users were protected against this worm from the moment it was released in the wild. Sample-based detection of Win32/Bagle.A was added in version 1.601.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.