Win32/Bagle.AS is a worm that arrives via email or shared folders. Its size is about 20 kB. The worm will cease functioning after 04/25/2006 or 20 days after its initial installation on a given computer.
Note: In the following text, the symbolic name %windir% is used in place of the name of the directory in which the Windows operating system is installed, which may differ from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.
When executed, the worm will copy itself under the following names into the "system" directory:
To ensure automatic execution on system startup, it adds the following value to the registry:
Several values related to other worms are removed from this Registry key.
The worm tries to stop several anti-virus and firewall applications:
To propagate via shared folders it searches for folders that contain 'shar' in their name and will copy itself there under these file names:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
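For triage, the shared-folder behaviour described above can be turned into a file sweep. The following Python sketch is an added example, not part of the original entry or any ESET tooling; the function name `find_share_lures` is hypothetical, and matching 'shar' and the file names case-insensitively is an assumption, since the entry does not state case sensitivity.

```python
import os
import sys

# File names exactly as listed in the entry, compared case-insensitively (assumption).
LURE_NAMES = {name.lower() for name in (
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe",
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
)}


def find_share_lures(root):
    """Return sorted paths of listed lure files that sit directly inside
    a folder whose own name contains 'shar'."""
    hits = []
    # Unreadable directories are skipped rather than aborting the sweep.
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        folder = os.path.basename(os.path.normpath(dirpath))
        if "shar" not in folder.lower():
            continue
        for fname in filenames:
            if fname.lower() in LURE_NAMES:
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python sweep.py <root directory>; defaults to the current directory.
    for path in find_share_lures(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```

A hit is a lead for further inspection rather than a verdict, since the match is on file name and folder name only.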
To propagate via email it searches files with the following extensions for email addresses:
Addresses containing strings from the list below are avoided:
The worm uses its own routine to mass-mail itself. The messages have one of the following subjects:
Re: Thank you!
Re: Thanks :)
One of the following bodies:
Attachment name is one of the following:
with one of the following extensions:
It uses several icons for the executable and is able to extract icons from executables on local drives. The worm contains a list of 145 links from which it tries to download a file and execute it. At this moment, all of the links are dead. Win32/Bagle.AS contains a backdoor running on TCP port 81.
NOD32 detected this worm using Advanced Heuristics without the need to update the virus database. Sample-based detection of Win32/Bagle.AS has been available since version 1.911.
©1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.