Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Win32/Bagle.B is a worm spreading in the form of an e-mail file attachment. It runs on Windows OS 95/98/Me/2000/XP and 2003 server. Its body is compressed using the UPX utility. The file name is random with " exe " extension. When compressed the file size is 11264 bytes. After decompression the file size increases to 53Kb. The sender address is a random e-mail address, which means it is not the address of the actual infected user spreading the worm. The worm comes in a message with the following subject:ID * ... thanks
Where "*" stands for a random string generated by the worm. The body contains the following message:

Yours ID *

Where "*" stands for a random string generated by the worm. The name of the attached file has a random name too.

Note: In following text a symbolic inscription %windir% is used instead of the name of directory in which Windows operating system is installed. Of course, this may differ from installation to installation. The subdirectory System or System32 placed in %windir% has a name %system%.

The worm copies itself into the Windows system directory as " au.exe ". It registers itself in the registry as follows:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "au.exe" = "%systemdir% \au.exe"

In the key HKEY_CURRENT_USER\SOFTWARE\Windows2000 it creates an entry names gid .

The worm installs a backdoor into the system and them spreads via e-mail. The worm acquires addresses for its spreading from files with the following extensions: wab , txt , htm and  html . It skips the addresses containing the following strings: " ", " ", " @microsoft " and " @avp ".

The worm is capable of downloading an executable file from the internet and run on the infected computer. It connects to the following web sites.

Win32/Bagle.B is one of a long series of worms that NOD32 detects using a unique " Advanced Heuristics ", which means that all NOD32 users are protected against this worm from the time it was released in the wild. The detection of Win32/Bagle.B using sample is added since version 1.626.