WORM_BAGLE.AH

WORM_BAGLE.AH is a new variant of the BAGLE worm that spreads via email and network shares. It affects Windows 95, 98, ME, NT, 2000, and XP. This mass-mailing, memory-resident worm propagates via email using a built-in mailing engine that utilizes Simple Mail Transfer Protocol (SMTP). The email it sends contains the following information:

From: <spoofed>

Subject: Re:

Message body: (any of the following)
• >Animals
• >foto3
• >fotogalary
• >fotoinfo
• >Lovely animals
• >Predators
• >Screen
• >The snake

Attachment: (any of the following)
• Cat
• Cool_MP3
• Dog
• Doll
• Fish
• Garry
• MP3
• Music_MP3
• New_MP3_Player

The attachment can have any of the following extension names:
• .com
• .cpl
• .exe
• .scr
• .zip

This worm also propagates via network shares, but does not deliberately search for all available shared folders. Instead, it searches for local folders with names that contain the character string “shar.” It assumes that these folders are shared and drops a copy of itself into these folders.

This worm is also a backdoor. It opens ports to allow remote communication and awaits and processes predefined commands that are sent through these ports. This backdoor capability allows unauthorized users to access and manipulate infected systems.

This BAGLE variant continues to attack NETSKY worms by deleting registry entries created by members of the NETSKY family. It also terminates security programs.

It has another trait common to different BAGLE variants; a predefined self-termination date. If the system date is May 5, 2006, it stops running and deletes the registry entries that allowed it to automatically run at every Windows startup.

If you would like to scan your computer for WORM_BAGLE.AH or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_BAGLE.AH is detected and cleaned by Trend Micro pattern file #944 and above.