W32/Bagle-O

Discussion in 'malware problems & news' started by Marianna, Mar 15, 2004.

Thread Status:
Not open for further replies.
    Marianna:
    Type: Win32 worm

    Description
    W32/Bagle-O is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk. The worm searches for files with the following extensions:
    WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP.

    When run, the worm copies itself to the Windows system folder using the name winupd.exe.

    Note that W32/Bagle-O is also a parasitic virus which infects EXE files already present on your hard disk (infected files are detected as W32/Bagle-N). If you run an infected program the worm file will reappear, just as if you had opened an infected email attachment. Be sure to replace or to disinfect files infected in this way to prevent winupd.exe from reappearing. (See the Recovery section below.)

    W32/Bagle-O adds the value:

    winupd.exe = <SYSTEM>\winupd.exe

    to the registry entry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    This means that W32/Bagle-O runs every time you log on to your computer.

    W32/Bagle-O avoids email addresses containing the following:


    More: http://www.sophos.com/virusinfo/analyses/w32bagleo.html
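A defender-side check for the Run-key persistence described above, added here as an example (it is not code from the Sophos analysis or from this post): it parses a `.reg` export of the HKCU Run key and flags any value whose name or image file is winupd.exe. The sample export and the function names are constructed for the example.

```python
import ntpath
import re

# Persistence location named in the write-up.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# File name the worm copies itself to in the Windows system folder.
SUSPECT_NAMES = {"winupd.exe"}
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="data"

def _unescape(s):
    """Undo .reg string escaping (double backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export; other types are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def command_image(data):
    """Return the executable path at the start of a Run command line."""
    data = data.strip()
    if data.startswith('"'):  # quoted path, possibly followed by arguments
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""

def find_bagle_persistence(reg_text):
    """Return (value_name, image_path) for Run values whose name or image file is winupd.exe."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() != RUN_KEY.lower():
            continue
        image = ntpath.basename(command_image(data)).lower()
        if name.lower() in SUSPECT_NAMES or image in SUSPECT_NAMES:
            hits.append((name, command_image(data)))
    return hits

# Constructed sample export (shape of `reg export <key> run.reg` output), not real data.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"winupd.exe"="C:\\WINDOWS\\system32\\winupd.exe"
'''
```

Real `reg export` files are written as UTF-16, so open them with `encoding="utf-16"` before passing the text to `find_bagle_persistence`.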