WORM_BAGLE.AD

Discussion in 'malware problems & news' started by Randy_Bell, Jul 9, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell (Registered Member; joined May 24, 2002; 3,004 posts; Santa Clara, CA)

    Please note, this is not a copy-and-paste from Trend's site, but is a synopsis of info from the TrendMicro NewsLetter which I have edited and made as concise as possible:

    WORM_BAGLE.AD is a memory-resident worm that arrives via email (using its own SMTP engine to propagate) and network shares (by dropping copies of itself in folders with the word “shar” in the name). It runs on Windows 95, 98, ME, NT, 2000, and XP, and is currently spreading in the wild.

    Upon execution, it drops copies of itself as the following files in the Windows system folder:
    • loader_name.exe
    • loader_name.exeopen
    • loader_name.exeopenopen
    If the file name is not loader_name.exe, it displays a fake error message. This worm also copies itself to all folders found on fixed drives whose names contain the text string “shar”. It also creates a registry entry that allows it to automatically execute at every system startup. The worm creates this auto-start registry entry in an infinite loop.

    This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate. It searches for email addresses in files with the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS, XML

    It also spoofs the From: field using obtained email addresses.

    The email it sends out has the following details:
    Subject:
    • Changes..
    • Encrypted document
    • Fax Message
    • Forum notify
    • Incoming message
    • Notification
    • Protected message
    • Re: Document
    • Re: Hello
    • Re: Hi
    • Re: Incoming Message
    • RE: Incoming Msg
    • RE: Message Notify
    • Re: Msg reply
    • RE: Protected message
    • RE: Text message
    • Re: Thank you!
    • Re: Thanks :)
    • Re: Yahoo!
    • Site changes
    • Update
    Message body: (any of the following)
    • Attach tells everything.
    • Attached file tells everything.
    • Check attached file for details.
    • Check attached file.
    • Here is the file.
    • Message is in attach
    • More info is in attach
    • Pay attention at the attach.
    • Please, have a look at the attached file.
    • Please, read the document.
    • Read the attach.
    • See attach.
    • See the attached file for details.
    • Your document is attached.
    • Your file is attached.
    Attachment: (any of the following)
    • Details
    • Document
    • Info
    • Information
    • Message
    • MoreInfo
    • Readme
    • text_document
    • Updates
    The email attachment may have any of the following extension names: COM, CPL, EXE, HTA, SCR, VBS, ZIP

    If the email attachment is a password-protected .ZIP file, it may use any of the following email formats:
    Subject:
    • Pass - %password%
    • Password - %password%
    • Password: %password%
    Message body: (any of the following)
    • Archive password: <image password>
    • Attached file is protected with the password for security reasons. Password is <image password>
    • For security purposes the attached file is password protected. Password -- <image password>
    • For security reasons attached file is password protected. The password is <image password>
    • In order to read the attach you have to use the following password: <image password>
    • Note: Use password <image password> to open archive.
    • Password - <image password>
    • Password: <image password>
    The password-protected email attachment contains a copy of this worm and another data file, which may have any of the following extension names: INI, CFG, TXT, VXD, DEF, DLL

    The password-protected email attachment may also contain yet another .ZIP file, SOURCES.ZIP, which contains the worm’s source code.

    This worm's code contains unreferenced text, which places the author in Germany and indicates that the code was written in late April 2004. The following is the actual text:

    In a difficult world
    In a nameless time
    I want to survive
    So, you will be mine!!
    -- Bagle Author, 29.04.04, Germany.

    If you would like to scan your computer for WORM_BAGLE.AD or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_BAGLE.AD is detected and cleaned by Trend Micro pattern file #930 and above.
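As an added, defender-side example (not part of Randy_Bell's post or of Trend Micro's material), the Python below turns the lure strings listed in the post into a simple mail-filter check. It assumes the subject, body text and attachment file names have already been extracted from the message, and that the password placeholder may match any text, including none, because the worm displayed the password as an image rather than as text.

```python
import re
# Lure strings copied from the Trend Micro synopsis of WORM_BAGLE.AD above.
SUBJECTS = {
    "Changes..", "Encrypted document", "Fax Message", "Forum notify", "Incoming message",
    "Notification", "Protected message", "Re: Document", "Re: Hello", "Re: Hi",
    "Re: Incoming Message", "RE: Incoming Msg", "RE: Message Notify", "Re: Msg reply",
    "RE: Protected message", "RE: Text message", "Re: Thank you!", "Re: Thanks :)",
    "Re: Yahoo!", "Site changes", "Update"}
BODIES = {
    "Attach tells everything.", "Attached file tells everything.", "Check attached file for details.",
    "Check attached file.", "Here is the file.", "Message is in attach", "More info is in attach",
    "Pay attention at the attach.", "Please, have a look at the attached file.",
    "Please, read the document.", "Read the attach.", "See attach.",
    "See the attached file for details.", "Your document is attached.", "Your file is attached."}
ATTACH_NAMES = {"Details", "Document", "Info", "Information", "Message", "MoreInfo",
                "Readme", "text_document", "Updates"}
ATTACH_EXTS = {"com", "cpl", "exe", "hta", "scr", "vbs", "zip"}
# Password-protected ZIP variant. The worm showed the password as an image, so the
# "<image password>" placeholder is allowed to match any text, including none (assumption).
PASS_SUBJECT = re.compile(r"^(Pass - |Password - |Password: ).+$")
PASS_BODY_TEMPLATES = [
    "Archive password: <image password>",
    "Attached file is protected with the password for security reasons. Password is <image password>",
    "For security purposes the attached file is password protected. Password -- <image password>",
    "For security reasons attached file is password protected. The password is <image password>",
    "In order to read the attach you have to use the following password: <image password>",
    "Note: Use password <image password> to open archive.",
    "Password - <image password>", "Password: <image password>"]

def _template_re(template):
    # Compile a body template into a regex; the placeholder becomes a wildcard.
    parts = [re.escape(p) for p in template.split("<image password>")]
    return re.compile("^" + ".*".join(parts) + "$")

def bagle_ad_indicators(subject, body, attachments):
    """Return the BAGLE.AD lure indicators matched by one message (caller supplies the fields)."""
    subject, body, hits = subject.strip(), body.strip(), []
    if subject in SUBJECTS:
        hits.append("subject")
    if body in BODIES:
        hits.append("body")
    if PASS_SUBJECT.match(subject) and any(_template_re(t).match(body) for t in PASS_BODY_TEMPLATES):
        hits.append("password-lure")
    for name in attachments:
        stem, _, ext = name.rpartition(".")
        if stem in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
            hits.append("attachment:" + name)
    return hits

def is_bagle_ad_lure(subject, body, attachments):
    # Two independent indicators are required so a lone generic subject ("Update") does not trigger.
    return len(bagle_ad_indicators(subject, body, attachments)) >= 2
```

With constructed input, `is_bagle_ad_lure("Re: Hello", "See attach.", ["Readme.zip"])` returns True, while a plain "Update" subject with an ordinary PDF attachment matches only one indicator and is not flagged.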
     