WORM_BAGZ.A

Discussion in 'malware problems & news' started by Randy_Bell, Oct 8, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    WORM_BAGZ.A is a memory-resident, mass-mailing worm which uses SMTP (Simple Mail Transfer Protocol) to propagate. It arrives as an attachment to an email with a spoofed From field and varying subjects, message bodies, and attachment file names. This non-destructive worm also drops multiple components in the Windows system folder upon execution. It runs on Windows 95, 98, ME, NT, 2000 and XP, and is currently spreading in-the-wild.

    Upon execution, this worm drops the following files in the Windows system folder:

        DRIVERS\NDISRD.SYS
        DL.EXE – downloads and executes a file from a remote site
        IPDB.DLL
        JOBDB.DLL
        NDISAPI.DLL
        NDISRD.SYS
        SYSLOGIN.EXE – a mass-mailing component of this worm
        TUTORIAL.DOC<numerous space characters>.EXE – a copy of this worm
        TUTORIAL.ZIP – a .ZIP archive that contains the file TUTORIAL.DOC<numerous space characters>.EXE

    It also adds a registry entry that allows it to automatically execute at every system startup, and uses Simple Mail Transfer Protocol (SMTP) to send multiple copies of itself. It arrives on a system as an attachment to an email with the following details: {See the site tech-details for details of message body, subject, attachment}.

    If you would like to scan your computer for WORM_BAGZ.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_BAGZ.A is detected and cleaned by Trend Micro pattern file 2.189.04 and above.
     
    Last edited: Oct 9, 2004
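
Added example, not part of the original post or of Trend Micro's description: a defender-side check for the naming trick listed above, where a document extension is followed by a run of spaces and then the real .EXE extension, applied to an attachment name and to the member names of a ZIP attachment. The executable-extension list, the function names and the 40-space sample name are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Extensions treated as executable on Windows (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# <stem>.<decoy ext><run of whitespace>.<real ext>
_PADDED = re.compile(
    r"^(?P<stem>.+)\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s+)\.(?P<real>[A-Za-z0-9]{1,5})\s*$"
)


def padded_double_extension(name):
    """Return (decoy_ext, real_ext, pad_len) if the file name hides an
    executable extension behind whitespace padding, else None."""
    base = re.split(r"[\\/]", name)[-1]          # ignore any directory part
    m = _PADDED.match(base)
    if not m or m.group("real").lower() not in EXECUTABLE_EXTS:
        return None
    return m.group("decoy").lower(), m.group("real").lower(), len(m.group("pad"))


def scan_attachment(filename, data):
    """Check an attachment name and, for ZIP archives, every member name."""
    findings = []
    if padded_double_extension(filename):
        findings.append(filename)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings += [f"{filename}!{n}" for n in zf.namelist()
                         if padded_double_extension(n)]
    return findings


def build_sample_zip(member_name):
    """Constructed sample: a ZIP holding one harmless text payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed name; the pad length of 40 is an assumption.
    padded = "TUTORIAL.DOC" + " " * 40 + ".EXE"
    print(scan_attachment("TUTORIAL.ZIP", build_sample_zip(padded)))
    print(scan_attachment(padded, b"MZ"))
    print(scan_attachment("report.final.doc", b"text"))
```

Flagged entries are written as `archive!member` when the padded name was found inside a ZIP, so the same check covers both the direct attachment and the archived copy.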