i-worm.bagle.
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
I-Worm.Bagle.a
This worm spreads via the Internet in an attachment to infected emails.
The worm itself is a Window PE EXE file of approximately 15KB.
Messages sent by the worm have the following characteristics:
From:
random sender
Subject:
Hi
Body:
Test =)
Signature:
Test, yep
Attach:
random name
Installation
The worm is activated only if a user clicks on the attached file. When installing, the worm copies itself to the system directory under the name 'bbeagle.exe' and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe" = "%system%\bbeagle.exe"
The worm will also run the Windows application calc.exe.
The worm attempts to connect to several remote sites relating to TrojanProxy.Win32.Mitglieder.
Replication
The worm looks for files with the extensions wab, txt, htm, html, r1 and scans them for email-like text strings, then sends infected messages to the email addresses found.
The worm uses an SMTP engine to send infected messages.
Backdoor function
The worm opens port 6777 to listen for commands. The backdoor function allows the attacker to download files and execute commands on the infected computer.
Other
If the system date is later than 28th January 2004, the worm will not have any effect.
Copyright @2006 i-worm.bagle.