Virus Information
| Profile | Prevalence: Medium |
| Name | W32/Bagle-cc |
| Type | Worm |
| How it spreads | Email attachments |
| Affected operating systems | Windows |
| Aliases | W32/Bagle.dldr.gen |
| Date of surface | 29 August 2005 |
Description
This Bagle variant is unable to propagate independently and was mass mailed. Functionally, it is almost identical to Bagle.Bj, with some modifications that are detected as Bagle.pac.
Infected messages either have an empty subject and body, or contain random text and a random attachment name.
The body of the worm is attached to infected messages in a ZIP file approximately 18KB in size.
The attachment may have the following name:
"to_reduce_the_tax.zip"
The worm itself is a Windows PE EXE file, packed using PEX. The packed file is approximately 36KB in size.
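The description above gives the attachment's traits (a small ZIP carrying a Windows PE executable, possibly under the name listed). The following PowerShell function is an added example, not eScan's or MicroWorld's code, for triaging a quarantined ZIP attachment against those traits on a mail gateway or analyst workstation. It assumes only the file name and the PE format given on the page; the quarantine path is a placeholder.

```powershell
# Added example (not from this page's vendor): flag a ZIP attachment that shows the
# traits described for W32/Bagle-cc: a known attachment name, an executable entry,
# or an entry whose first bytes are the PE 'MZ' signature. Read-only; nothing is run.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-SuspiciousZipAttachment {
    param([Parameter(Mandatory)][string]$Path)

    $reasons = @()
    $name = [IO.Path]::GetFileName($Path)

    # Indicator from the page: the attachment name seen in the mass mailing.
    if ($name -ieq 'to_reduce_the_tax.zip') {
        $reasons += 'attachment name matches the W32/Bagle-cc mailing'
    }

    $zip = [IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Executable extensions inside a mailed archive are themselves suspicious.
            if ($entry.Name -match '\.(exe|scr|pif|com)$') {
                $reasons += "executable entry: $($entry.Name)"
            }
            # Windows PE files start with the two bytes 'MZ' (0x4D 0x5A), whatever
            # the entry is called; check the content, not just the extension.
            $stream = $entry.Open()
            try {
                $buf  = New-Object byte[] 2
                $read = $stream.Read($buf, 0, 2)
                if ($read -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
                    $reasons += "PE header (MZ) in entry: $($entry.Name)"
                }
            } finally { $stream.Dispose() }
        }
    } finally { $zip.Dispose() }

    [pscustomobject]@{
        Attachment = $name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
    }
}

# Usage with a placeholder path (replace with the quarantined attachment):
# Test-SuspiciousZipAttachment -Path 'C:\quarantine\to_reduce_the_tax.zip'
```

The check reads only the first two bytes of each entry, so a large or malformed archive costs little, and the returned object can be logged or fed to a mail-flow rule rather than relying on a match against one attachment name.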
Recovery
You have to remove the virus. Do one of the following:
1) The latest virus vaccine update of eScan removes the worm from your system. Ensure that Internet access for your system is working. Right click on and click Download eScan update. The latest updates are downloaded, your system is scanned and the worm is removed.
OR
2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses. If any illegal dialers or sniffer tools have been installed, they are detected.
MWAV Tool Kit (Download the free MicroWorld Anti Virus Toolkit that detects viruses in the system registry and running processes)
eScan Internet Security Suite (ISS) (Download MicroWorld's eScan that detects viruses in the system registry and running processes, and has a real-time monitor)
Advanced
Once launched, the worm opens the default text editing program (usually Notepad) to display an empty window.
When installing itself on the victim machine, the worm creates files named "winshost.exe" and "wiwshost.exe" in the Windows system directory:
%System%\winshost.exe
%System%\wiwshost.exe
It then registers these files in the system registry, ensuring that the worm will be launched each time Windows is rebooted on the victim machine:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"winshost.exe" = "%System%\winshost.exe"
This Bagle variant is unable to propagate independently, and was mass mailed using spammer techniques.
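The installation details above (two dropped files in the system directory and a Run value pointing at one of them) are exactly what an incident responder checks for on a suspected host. The script below is an added example written for this page, not eScan's or MicroWorld's tool; it assumes only the file names and Run keys the page lists and reports findings without changing anything, so it can be run before the vendor's cleanup step to confirm the infection.

```powershell
# Added example (not from this page's vendor): read-only check for the W32/Bagle-cc
# persistence artifacts named above. Assumes the file names winshost.exe / wiwshost.exe
# and the HKCU/HKLM Run keys as described on the page. Run from an elevated prompt so
# the system directory and HKLM are readable.
$system    = [Environment]::SystemDirectory      # resolves %System%
$fileNames = @('winshost.exe', 'wiwshost.exe')
$runKeys   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-BagleCcArtifacts {
    $findings = @()

    # 1. Dropped files in the Windows system directory.
    foreach ($name in $fileNames) {
        $path = Join-Path $system $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $findings += [pscustomobject]@{
                Kind = 'File'; Location = $path; Detail = "size=$($item.Length) bytes"
            }
        }
    }

    # 2. Run-key values whose data references either file name. Any value name is
    #    checked, since the page documents the data, not a guaranteed value name.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
            foreach ($name in $fileNames) {
                if ("$($prop.Value)" -match [regex]::Escape($name)) {
                    $findings += [pscustomobject]@{
                        Kind = 'Registry'; Location = "$key\$($prop.Name)"; Detail = $prop.Value
                    }
                }
            }
        }
    }

    # 3. Running processes using those image names.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $fileNames -contains ($_.ProcessName + '.exe') } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Kind = 'Process'; Location = "PID $($_.Id)"; Detail = $_.Path
            }
        }

    return $findings
}

$findings = Get-BagleCcArtifacts
if ($findings.Count -eq 0) {
    Write-Output 'No W32/Bagle-cc persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The registry check matches on the value data rather than on the value name "winshost.exe", because a Run entry under any name that launches a file from %System% with one of these names is the condition that matters; file and process checks are kept separate so a finding in one does not depend on the others.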