|
Description:
This mass-mailing, memory-resident worm propagates via email using a built-in mailing engine that utilizes Simple Mail Transfer Protocol (SMTP).
Details of its email can be found in the Technical Details section.
This worm also propagates via network shares. However, it does not deliberately search for all available shared folders. Instead, it searches for local folders with names that contain the character string “shar.” It assumes that these folders are shared and drops a copy of itself into these folders.
It uses attractive file names (like Adobe Photoshop 9 full.exe and Porno Screensaver.scr) for its copies so that other users who have access to the folders are enticed into obtaining the files. This propagation technique usually works on systems running peer-to-peer file sharing applications like Kazaa.
This worm is also a backdoor. It opens TCP port 1080 and random UDP ports to allow remote communication via these ports. It awaits and processes predefined commands that are sent through these ports. This backdoor capability allows unauthorized users to access and manipulate infected systems.
This BAGLE variant continues to assail NETSKY worms by deleting registry entries created by members of the NETSKY family. It also assails security programs by terminating them.
It has another trait common to different BAGLE variants - a predefined self-termination date. If the system date is May 5, 2006, it stops running and deletes registry entries that it has created to automatically start with Windows.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
For additional information about this threat, see:
Solution
Technical Details
Description created: Jul. 19, 2004 10:52:53 AM GMT -0800
Description updated: Jul. 19, 2004 12:27:53 PM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
