Description:
Similar to the earlier BAGLE variant, WORM_BAGLE.AI, this worm does not directly send itself via email to target recipients as an email attachment. Instead, it uses a Trojan downloader component and an HTML script component to propagate.
(Note: Trend Micro detects the Trojan and HTML components as TROJ_BAGLE.AL and HTML_BAGLE.AL, respectively.)
Using its own SMTP (Simple Mail Transfer Protocol) engine, this worm sends email that contains the two components, which aid this worm in its propagation routine.
It harvests its target recipients from certain files found in the system.
The loader component HTML_BAGLE.AL is specifically designed to trigger the execution of the Trojan downloader component, while TROJ_BAGLE.AL downloads and executes this worm from a list of Web sites and saves it in the Windows folder.
Apart from the email propagation described, this worm also attempts to propagate via network shares by dropping copies of itself in folders that contain the string "shar" in their names. It assumes that these folders are shared in local networks or in peer-to-peer networks. It also uses enticing file names, most of which are related to popular applications.
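For triage of a suspect host, the share-folder behavior above can be checked with a sweep like the following. This is an added example, not Trend Micro's tooling; it assumes the match is on each folder's own name, case-insensitively, and the sample tree and file names are constructed.

```python
import os
import tempfile

PE_MAGIC = b"MZ"  # DOS header signature that opens every Windows executable

def is_pe(path):
    """True if the file starts with 'MZ', whatever its extension claims."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False  # unreadable or locked file: skip it, keep sweeping

def executables_in_shar_folders(root):
    """Sorted paths of PE files sitting directly in any folder under root
    whose own name contains 'shar' (case-insensitive match is an assumption)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        hits.extend(p for p in (os.path.join(dirpath, f) for f in files) if is_pe(p))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample layout; names and contents are invented for the demo."""
    layout = {
        "My Shared Folder/sample_app.exe": b"MZ\x90\x00constructed",  # flagged
        "My Shared Folder/notes.txt": b"plain text",                  # not a PE
        "users/SHARE/renamed.txt": b"MZ\x90\x00constructed",          # PE, misleading extension
        "docs/tool.exe": b"MZ\x90\x00constructed",                    # PE, but folder lacks 'shar'
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        build_sample_tree(root)
        for hit in executables_in_shar_folders(root):
            print(os.path.relpath(hit, root))
```

A hit is only a lead: legitimate installers also live in shared folders, so each flagged file still needs to be scanned or hashed before any conclusion is drawn.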
Like earlier BAGLE variants, this worm also tries to remove instances of NETSKY worms from the infected system. It does this by creating mutexes that are mostly associated with earlier NETSKY variants.
(Note: Mutexes are exclusion objects that prevent processes from sharing the same resources. This worm uses the mutexes to prevent the NETSKY variants from running on infected systems.)
For additional information about this threat, see: Solution, Technical Details
Description created: Aug. 31, 2004 7:31:17 PM GMT -0800