Description:
Like other BAGLE variants, the success of this worm may be attributed to its plain and brief email messages that bear the following details:
From: <spoofed>
Subject: any of the following
• Re:
• Re: Hello
• Re: Hi
• Re: Thank you!
• Re: Thanks :)
Message body: any of the following
• :)
• :))
Attachment: any of the following
• PRICE
• JOKE
with the following extension names
• COM
• CPL
• EXE
• SCR
This worm scans an infected system for files with certain extension names to acquire its target recipients. It then uses its own SMTP engine and the domain servers of its harvested email addresses for its mailing routine. Unsuspecting users may then receive email messages from trusted acquaintances and readily execute the attachment, thus launching this worm.
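The message pattern above is narrow enough to match on the mail gateway. The following is an added example (not part of the original description or of any vendor tool) that parses a raw RFC 822 message with Python's standard `email` library and reports which of the three lures are present: a listed subject, a listed body, and a PRICE/JOKE attachment with one of the four executable extensions. The sample messages it builds are constructed here for illustration; the sender and recipient addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECTS = {"Re:", "Re: Hello", "Re: Hi", "Re: Thank you!", "Re: Thanks :)"}
BODIES = {":)", ":))"}
ATTACH_NAMES = {"PRICE", "JOKE"}
ATTACH_EXTS = {"COM", "CPL", "EXE", "SCR"}


def bagle_indicators(raw: bytes) -> list[str]:
    """Return the list of matched indicators for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().strip() if body_part is not None else ""
    if text in BODIES:
        hits.append(f"body:{text}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        # Case-insensitive match on both the base name and the extension.
        if stem.upper() in ATTACH_NAMES and ext.upper() in ATTACH_EXTS:
            hits.append(f"attachment:{name}")
    return hits


def is_bagle_like(raw: bytes) -> bool:
    """All three lures present: subject, body and executable attachment."""
    return len(bagle_indicators(raw)) == 3


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message; addresses are placeholders, not real senders."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    # Dummy payload: the real worm body is never needed to test the heuristic.
    m.add_attachment(b"MZ-dummy", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(bagle_indicators(build_sample("Re: Hi", ":)", "price.exe")))
```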
When run, it proceeds to drop copies of itself in folders with names containing the text string shar, or in shared folders. It also uses file names that appear legitimate and attractive. This enables this worm to propagate through the network as other users may accidentally download a copy of this worm thinking it is a normal application or a text file.
This worm also compromises system security by terminating several antivirus and security-related applications if found active on a system. It also connects to a list of Web sites where it may download components. It also opens port 81 for its backdoor activities.
Continuing a notable BAGLE routine, it attacks another worm family known as NETSKY. It deletes several registry entries and file names associated with NETSKY. It also creates several mutexes that prevent the execution of NETSKY variants on the infected machine.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Behavior Diagram
Description created: Oct. 29, 2004 1:12:33 AM GMT -0800
Description updated: Oct. 29, 2004 4:14:19 AM GMT -0800