Malware type: Worm

Aliases: Email-Worm.Win32.Bagle.bu (Kaspersky), W32/Bagle.dldr.gen (McAfee), W32.Beagle.AO@mm (Symantec), TR/Bagle.N (Avira), W32/Bagle-M (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

To get a one glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

Malware Overview

This worm propagates by mass-mailing copies of its Trojan component. In turn, this Trojan downloads a copy of this worm from several Web sites.

The email that it sends has the following details:

From: {Spoofed email address}
Subject: Foto
Message body: (any of the following)
• Foto
• Pass - {password of the attachment}
• Password - {password of the attachment}
• Password: {password of the attachment}
• The password is {password of the attachment}
Attachment: (any of the following)
• Foto.zip
• fotos.zip

It gathers target email addresses from the affected user's Windows Address Book (WAB).

It also has backdoor capabilities. It opens and listens to port 80, and sets the affected system to act as a Web server. It also downloads a file from a Web server.

It also removes instances of NETSKY worms from the affected system.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jul. 25, 2005 11:57:03 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.