Malware type: Worm

Aliases: W32.Beagle.X@mm(Symantec), W32/Bagle-AA(Sophos), Email-Worm.Win32.Bagle.z(Kaspersky), Worm/Bagle.AA(Avira), W32/Bagle.aa@MM(McAfee)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Description: 

This memory-resident worm spreads via email and network shares. Upon execution, it drops a copy of itself in the Windows system folder using any of the following file names:

• DRVDDLL.EXE
• DRVDDLL.EXEOPEN
• DRVDDLL.EXEOPENOPEN

It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate.

The following are sample email messages that this worm sends out:

It gathers target email addresses from files with certain extension names and skips those addresses that contain particular strings.

In its attempt to propagate via network shares, this worm drops copies of itself in folders that contain the string shar in their folder names.

This malware has backdoor capabilities. It listens to port 2535 for commands from a remote malicious user.

It terminates several antivirus and security programs and attempts to connect to specific Web sites. It also deletes registry entries that automatically execute WORM_NETSKY variants.

This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:
Solution
Technical Details

Description created: Apr. 29, 2004 12:00:00 AM GMT -0800
Description updated: May. 10, 2004 7:27:52 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.