Protector Plus Download Antivirus

W32/Bagle.AF

Name: W32/Bagle.AF
Aliases: W32/Bagle.af@mm, WORM_BAGLE.AF, W32/Bagle-AF, W32.Beagle.AB@mm, virus
Discovered on: 15th July, 2004

Virus Information - W32/Bagle.AF:

W32/Bagle.AF is a mass-mailing worm that infects Windows systems. It spreads through email and through shared drives on the network.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected email will be any one of the following:

Re: Thank you!
Update
Site changes
Re: Incoming Message
Re: Yahoo!
Re: Thanks :)
Re: Document
RE: Message Notify
Re: Msg reply
Re: Hi
Re: Hello
RE: Text message
RE: Incoming Message
RE: Protected message
Encrypted document
Protected message
Incoming message
Notification
Forum notify
Fax Message
Changes..

The body of the infected email will be any one of the following:

See attach.
Read the attach.
Your file is attached.
Pay attention at the attach.
Please, read the document.
Your document is attached.
See the attached file for details.
Please, have a look at the attached file.
Check attached file for details.
Attached file tells everything.
Attach tells everything.
More info is in attach
Message is in attach
Check attached file.
Here is the file.

It carries an infected attachment with any one of the following names:

Readme
Message
Updates
MoreInfo
text_document
Information
Document
Details
Info

The extension of the attachment may be any one of the following:

zip
exe
scr
com
cpl
hta
vbs
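
A mail-filter check built from the subject, attachment-name and extension lists above, as an added example that is not part of the original advisory; the function names and the sample message builder are constructed for illustration. Because subjects such as "Update" also occur in legitimate mail, the subject only corroborates an attachment match.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists copied from this page; matching is case-insensitive.
SUBJECTS = {s.lower() for s in (
    "Re: Thank you!", "Update", "Site changes", "Re: Incoming Message",
    "Re: Yahoo!", "Re: Thanks :)", "Re: Document", "RE: Message Notify",
    "Re: Msg reply", "Re: Hi", "Re: Hello", "RE: Text message",
    "RE: Protected message", "Encrypted document", "Protected message",
    "Incoming message", "Notification", "Forum notify", "Fax Message",
    "Changes..")}
ATTACH_NAMES = {"readme", "message", "updates", "moreinfo", "text_document",
                "information", "document", "details", "info"}
ATTACH_EXTS = {"zip", "exe", "scr", "com", "cpl", "hta", "vbs"}

def bagle_af_indicators(raw_message: str) -> dict:
    """Report which of the page's mail indicators a raw message matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Collapse folded whitespace before comparing the subject line.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    hits = {"subject": subject in SUBJECTS, "attachments": []}
    for part in msg.walk():  # walk() also reaches nested multiparts
        filename = (part.get_filename() or "").strip()
        stem, _, ext = filename.rpartition(".")
        if stem.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
            hits["attachments"].append(filename)
    # The verdict needs a listed name with a listed extension;
    # a listed subject on its own is too common to act on.
    hits["suspicious"] = bool(hits["attachments"])
    hits["strong"] = hits["suspicious"] and hits["subject"]
    return hits

def constructed_sample(subject: str, filename: str) -> str:
    """Build a harmless test message (constructed data, placeholder payload)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("See the attached file for details.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```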

Upon execution of the attachment, the worm copies itself as sysxp.exe in the Windows System folder. It also drops sysxp.exeopen and sysxp.exeopenopen, which are copies of the worm.

It alters the Windows registry at the following location to load itself during the next startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates several mutexes, listed below, to ensure only one instance of the worm is running. It also terminates some variants of W32/Netsky.

• AdmSkynetJklS003
• [SkyNet.cz]SystemsMutex
• ____--->>>>U<<<<--____
• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The worm attempts to create copies of itself in any folder whose name contains the substring "shar". The worm files will have the following file names:

WinAmp 6 New!.exe
XXX hardcore images.exe
Porno pics arhive,xxx.exe
Windows Sourcecode update.doc.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Serials.txt.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Adobe Photoshop 9 full.exe
Porno Screensaver.scr
Microsoft Windows XP, WinXP Crack, working Keygen.exe
ACDSee 9.exe
Matrix 3 Revolution English Subtitles.exe
Kaspersky Antivirus 5.0
KAV 5.0
Microsoft Office 2003 Crack, Working!.exe
Ahead Nero 7.exe

The worm also tries to terminate the processes of security-related software.

To propagate itself, the worm scans the infected machine for files with the following extensions and collects all the available email addresses from them:

.xml, .xls, .wsh, .wab, .uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .mbx, .jsp, .htm, .eml, .dhtm, .dbx, .nch, .msg, .mmf, .mht, .mdx, .cgi, .cfg, .asp, .adb.

The worm uses its own SMTP engine to mail itself to these email addresses.


Copyright © 2005 Proland Software. All rights reserved
