W32/Bagle.AG

| Name | W32/Bagle.AG |
| Aliases | Bagle.AG, W32/Bagle.ag@MM, W32/Bagle.AG, WORM_BAGLE.AG, Bagle, virus |
| Discovered on | 17th July, 2004 |
Virus Information - W32/Bagle.AG:
W32/Bagle.AG is a mass-mailing worm that infects Windows systems and spreads through email.
The worm also copies itself to folders whose names contain the string "shar".
The infected email carries a spoofed 'From' address picked at random
from the infected system.
The subject of the infected email will be:
Re:
The body of the infected email will be any one of the following:
foto3
Screen
The snake
Predators
Lovely animals
fotogalary
fotoinfo
Animals
It carries any one of the following infected attachments:
Cat
Doll
foto1
foto2
Garry
Secret
foto3
Fish
Dog
The extension of the attachment may be any one of the following:
exe
scr
com
cpl
zip
Upon execution of the attachment, the worm copies itself as
SYS_XP.EXE in the Windows System folder.
It also drops SYS_XP.EXEOPEN and SYS_XP.EXEOPENOPEN,
which are copies of the worm.
It alters the Windows registry at the following
location to load itself during the next startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It creates several mutexes to ensure that
only one instance of the worm is running, and it terminates some variants
of W32/Netsky. The mutexes created are:
AdmSkynetJklS003
____--->>>>U<<<<--____
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
{z4wMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
[SkyNet.cz]SystemsMutex
The worm also tries to terminate the processes
of security-related software.
To propagate, the worm scans the
infected machine for files with the following extensions and collects
all the email addresses found in them:
.xml, .xls, .wsh, .wab,
.uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .mbx, .jsp,
.htm, .eml, .dhtm, .dbx, .nch, .msg, .mmf, .mht, .mdx, .cgi, .cfg, .asp,
.adb.
The worm uses its own SMTP engine to mail itself to these email
addresses.
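The mail characteristics described above (subject "Re:", a one-line body from the fixed list, an attachment named from the fixed list with one of the listed extensions) can be turned into a mail-gateway triage check. The following is an added example, not part of the original description or any vendor tool; the indicator lists are taken from the text above, and the sample message is constructed here for demonstration.

```python
"""Triage check for the W32/Bagle.AG mailing pattern (added example)."""
import email
from email import policy

# Indicator lists copied from the description above.
SUBJECTS = {"Re:"}
BODIES = {"foto3", "Screen", "The snake", "Predators", "Lovely animals",
          "fotogalary", "fotoinfo", "Animals"}
ATTACH_NAMES = {"Cat", "Doll", "foto1", "foto2", "Garry", "Secret",
                "foto3", "Fish", "Dog"}
ATTACH_EXTS = {"exe", "scr", "com", "cpl", "zip"}


def matches_bagle_ag(raw_message: bytes) -> dict:
    """Return which of the described Bagle.AG mail traits a message shows.

    'suspicious' is set only when subject, body and attachment all match,
    so a lone 'Re:' subject or a stray 'Animals' body does not fire."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    body_text = ""
    attachment_names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachment_names.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    attach_hit = False
    for name in attachment_names:
        stem, _, ext = name.rpartition(".")
        if stem in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
            attach_hit = True
    traits = {
        "subject": subject in SUBJECTS,
        "body": body_text.strip() in BODIES,
        "attachment": attach_hit,
    }
    traits["suspicious"] = all(traits.values())
    return traits


# Constructed sample message shaped like the described infected mail.
SAMPLE = (b"From: spoofed@example.invalid\nTo: user@example.invalid\n"
          b"Subject: Re:\nMIME-Version: 1.0\n"
          b'Content-Type: multipart/mixed; boundary="b1"\n\n'
          b"--b1\nContent-Type: text/plain\n\nLovely animals\n"
          b"--b1\nContent-Type: application/octet-stream\n"
          b'Content-Disposition: attachment; filename="Fish.scr"\n\nMZ\n--b1--\n')

if __name__ == "__main__":
    print(matches_bagle_ag(SAMPLE))
```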