W32/Bagle.AQ
Name: W32/Bagle.AQ
Aliases: W32/Bagle.aq@MM, W32.Beagle.AO@mm, WORM_BAGLE.AC, Win32.Bagle.AG, I-Worm.Bagle.al, Bagle, worm
Discovered on: 9 August 2004
Virus Information - W32/Bagle.AQ:
W32/Bagle.AQ is a mass-mailing worm. It infects Windows systems and spreads through email.
The worm also carries a backdoor component that listens on a UDP port and a TCP port on the infected host.
The infected email carries a spoofed 'From' address, picked at random from the addresses found on the infected system, so the apparent sender is not the source of the infection.
The subject of the email is blank.
The body of the infected mail is:
new price
It carries one of the following infected attachments:
new__price.zip
newprice.zip
08_price.zip
price.zip
price2.zip
price_08.zip
new_price.zip
price_new.zip
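The mail indicators above (blank subject, body "new price", one of the listed .zip names) are enough for a gateway-side triage rule. The following is an added example written for this page, not code from the original description or from any vendor product: it parses a raw message with Python's standard email library and reports which indicators matched. The two sample messages are constructed for the example; the attachment payloads are placeholder bytes, not the worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above: blank subject, body text
# "new price", and one of the listed .zip attachment names.
BAGLE_AQ_BODY = "new price"
BAGLE_AQ_ATTACHMENTS = frozenset({
    "new__price.zip", "newprice.zip", "08_price.zip", "price.zip",
    "price2.zip", "price_08.zip", "new_price.zip", "price_new.zip",
})


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of all attachment parts (empty string where none is given)."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def body_text(msg: EmailMessage) -> str:
    """Text of the preferred body part, or "" if the message has none."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content().strip() if body is not None else ""


def matches_bagle_aq(raw: bytes) -> dict:
    """Evaluate a raw RFC 822 message against the W32/Bagle.AQ mail indicators.

    The verdict is True only when all three indicators match. The From header
    is deliberately ignored: the worm fills it with a random address harvested
    from the infected machine, so it says nothing about the true sender.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = [n.lower() for n in attachment_names(msg)]
    hits = {
        "blank_subject": subject == "",
        "body_new_price": body_text(msg).lower() == BAGLE_AQ_BODY,
        "known_attachment": any(n in BAGLE_AQ_ATTACHMENTS for n in names),
    }
    return {"verdict": all(hits.values()), "hits": hits, "attachments": names}


# Constructed sample messages (not real captures). The attachment bodies are
# a few placeholder base64 bytes, not the worm.
SAMPLE_MALICIOUS = b"""\
From: jdoe@example.com
To: victim@example.net
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

new price
--b1
Content-Type: application/zip; name="price_08.zip"
Content-Disposition: attachment; filename="price_08.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

SAMPLE_BENIGN = b"""\
From: jdoe@example.com
To: victim@example.net
Subject: Re: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Hi, the invoice is attached.
--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, matches_bagle_aq(raw))
```

The rule requires all three indicators so that an ordinary message with a blank subject, or a legitimate "price.zip", is not quarantined on its own; the per-indicator hits are returned so a partial match can still be logged for review.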
Upon execution of the attachment, the worm copies itself as windll.exe into the Windows System folder.
It also drops windll.exeopen and windll.exeopenopen, which are copies of the worm.
It also adds an entry under the following registry key so that it is loaded at the next startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
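The dropped files and the Run-key entry above are the host-side indicators an incident responder would check first. The following is an added example written for this page, not code from the original description: it enumerates the HKCU Run key on Windows and looks for the three dropped filenames in the Windows System folder, with the matching logic kept in pure functions so it can be exercised offline on constructed data. The worm's actual Run value name is not given on this page, so the check matches on the command line referencing windll.exe rather than on a value name.

```python
import os
import sys

# Filenames the worm drops into the Windows System folder (from the description).
DROPPED_NAMES = ("windll.exe", "windll.exeopen", "windll.exeopenopen")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def suspicious_run_values(run_values: dict) -> dict:
    """Return the Run-key values whose command line references windll.exe.

    run_values maps value name -> command string, as read from HKCU\\...\\Run.
    A hit is a lead for review, not proof: the value name is unknown here and
    an unrelated program could share the filename.
    """
    return {name: cmd for name, cmd in run_values.items()
            if "windll.exe" in cmd.lower()}


def present_dropped_files(listing) -> list:
    """Return which of the worm's dropped filenames appear in a directory listing."""
    names = {n.lower() for n in listing}
    return [n for n in DROPPED_NAMES if n in names]


def read_hkcu_run() -> dict:
    """Enumerate HKCU\\...\\Run on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def system_folders() -> list:
    """Candidate Windows System folders (System32 on NT-based Windows, System on 9x)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return [d for d in (os.path.join(root, "System32"), os.path.join(root, "System"))
            if os.path.isdir(d)]


if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_values(read_hkcu_run()))
    for folder in system_folders():
        print(folder, "dropped files present:", present_dropped_files(os.listdir(folder)))
```

Run from an unprivileged session the script only sees the current user's HKCU Run key, which is exactly where this variant persists; an enterprise sweep would repeat the check for each loaded user hive.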
It creates several mutexes to ensure that only one instance of the worm is running, and it terminates some variants of W32/Netsky.
Several of the mutex names below are those used by Netsky variants, so creating them also prevents those variants from starting:
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
'D'r'o'p'p'e'd'S'k'y'N'e't'
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo
To propagate, the worm scans all files on the infected system that have the following extensions
and collects every email address it finds in them:
.txt, .xml, .xls, .asp,
.htm, .jsp, .cgi, .php, .dbx, .mbx, .mdx, .sht, .stm, .adb, .eml, .nch,
.ods, .oft, .mht, .mmf, .msg, .cfg, .tbb, .uin, .wab, .wsh, .dhtm, .shtm,
.pl.
The worm mails itself to the collected addresses using its own SMTP engine, so it does not depend on the victim's mail client.
It does not mail itself to addresses containing any of the following strings (largely antivirus vendors, abuse and postmaster mailboxes, mailing lists and system accounts):
@derewrdgrs
gold-certs@
@eerswqe
anyone@
rating@
f-secur
certific
update
winrar
winzip
noone@
@iana
abuse
admin
@avp.
@foo
bugs@
info@
kasp
news
pgp
bsd
spam
unix
ntivi
cafee
feste
linux
local
help@
panda
root@
sopho
google
free-av
nobody@
noreply
support
samples
listserv
icrosoft
postmaster@
@messagelab
@microsoft
