









W32/Bagle.CD Worm

| Name | W32/Bagle.CD Worm |
| Aliases | W32.Beagle.CE@mm, WORM_BAGLE.CG |
| Discovered on | August 11, 2005 |

Virus Information - W32/Bagle.CD Worm:
W32/Bagle.CD is a mass-mailing worm and a variant of W32/Bagle.A. It infects Windows systems and spreads through email.
The infected email carries a spoofed 'From' address picked up randomly from the infected system.
The subject of the infected email is blank.
The body of the infected email will be one of the following:
The password is
Password:
It carries an infected attachment with one of the following names:
The_reporting_of_taxes
Taxes
Work and taxes
The_taxation
Increase_in_the_tax
To_reduce_the_tax
The extension of the attachment may be one of the following:
rar
zip
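
The email traits listed above can be checked together at a mail gateway. The following Python code is an added example, not part of the original advisory: the function names and the sample message are constructed for illustration, and the only worm-specific values are the body text, attachment names and extensions listed on this page.

```python
from email import message_from_string
from email.message import EmailMessage
from pathlib import PurePosixPath

# Traits copied from the description above; nothing else is assumed about the worm.
BODY_PREFIXES = ("The password is", "Password:")
ATTACHMENT_STEMS = {"The_reporting_of_taxes", "Taxes", "Work and taxes",
                    "The_taxation", "Increase_in_the_tax", "To_reduce_the_tax"}
ATTACHMENT_EXTS = {".rar", ".zip"}
ALL_TRAITS = {"blank_subject", "password_body", "attachment_name"}


def matched_traits(raw: str) -> set:
    """Return which of the three described traits a raw RFC 5322 message shows."""
    msg = message_from_string(raw)
    traits = set()
    if not (msg.get("Subject") or "").strip():
        traits.add("blank_subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # Normalise Windows separators so only the final name component is compared.
            name = PurePosixPath(filename.replace("\\", "/"))
            if name.stem in ATTACHMENT_STEMS and name.suffix.lower() in ATTACHMENT_EXTS:
                traits.add("attachment_name")
        elif part.get_content_type() == "text/plain":
            # The prefixes are ASCII, so a lossy decode is enough for matching.
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if text.strip().startswith(BODY_PREFIXES):
                traits.add("password_body")
    return traits


def is_suspect(raw: str) -> bool:
    """Flag only when all three traits coincide; each alone is common in normal mail."""
    return matched_traits(raw) == ALL_TRAITS


def build_sample(subject: str, body: str, filename: str) -> str:
    """Constructed test message, not a captured sample; the attachment is a placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(sorted(matched_traits(build_sample("", "Password:", "Work and taxes.rar"))))
```
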
Upon execution of the attachment, the worm copies itself as svc23.exe in the Windows system folder.
It alters the Windows registry at the following locations to load itself at the next startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n
The worm tries to download the file re_file.exe from the following web sites:
http://[BLOCKED]a2/s3.php
http://[BLOCKED]a2/s1.php
It also tries to download eml.exe from a pre-configured list of web sites.
It also creates the following mutexes to ensure that only one instance of the worm is running, and it terminates some variants of W32/Netsky:
AdmSkynetJklS003
[SkyNet.cz]SystemsMutex
____--->>>>U<<<<--____
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
