W32/Bagle.CF Worm
| Name | W32/Bagle.CF Worm |
| Aliases | WORM_BAGLE.BF |
| Discovered on | August 10, 2005 |
Virus Information - W32/Bagle.CF Worm:
W32/Bagle.CF is a mass-mailing worm and a variant of W32/Bagle.A. It infects Windows systems and spreads through email.
The infected email carries a spoofed 'From' address picked up randomly from the infected system.
The subject of the infected email is any one of the following:
Random letters
The picture is sent on SMS
Is sent SMS
It carries any one of the following infected attachments:
Beach.zip
In_park.zip
Kitten.zip
Legs.zip
new.zip
original.zip
Upon execution of the attachment, the worm copies itself as svc.exe in the Windows system folder.
It adds a value at the following Windows registry locations so that it is loaded again at the next startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n
It also creates the following mutexes to ensure that only one instance of the worm is running, and it terminates some variants of W32/Netsky:
AdmSkynetJklS003
[SkyNet.cz]SystemsMutex
____--->>>>U<<<<--____
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
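A host triage check for the file, registry and mutex indicators listed above, added here as an example and not taken from the original page. It assumes an elevated PowerShell session on the suspect host, takes the "Windows system folder" to be System32, and uses the registry paths and mutex names exactly as the description gives them.

```powershell
# Added example: look for the W32/Bagle.CF indicators named in the description.
# Assumption: the "Windows system folder" is %SystemRoot%\System32.
$dropFile = Join-Path $env:SystemRoot 'System32\svc.exe'

# Registry locations exactly as listed in the description.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ru1n'
)

# Mutex names exactly as listed in the description.
$mutexNames = @(
    'AdmSkynetJklS003',
    '[SkyNet.cz]SystemsMutex',
    '____--->>>>U<<<<--____',
    'MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D',
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    '-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_',
    '_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_'
)

$findings = @()

# 1. Dropped copy of the worm in the system folder.
if (Test-Path -LiteralPath $dropFile) { $findings += "File present: $dropFile" }

# 2. Autorun values under the listed keys that point at svc.exe.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties the provider adds to the object.
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'svc\.exe') {
            $findings += "Autorun value '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

# 3. Mutexes: OpenExisting succeeds only while some process holds the name.
#    A bare name checks the caller's session namespace; prefix 'Global\' to
#    check the global namespace instead.
foreach ($name in $mutexNames) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex present: $name"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: the expected result on a clean host.
    } catch [System.UnauthorizedAccessException] {
        # Exists but is not accessible to us, which still indicates presence.
        $findings += "Mutex present (access denied): $name"
    }
}

if ($findings.Count -eq 0) { 'No W32/Bagle.CF indicators found.' } else { $findings }
```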
The worm tries to send a copy of a Trojan to the email addresses gathered from files downloaded from the following web sites:
http://[BLOCKED].com/images/web.php
http://[BLOCKED]ontracting.com/2/web.php
http://[BLOCKED].org/images/web.php
The worm uses its own SMTP engine to mail the Trojan to these email addresses.