W32/Bagle.D

 Virus Information - W32/Bagle.D:

W32/Bagle.D is a mass mailing worm.This worm is a variant of W32/Bagle.C. The worm will infect Windows systems and spreads through email.

Infected email carries a spoofed 'From' and 'to' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Accounts department
Ahtung!
Camila
Daily activity report
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price list
Price-list
Pricelist
Proclivity to servitude
Registration confirmation
The account
The employee
The summary
USA government abolishes the capital punishment
Weekly activity report
Well...
You are dismissed
You really love me?he he
price
price-list

The body of the infected mail will be blank.

It carries the following infected attachment;

<random characters>.zip

Upon execution of the attachment, the worm copies the following files Readme.exe, Doc.exe, Readme.exeopen, Onde.exe in the Windows System folder.

It alters the windows registry at the following location to load itself during next startup;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also attempts to terminate the following processes belonging to security software:

ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE

To propagate itself, the worm scans the following extensions and collects the available email addresses from the infected system;

.cfg, .asp, .php, .txt, .htm, .html, .dbx, .mdx, .eml, .nch, .mmf, .ods, .pl, .adb, .sht, .wab.

The worm uses its own SMTP engine to mail itself to these email addresses.