









W32/Bagle.DF Worm

| Name | W32/Bagle.DF Worm |
| Aliases | WORM_BAGLE.DF |
| Discovered on | February 28, 2006 |
Virus Information - W32/Bagle.DF Worm:
W32/Bagle.DF is a mass-mailing worm. It infects Windows systems and spreads through email and the network.
The subject of the infected mail will be any one of the following:
You are a criminal and will be busted!
Phshing is illegal
You steal from innocent people
Where did you learn to scam?
The body of the infected mail will be any one of the following:

Hi!
Just to inform you that your email is used by a spamer who intends
to steal bank account information thru a fake site.
If you are not involded, I can bring you additionnal information.
Check attached file for a proof.
If you are, you're a little son of a bitch.

Dude,
I found your email from whois info of a web page that was used in spam
and illigal activity, please do something or you will be sued and busted.
Was very dumb to leave your email, asshole!
P.S Attached file is self-exatracting archive with information
about your criminal activity.

Hey pal. Do you know, that your webpage paypalll.comprovides a phishing attack?
Open attached file for a proof
hmmmm it's quite nice, but I think that cops would be interested in it.
So my friend. take the page away and put a Appologize on it.
Or the Police will hear from me.
Cya my friend

The name of the infected attachment will be any one of the following:
whois_info.exe
your_info.exe
Myscreenshot.exe
Scam.exe
Proof.exe
It also randomly adds a text file named report.txt at the end of the attachment. The text file contains the following text:
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.com
Upon execution, the worm copies itself as windll32lib.exe into the Windows System folder.
It also drops windll32lib.exeopen and windll32lib.exeopenopen in the Windows System folder.
The worm modifies the registry at the following location so that it loads at each startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
To propagate, the worm scans files with the following extensions and collects the available email addresses from the infected system:
sht, pl, mmf, cfg, dbx, cgi, asp, adb, dhtm, eml, htm, jsp, mbx, mht, mdx, msg, nch, ods, oft, php, shtm, stm, tbb, txt, uin, wab, wsh, xls and xml.
It mails itself to these addresses using its own SMTP engine.
It searches the network for shared folders with the shar and copies itself as any one of the following:
miss america Porno, sex, oral, anal cool, awesome!!.exe
Windown Vista Beta Leak.exe
Adobe Photoshop 9 full.exe
kate beckinsale nude pictures.exe
anna benson sex video.exe
jenna elfman sex anal deepthroat.exe
barrett jackson nude photos, movies, porn video.exe
paris hilton Porno pics arhive, xxx.exe
Ahead Nero 10.exe
Britney Spears sex photos.exe
IE beta 7.exe
Serials 2005 database.exe
Windows Sourcecode update.doc.exe
Serials.txt.exe
XXX hardcore images.exe
Porno Screensaver.scr
It downloads a file from its pre-configured list of websites.
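
A mail-gateway style check for the email indicators listed above, added here as an example (it is not code from the original page or from any antivirus vendor). The function names and the sample message are constructed for illustration, and the check for the fake scan text assumes it can appear in any decoded MIME part.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above, lowercased for comparison.
SUBJECTS = {"you are a criminal and will be busted!", "phshing is illegal",
            "you steal from innocent people", "where did you learn to scam?"}
ATTACHMENTS = {"whois_info.exe", "your_info.exe", "myscreenshot.exe",
               "scam.exe", "proof.exe"}
# Assumption: the fake "clean scan" text may sit in any decoded MIME part.
FAKE_SCAN_MARKER = b"++++ Attachment: No Virus found"

def bagle_df_indicators(raw_message: bytes) -> list:
    """Return the Bagle.DF mail indicators found in one raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # Collapse folded or padded whitespace before comparing the subject.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    marker_seen = False
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        # Multipart containers return None here; leaf parts are decoded
        # from base64 / quoted-printable to bytes.
        payload = part.get_payload(decode=True) or b""
        if not marker_seen and FAKE_SCAN_MARKER in payload:
            hits.append("fake-scan-marker")
            marker_seen = True
    return hits

def constructed_sample() -> bytes:
    """Constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Phshing is illegal"
    m.set_content("Check attached file for a proof.")
    m.add_attachment(b"inert filler\r\n" + FAKE_SCAN_MARKER + b"\r\n",
                     maintype="application", subtype="octet-stream",
                     filename="Proof.exe")
    return m.as_bytes()

if __name__ == "__main__":
    print(bagle_df_indicators(constructed_sample()))
```

A message that matches on subject alone is weaker evidence than one that also carries a listed attachment name, so the returned list is best treated as a score input rather than a verdict.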
