Protector Plus Download Antivirus

W32/Bagle.N

Name: W32/Bagle.N
Aliases: W32/Bagle.n@MM, Bagle.N, W32/Bagle.N@mm, Bagle, PE, virus
Discovered on: 13th March 2004

Virus Information - W32/Bagle.N:

W32/Bagle.N is a mass-mailing worm that infects Windows systems. It spreads through email and through shared drives on the network. The worm is polymorphic and infects Windows PE files.

Infected mail carries a spoofed 'From' address, picked up randomly from the infected system or from any other shared network drive connected to the infected system.

The subject of the infected email will be any one of the following:

Warning about your e-mail account.
Site changes
Request response
Re: Yahoo!
Re: Thanks :)
Re: Thank you!
RE: Text message
RE: Protected message
Re: Document
Re: Msg reply
Re: Incoming Message
Re: Incoming Fax
Re: Hi
Re: Hello
Protected message
Notify from e-mail technical support.
Notify about your e-mail account utilization.
Notify about using the e-mail account.
Incoming message
Important notify about your e-mail account.
Important notify
Hidden message
Account notify
Forum notify
Fax Message Received
Encrypted document
Email report
Email account utilization warning.
E-mail warning
E-mail technical support warning.
E-mail technical support message.
E-mail account security warning.
E-mail account disabling warning.

The body of the infected email is random and includes password information.

The email carries an infected attachment with any one of the following names:

text_document
TextDocument
Text Readme
pub_document
MoreInfo
Message
Information
Info
Gift
first_part
Encrypted
Document
details
Attach

The extension of the attachment may be any one of the following:

.zip, .rar, .pif, .exe.
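Because the 'From' address is spoofed, a mail filter has to key on the attachment rather than the sender. The following is an added example, not code from Protector Plus or Proland Software, that flags a message when an attachment's base name and extension both appear in the lists above; the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment base names and extensions as listed on this page.
BAGLE_N_NAMES = {n.lower() for n in (
    "text_document", "TextDocument", "Text Readme", "pub_document",
    "MoreInfo", "Message", "Information", "Info", "Gift", "first_part",
    "Encrypted", "Document", "details", "Attach")}
BAGLE_N_EXTS = {".zip", ".rar", ".pif", ".exe"}


def suspicious_attachments(raw_message: bytes) -> list[str]:
    """Return attachment filenames whose base name AND extension both match."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():            # walk() also covers nested MIME parts
        filename = part.get_filename()
        if not filename:
            continue
        # Drop any path component and trailing dots/spaces before comparing.
        name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
        stem, dot, ext = name.rpartition(".")
        if dot and stem.lower() in BAGLE_N_NAMES \
                and "." + ext.lower() in BAGLE_N_EXTS:
            hits.append(filename)
    return hits


def constructed_sample(filename: str) -> bytes:
    """Build a harmless test message (constructed; payload is placeholder bytes)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"   # constructed address
    m["To"] = "user@example.com"        # constructed address
    m["Subject"] = "Re: Document"       # one of the subjects listed above
    m.set_content("constructed test body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("Details.ZIP", "Text Readme.pif", "invoice.zip", "report.pdf"):
        print(fn, "->", suspicious_attachments(constructed_sample(fn)))
```

Matching is case-insensitive, so `Details.ZIP` is flagged, while `invoice.zip` is not because its base name is not in the list.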

Upon execution of the attachment, the worm copies itself as WINUPD.EXE in the Windows System folder. It drops WINUPD.EXEOPEN and WINUPD.EXEOPENOPEN, which are copies of the worm. It creates a file WINUPD.EXEOPENOPENOPEN, which contains password information. It also looks for the string 'shar' in the available shared folders, both local and on the network; if found, the worm copies itself to these folders using the following filenames:

XXX hardcore images.exe
Windows Sourcecode update.doc.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Serials.txt.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Opera 8 New!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Matrix 3 Revolution English Subtitles.exe
Ahead Nero 7.exe
Adobe Photoshop 9 full.exe
ACDSee 9.exe

It alters the Windows registry at the following location to load itself at the next startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also attempts to terminate processes related to Protector Plus antivirus and other security-related software.

To propagate itself, the worm scans the infected machine for files with the following extensions and collects all the email addresses it finds in them:

.xml, .xls, .wsh, .wab, .uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .mbx, .jsp, .htm, .eml, .dhtm, .dbx, .nch, .msg, .mmf, .mht, .mdx, .cgi, .cfg, .asp, .adb.

The worm uses its own SMTP engine to mail itself to these email addresses.

Copyright © 2005 Proland Software. All rights reserved