| Name | W32/Bagle.Q |
| Aliases | W32/Bagle.q@MM, W32/Bagle-Q |
| Discovered on | 18th March, 2004 |
Virus Information - W32/Bagle.Q:
W32/Bagle.Q is a mass-mailing worm that infects Windows systems. It spreads
through email and through shared drives on the network. The worm is polymorphic
and infects Windows PE files.
The From address of an infected email is the recipient's <domain name>
combined with any one of the following user names:
antispam@
support@
staff@
management@
antivirus@
administration@
noreply@
The subject of the infected email will be any one of the following:
Important notify about your e-mail account.
Important notify
Hidden message
Forum notify
Fax Message Received
Encrypted document
Email report
Warning about your e-mail account.
Site changes
Request response
Re: Incoming Fax
Re: Hi
Re: Hello
Re: Document
Protected message
Notify from e-mail technical support.
Notify about your e-mail account utilization.
Notify about using the e-mail account.
Incoming message
Email account utilization warning.
E-mail warning
E-mail technical support warning.
E-mail technical support message.
E-mail account security warning.
E-mail account disabling warning.
Account notify
Re: Yahoo!
Re: Thanks :)
Re: Thank you!
RE: Text message
RE: Protected message
Re: Msg reply
Re: Incoming Message
Pass - <domain name>
Password: <domain name>
Password - <domain name>
The body of the infected email will be randomly generated
by the worm.
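The sender and subject indicators listed above are easy to turn into a mail-gateway or mailbox triage check. The following is an added example, not code from the original advisory: it parses a raw message, derives the recipient's domain from the To header, and flags a message whose From is one of the listed user names at that same domain, or whose Subject is one of the listed strings (including the three variants that embed the domain). The two sample messages are constructed for the demonstration and are not real captures.

```python
"""Flag e-mail that matches the W32/Bagle.Q sender and subject indicators."""
import email
from email import policy
from email.utils import parseaddr

# Sender user names from the advisory; the domain is always the recipient's own.
SENDER_LOCAL_PARTS = frozenset({
    "antispam", "support", "staff", "management",
    "antivirus", "administration", "noreply",
})

# Fixed subjects from the advisory, compared case-insensitively after trimming.
FIXED_SUBJECTS = frozenset(s.lower() for s in (
    "Important notify about your e-mail account.", "Important notify",
    "Hidden message", "Forum notify", "Fax Message Received",
    "Encrypted document", "Email report", "Warning about your e-mail account.",
    "Site changes", "Request response", "Re: Incoming Fax", "Re: Hi",
    "Re: Hello", "Re: Document", "Protected message",
    "Notify from e-mail technical support.",
    "Notify about your e-mail account utilization.",
    "Notify about using the e-mail account.", "Incoming message",
    "Email account utilization warning.", "E-mail warning",
    "E-mail technical support warning.", "E-mail technical support message.",
    "E-mail account security warning.", "E-mail account disabling warning.",
    "Account notify", "Re: Yahoo!", "Re: Thanks :)", "Re: Thank you!",
    "RE: Text message", "RE: Protected message", "Re: Msg reply",
    "Re: Incoming Message",
))

# Subjects that embed the recipient's domain name ({d} is filled in at check time).
DOMAIN_SUBJECT_TEMPLATES = ("pass - {d}", "password: {d}", "password - {d}")


def _domain_of(address):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_indicator(from_header, recipient_domain):
    """True when From is <listed user name>@<recipient's own domain>."""
    _, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return False
    local, domain = addr.rsplit("@", 1)
    return local.lower() in SENDER_LOCAL_PARTS and domain.lower() == recipient_domain


def subject_indicator(subject, recipient_domain):
    """True when Subject is one of the fixed strings or a domain-bearing variant."""
    s = (subject or "").strip().lower()
    if s in FIXED_SUBJECTS:
        return True
    if not recipient_domain:
        return False
    return any(s == t.format(d=recipient_domain) for t in DOMAIN_SUBJECT_TEMPLATES)


def classify_message(raw):
    """Parse one raw message and return the set of Bagle.Q indicators it matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    recipient_domain = _domain_of(msg["To"])
    hits = set()
    if recipient_domain and sender_indicator(msg["From"], recipient_domain):
        hits.add("spoofed-sender")
    if subject_indicator(msg["Subject"], recipient_domain):
        hits.add("known-subject")
    return hits


# Constructed sample messages (not real captures) for a stand-alone run.
SAMPLE_SUSPECT = """From: support@example.org
To: alice@example.org
Subject: Password - example.org

(body omitted)
"""

SAMPLE_BENIGN = """From: bob@partner.example
To: alice@example.org
Subject: Re: lunch on Friday?

See you then.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, sorted(classify_message(raw)))
```

Matching on the From domain alone is the stronger of the two signals, since legitimate mail from `support@` at your own domain normally originates inside your own mail system and a mismatch between the claimed sender domain and the connecting host is the kind of check SPF was later designed to make routine.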
The worm exploits the Object Tag vulnerability in Internet Explorer to
download and execute the worm file directs.exe from its own IP range.
It checks for the word 'shar' in the names of the available shared folders,
both local and on the network; where found, the worm copies itself to these
folders using the following filenames:
XXX hardcore images.exe
Windows Sourcecode update.doc.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Serials.txt.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Opera 8 New!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Matrix 3 Revolution English Subtitles.exe
Ahead Nero 7.exe
Adobe Photoshop 9 full.exe
ACDSee 9.exe
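Because the worm only copies itself into folders whose names contain 'shar', a sweep of file servers for the filenames above is a cheap way to find infected hosts on a network. The following is an added example, not code from the original advisory: it walks a directory tree, reports every file whose name is on the drop list, and records whether the containing folder matches the worm's 'shar' targeting rule. The `build_sample_tree` helper creates a constructed directory layout in a temporary directory so the sweep can be run stand-alone; it does not represent a real infection.

```python
"""Sweep a directory tree for the filenames W32/Bagle.Q drops into shared folders."""
import os
import tempfile

# Filenames from the advisory, compared case-insensitively.
DROPPED_FILENAMES = frozenset(n.lower() for n in (
    "XXX hardcore images.exe", "Windows Sourcecode update.doc.exe",
    "Windown Longhorn Beta Leak.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Serials.txt.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Porno Screensaver.scr",
    "Porno pics arhive, xxx.exe", "Opera 8 New!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Matrix 3 Revolution English Subtitles.exe", "Ahead Nero 7.exe",
    "Adobe Photoshop 9 full.exe", "ACDSee 9.exe",
))


def is_share_like(dirname):
    """The worm targets folders whose name contains 'shar' (e.g. 'Shared', 'share')."""
    return "shar" in os.path.basename(dirname).lower()


def find_dropped_files(root):
    """Return sorted (path, in_share_like_folder) pairs for every listed filename under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in DROPPED_FILENAMES:
                hits.append((os.path.join(dirpath, name), is_share_like(dirpath)))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory layout (not a real infection) to exercise the sweep."""
    root = tempfile.mkdtemp(prefix="bagle_sweep_")
    layout = {
        "Shared Docs": ["Serials.txt.exe", "budget.xls"],   # share-like folder, one hit
        "music": ["WinAmp 6 New!.exe"],                    # not share-like, still a hit
        "shar_pub": ["readme.txt"],                        # share-like, nothing dropped
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()   # empty placeholder files
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, in_share in find_dropped_files(sample_root):
        print(("share-like " if in_share else "other      ") + path)
```

A hit outside a 'shar'-named folder is still worth examining: the list above is also what the worm presents to users browsing the share, so a copy elsewhere usually means someone opened one of these files and it has since been moved or copied by hand.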
It alters the Windows registry at the following location so that it is
loaded again at the next startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also attempts to terminate processes belonging to antivirus and other
security software.
To propagate itself, the worm scans the infected machine for files with the
following extensions and collects all the email addresses it finds in them:
.xml, .xls, .wsh, .wab,
.uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .mbx, .jsp,
.htm, .eml, .dhtm, .dbx, .nch, .msg, .mmf, .mht, .mdx, .cgi, .cfg, .asp,
.adb.
The worm uses its own SMTP engine to mail itself to these email
addresses.