









W32/Bagle.U

| Name | W32/Bagle.U |
| Aliases | W32/Bagle.u@MM, Bagle.U, W32/Bagle.U@mm, Bagle, FSG, worm |
| Discovered on | 26th March, 2004 |

Virus Information - W32/Bagle.U:
W32/Bagle.U is a mass-mailing worm. It infects Windows systems and
spreads through email. The subject and the body of the email are blank.
The email carries an infected attachment with a random filename and an
.exe extension, and a spoofed 'From' address picked at random from the
infected system.
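
A mail-gateway heuristic for the message traits described above (blank subject, blank body, .exe attachment), as an added example that is not part of the original write-up. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy


def bagle_u_traits(raw: bytes) -> dict:
    """Extract the three mail traits this write-up lists for W32/Bagle.U."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part is not None else ""
    # Attachment names are random, so only the extension is a usable signal.
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    exe_names = [n for n in names if n.lower().endswith(".exe")]
    return {"blank_subject": not subject, "blank_body": not body,
            "exe_attachments": exe_names}


def matches_profile(raw: bytes) -> bool:
    """True only when all three traits are present in the same message."""
    t = bagle_u_traits(raw)
    return t["blank_subject"] and t["blank_body"] and bool(t["exe_attachments"])


def constructed_message(subject: str, body: str, filename: str) -> bytes:
    """Build a harmless test message (constructed sample, not a real capture)."""
    return (
        "From: sender@example.com\r\n"
        "To: recipient@example.com\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        f"{body}\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        "Y29uc3RydWN0ZWQ=\r\n"   # base64 of the text "constructed"
        "--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for args in [("", "", "qwzlp.exe"), ("Invoice", "", "qwzlp.exe"),
                 ("", "", "notes.txt")]:
        print(args, matches_profile(constructed_message(*args)))
```
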
Upon execution of the attachment, the worm copies itself as gigabit.exe
into the Windows System folder. It also searches for the game file
Mshearts.exe and, if found, tries to execute it.
It also alters the Windows registry at
the following location to load itself during the next startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software
To propagate itself, the worm scans all
files on the infected system that have the following extensions
and collects all the available email addresses:
.pl, .rtf, .oft, .txt, .uin, .jsp, .tbb, .cgi, .sht, .vbs,
.doc, .dbx, .asp, .adb, .php, .htm, .eml, .xml, .wab, .wsh, .msg, .html,
.dhtm, .shtm
The worm mails itself to these addresses
using its own SMTP engine.
The worm does not mail itself to email
addresses containing the following strings:
@microsoft
@avp
The worm opens port 4751 to allow access to the infected
computer.
