









W32/Bagle.V

| Name | W32/Bagle.V |
| Aliases | WORM_BAGLE.V, W32.Beagle.U@mm, Win32:Beagle-U, Worm/Bagle.U.2, Win32/Bagle.V@mm, Bagle, worm |
| Discovered on | 29th March, 2004 |

Virus Information - W32/Bagle.V:
W32/Bagle.V is a mass-mailing worm. It
infects Windows systems and spreads through email.
The infected email carries a spoofed 'From'
address picked at random from the infected system.
The subject and the body of the email are blank. It carries
an infected attachment with a random filename and an .exe extension.
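
The mail traits described above (blank subject, blank body, a randomly named .exe attachment) can be checked at a mail gateway. The following is an added example, not part of the original advisory; the function names, sample addresses and sample filenames are constructed for illustration.

```python
"""Added example: mail-gateway heuristic for the traits described above."""
from email import message_from_bytes, policy


def bagle_v_mail_traits(raw: bytes) -> dict:
    """Report which of the described traits a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject") or "").strip()  # absent header counts as blank
    body = b""
    exe_names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # The filename is random, so only the extension is a usable signal.
            if name.lower().endswith(".exe"):
                exe_names.append(name)
        elif part.get_content_maintype() == "text":
            body += part.get_payload(decode=True) or b""
    traits = {
        "blank_subject": subject == "",
        "blank_body": body.strip() == b"",
        "exe_attachments": exe_names,
    }
    # The From address is spoofed, so it is deliberately not used as a signal.
    traits["matches_description"] = (
        traits["blank_subject"] and traits["blank_body"] and bool(exe_names))
    return traits


def constructed_message(subject_line: str, body: str, filename: str) -> bytes:
    """Build a constructed sample message (not a captured one)."""
    return (
        "From: alice@example.com\r\nTo: bob@example.org\r\n"
        f"{subject_line}MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\n"
        f"{body}\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        "Y29uc3RydWN0ZWQ=\r\n--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for args in (("Subject: \r\n", "", "qzkvhtrw.exe"),
                 ("Subject: Minutes\r\n", "See attached.", "minutes.txt")):
        print(args[2], bagle_v_mail_traits(constructed_message(*args)))
```

A match on all three traits is a heuristic for quarantine and review, not proof of infection; a blank message with an .exe attachment can have other origins.
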
Upon execution of the attachment, the worm copies itself as sysinfo.exe
to the Windows System folder. It also searches for the game file
Mshearts.exe and, if found, tries to execute it.
It also alters the Windows registry at
the following location to load itself during the next startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software
To propagate itself, the worm scans all
files on the infected system that have the following extensions
and collects all the available email addresses:
.txt, .xml, .xls, .asp,
.htm, .jsp, .cgi, .php, .dbx, .mbx, .mdx, .sht, .stm, .adb, .eml, .nch,
.ods, .oft, .mht, .mmf, .msg, .cfg, .tbb, .uin, .wab, .wsh, .dhtm, .shtm.
The worm mails itself to these addresses
using its own SMTP engine.
The worm does not mail itself to email
addresses containing the following strings:
@microsoft
@avp
The worm opens port 4751 to allow access to the infected
computer.
