Type: Bagle worm variant that spreads via email and fileshares/P2P networks.
Discovered: March 2, 2006
Aliases: W32/Bagle-DO (Sophos), W32/Bagle.dy@MM (McAfee), Email-Worm.Win32.Bagle.fr (Kaspersky), W32.Beagle.DX@mm (Symantec), WORM_BAGLE.DQ (Trend Micro), Win32/Bagle.AN (CA), Win32.Bagle.FM@mm (BitDefender), Worm/Bagle.FS (Avira)

The email sent by this variant of the Bagle worm spoofs (impersonates) the From sender. The subject line will be one of the following:

Pay your debts before we come to you
Call to your lawer immidiately
Lawsuit against you
We wait your response

Three messages may be sent by the worm, all of a legal nature and all beginning with:

LAWSUIT AGAINST YOU (CLICK TO ATTACHED DOCUMENT FOR MORE INFORMATION)

The rest of the email plagiarizes example letters from various legal resources. For example, one "Lawsuit Against You" email complains of receiving an unsolicited fax. A second "Lawsuit Against You" email revolves around an identity theft / credit dispute. That letter was taken verbatim from a sample letter found on the Credit InfoCenter website. The third "Lawsuit Against You" email revolves around a faulty auto repair claim aimed at Tucker's Fix-It-Quick Garage, and is taken from the Nolo legal resource website.

The email carries one of the following named attachments:

lawsuit.exe
explanation.exe
documents.exe

This Bagle variant installs itself to the Windows System directory as win32lib.exe and modifies the HKCU\..Run key to load this file whenever Windows is started.

The worm also tries to spread via P2P networks. To do so, it copies itself to any folder with the string 'shar' in its folder name. The copies of the worm are named as follows:

Adobe Photoshop 9 full.exe
Ahead Nero 10.exe
Britney Spears sex photos.exe
IE beta 7.exe
Porno Screensaver.scr
Serials 2005 database.exe
Serials.txt.exe
Windown Vista Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
anna benson sex video.exe
barrett jackson nude photos, movies, porn video.exe
jenna elfman sex anal deepthroat.exe
kate beckinsale nude pictures.exe
miss america Porno, sex, oral, anal cool, awesome!!.exe
paris hilton Porno pics arhive, xxx.exe

This variant of the Bagle worm also tries to download additional malware from a wide range of hardcoded website locations.

To remove this variant of the Bagle worm, update your antivirus software, scan your system and remove any infected files found.
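The indicators listed above can be turned into a quick triage check for mail and file listings. The following is an added example, not part of the original description: the function names, the system32/system folder names, and the rule that flags any .exe or .scr file in a 'shar' folder (a broader heuristic than the exact name list) are assumptions, and the sample message is constructed.

```python
import ntpath
from email import message_from_string
from email.message import EmailMessage

# Indicators taken from the description above (compared case-insensitively).
SUBJECTS = {
    "pay your debts before we come to you",
    "call to your lawer immidiately",
    "lawsuit against you",
    "we wait your response",
}
ATTACHMENTS = {"lawsuit.exe", "explanation.exe", "documents.exe"}
DROPPED_NAME = "win32lib.exe"
SYSTEM_DIRS = {"system32", "system"}  # assumption: usual Windows System directory names


def email_hits(raw_message):
    """Return the reasons a raw RFC 822 message matches the worm's email traits."""
    msg = message_from_string(raw_message)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    names = {(part.get_filename() or "").lower() for part in msg.walk()}
    if names & ATTACHMENTS:
        hits.append("attachment")
    return hits


def file_hits(paths):
    """Map each suspicious Windows path to the reason it was flagged."""
    hits = {}
    for path in paths:
        folder, name = ntpath.split(path.lower())
        parent = ntpath.basename(folder)
        if name == DROPPED_NAME and parent in SYSTEM_DIRS:
            hits[path] = "installed copy"
        elif "shar" in parent and name.endswith((".exe", ".scr")):
            hits[path] = "executable in P2P share folder"
    return hits


def sample_email(subject, filename):
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["From"], m["Subject"] = "sender@example.com", subject
    m.set_content("LAWSUIT AGAINST YOU")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

A subject-only hit is weak evidence on its own; treat it as a prompt to inspect the attachment rather than as a verdict.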