W32/Bagle.AQ

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Bagle.AQ Worm

Information about the W32/Bagle.AQ Worm:

W32/Bagle.AQ is a mass mailing worm. This worm will infect Windows systems and spreads through email. The worm also has a backdoor function, which opens UDP and TCP port.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the email will be blank.

The body of the infected mail will be:

new price

It carries any one of the following infected attachment:

new__price.zip
newprice.zip
08_price.zip
price.zip
price2.zip
price_08.zip
new_price.zip
price_new.zip

Upon execution of the attachment, the worm copies itself as windll.exe in the Windows System folder. It drops windll.exeopen and windll.exeopenopen which are copies of the worm.

It also alters the windows registry at the following location to load itself during next startup;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It creates several mutex to ensure only one instance of the worm is running. It terminates some variants of W32/Netsky.

_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
'D'r'o'p'p'e'd'S'k'y'N'e't'
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo

To propogate itself the worm scans all the files present in the infected system having the following extensions and collects all the available email addresses.

.txt, .xml, .xls, .asp, .htm, .jsp, .cgi, .php, .dbx, .mbx, .mdx, .sht, .stm, .adb, .eml, .nch, .ods, .oft, .mht, .mmf, .msg, .cfg, .tbb, .uin, .wab, .wsh, .dhtm, .shtm, .pl.

The worm mails itself to these addresses using its own SMTP engine.

The worm does not mail itself to email addresses containing the following strings:

@derewrdgrs
gold-certs@
@eerswqe
anyone@
rating@
f-secur
certific
update
winrar
winzip
noone@
@iana
abuse
admin
@avp.
@foo
bugs@
info@
kasp
news
pgp
bsd
spam
unix
ntivi
cafee
feste
linux
local
help@
panda
root@
sopho
google
free-av
nobody@
noreply
support
samples
listserv
icrosoft
postmaster@
@messagelab
@microsoft

This worm first appeared on 9th August, 2004.

Other names of W32/Bagle.AQ Worm:

This Worm is also known as W32/Bagle.aq@MM, W32/Bagle-AQ, W32.Beagle.AO@mm, WORM_BAGLE.AC, Win32.Bagle.AG.

Click here to download a 30 day Evaluation Copy of
Protector Plus for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2007 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware. Protector Plus antivirus software can detect and remove W32/Bagle.AQ worm reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus Antivirus software