W32/Bagle.Z Worm

 Information about the W32/Bagle.Z Worm:

W32/Bagle.Z is a mass mailing worm. The worm will infect Windows systems. This worm spreads through email and shared drives on the network.

The from address of infected email contains the recipient's <domain name> along with any one of the following user name.

christina@
secretGurl@
annie@
jessie@
ann@
christy@
lizie@

The subject of the infected email will be any one of the following;

Let's talk, my friend!
Site changes
Request response
Notify from a known person ;-)
RE: Protected message
Hidden message
Re: Yahoo!
Encrypted Document
Re: Thank you!
Hello!
Re: Msg reply
Incoming message
Re: Incoming Fax
Re: Hello
I just need a friend
Re: Document
RE: Text message
Protected message
Let's socialize, my friend!
Re: Incoming Message
I'm bored with this life
Re: Thanks :)
I like you
Hey!
Forum notify
Fax Message Received
I'm a sad girl...

The body of the infected email will be randomly generated by the worm.

The infected email carries two attachments.

1)Contains a picture of a girl in .jpg format.
2)Contains the worm file with any one of the following extension;

.zip
.vbs
.scr
.hta
.exe
.cpl
.com

Upon execution of the infected attachment. The worm displays a fake dialog box with a message, "Can't find a viewer associated with the file". It drops the following files in Windows System folder;

drvsys.exe
drvsys.exeopen
drvsys.exeopenopen

It also checks for a word 'shar' in the available shared folders in both local and network, if found the worm copies itself to these folders using the following filenames;

XXX hardcore images.exe
Windows Sourcecode update.doc.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Serials.txt.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Opera 8 New!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Matrix 3 Revolution English Subtitles.exe
Kaspersky Antivirus 5.0
KAV 5.0
Ahead Nero 7.exe
Adobe Photoshop 9 full.exe

The worm opens port 2535 to allow access to the infected system.

It alters the windows registry at the following location to load itself during next startup;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also attempts to terminate processes related to antivirus and security related softwares.

To propagate itself, the worm scans the infected machine for the files having the following extensions and collects all the available email addresses;

.xml .xls .wsh .wab .uin .txt .tbb .stm .shtm .sht .pl .php .oft .ods .nch .msg .mmf .mht .mdx .mbx .jsp
.htm .eml .dhtm .dbx .cgi .cfg .asp .adb.

The worm uses its own SMTP engine to mail itself to these email addresses. The worm will terminate itself if system date is after January 25, 2005.

This worm first appeared on 26th April, 2004.

 Other names of W32/Bagle.Z Worm:

This Worm is also known as W32/Bagle.Z@MM, WORM_Bagle.X, W32.Beagle.W@mm, W32/Bagle.W@mm.