W32/Bagle.ai@MM

08/10/04 - W32/Bagle.ai@MM spreads via e-mail. It is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests e-mail addresses from the victim machine
the From: address of the messages it sends is spoofed
the attachment can be a password-protected ZIP file, with the password included in the message body
contains a remote access component (a notification is sent to the attacker)
copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, BearShare, LimeWire, etc.)
creates various mutex names taken from those used by W32/Netsky variants, so that those W32/Netsky variants will not run on the infected machine
terminates processes of security programs and other worms
deletes registry entries of security programs and other worms

Mail Propagation

The details are as follows:

From: (address is spoofed)
Subject: Re:
Body Text (one of the following):

>foto3 and MP3
>fotogalary and Music
>fotoinfo
>Lovely animals
>Animals
>Predators
>The snake
>Screen and Music
The worm will add the following body text if the attachment is sent as a password-protected ZIP file.

Password: (random number)
Pass - (random number)
Key - (random number)

Attachment: (with extension .EXE, .SCR, .COM, .CPL or .ZIP)

MP3
Music_MP3
New_MP3_Player
Cool_MP3
Doll
Garry
Cat
Dog
Fish

Password-protected ZIP files may also contain a second, randomly-named file with one of the following extensions:

.ini
.cfg
.txt
.doc
.vxd
.def
.dll
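The message characteristics listed above can be turned into a simple mail-gateway check. The following is an added example, not part of the original alert or of any vendor tool: it parses a raw RFC 822 message with Python's standard email module and reports which of the alert's indicators (the "Re:" subject, the listed body-text lines, the numeric password hint, and a listed attachment name with one of the listed extensions) are present. The two sample messages are constructed for the example, and the quarantine threshold (attachment lure plus at least one other indicator) is an assumption chosen to keep false positives down on ordinary "Re:" replies.

```python
"""Added example: check a raw e-mail message for the W32/Bagle.ai@MM
indicators described in the alert (subject, body text, password hint,
attachment name/extension). Indicator lists are copied from the alert."""
import os
import re
from email import message_from_string
from email.message import Message

SUBJECTS = {"re:"}
BODY_LINES = {
    "foto3 and MP3", "fotogalary and Music", "fotoinfo", "Lovely animals",
    "Animals", "Predators", "The snake", "Screen and Music",
}
ATTACHMENT_NAMES = {
    "MP3", "Music_MP3", "New_MP3_Player", "Cool_MP3",
    "Doll", "Garry", "Cat", "Dog", "Fish",
}
ATTACHMENT_EXTS = {".exe", ".scr", ".com", ".cpl", ".zip"}
# Matches "Password: 12345", "Pass - 12345" or "Key - 12345" on its own line.
PASSWORD_HINT = re.compile(r"^\s*(?:Password:|Pass -|Key -)\s*\d+\s*$", re.MULTILINE)


def _text_body(msg: Message) -> str:
    """Concatenate the decoded text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _attachment_names(msg: Message) -> list:
    """Filenames of all parts that carry one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def bagle_ai_indicators(raw_message: str) -> list:
    """Return the alert indicators found in the message, in a fixed order."""
    msg = message_from_string(raw_message)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in SUBJECTS:
        hits.append("subject")
    body = _text_body(msg)
    # The alert shows the body lines with a leading ">", so tolerate it.
    body_lines = {line.strip().lstrip(">").strip() for line in body.splitlines()}
    if body_lines & BODY_LINES:
        hits.append("body-text")
    if PASSWORD_HINT.search(body):
        hits.append("password-hint")
    for name in _attachment_names(msg):
        stem, ext = os.path.splitext(name)
        if stem in ATTACHMENT_NAMES and ext.lower() in ATTACHMENT_EXTS:
            hits.append("attachment:" + name)
    return hits


def should_quarantine(raw_message: str) -> bool:
    """Assumed policy: a listed attachment plus at least one other indicator."""
    hits = bagle_ai_indicators(raw_message)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and len(hits) >= 2


# Constructed sample messages (not real captures).
SUSPECT_MESSAGE = """\
From: friend@example.org
To: user@example.edu
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

>fotoinfo
Password: 48213
--b1
Content-Type: application/zip; name="Cat.zip"
Content-Disposition: attachment; filename="Cat.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

BENIGN_MESSAGE = """\
From: colleague@example.edu
To: user@example.edu
Subject: Re: meeting notes
Content-Type: text/plain; charset="us-ascii"

Attached are the notes from today. Password for the share is in the wiki.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, bagle_ai_indicators(raw), "quarantine:", should_quarantine(raw))
```

Because the password is sent in clear text in the same message, a gateway can detect this lure without opening the ZIP; the check above flags the hint line itself rather than trying to inspect the archive.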

More info on this worm:
http://vil.nai.com/vil/content/v_126798.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_126798.htm

Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger
