W32/Bagle.aq@MM

08/10/04 - W32/Bagle.aq@MM spreads via e-mail and follows the routine described below.

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests e-mail addresses from the victim machine
spoofs the From: address of the messages it sends
sends a ZIP file attachment that contains an EXE and an HTML file
contains a remote access component (a notification is sent to the attacker)
copies itself to folders whose name contains the string "shar" (typically the shared folders of common peer-to-peer applications such as KaZaa, Bearshare and Limewire)

The worm sends out a ZIP file which contains an HTML file and an EXE file. The EXE file sits inside a folder within the ZIP file, so that when the archive is viewed with Windows Explorer (rather than a stand-alone ZIP handler such as WinZip or PKzip) only the HTML file and a separate folder are visible.

The HTML file contains exploit code which, on vulnerable systems, automatically runs the EXE file, which is a downloader trojan. The downloader trojan then contacts a large number of remote websites to retrieve the virus itself.

Mail Propagation

The virus which is downloaded contains the propagation code. The details are as follows:

From : (address is spoofed)
Subject : (blank)

Body Text:

new price

There are indications in the file that it may also password-protect some ZIP files, in which case it adds one of the following to the message body:

The password is
Password:

The password itself is then contained in an embedded image file.

Attachment: (may be one of the following)

price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
new__price.zip
The ZIP file contains PRICE.EXE and PRICE.HTML, as described above.

If the ZIP file is opened with Windows Explorer (rather than a stand-alone ZIP handler such as WinZip or PKzip), the HTML file is visible along with a folder which contains the EXE file. When the HTML file is opened on a vulnerable system, it runs the EXE file.
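The attachment layout described above (an HTML file at the top level of the archive, the EXE hidden in a sub-folder, a filename from the list, and optionally a password-protected archive) is something a mail gateway can check for. The following is an added example written for this page, not code from the original alert or from the vendor; the sub-folder name inside the sample archive is an assumption, since the alert does not give it, and the sample archive is constructed harmless test data.

```python
import io
import zipfile

# Attachment names listed in the alert for this Bagle variant.
BAGLE_AQ_ATTACHMENT_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}


def inspect_zip_attachment(filename, data):
    """Return the list of indicators found in one ZIP attachment.

    Checks: a filename from the alert's list, an HTML file at the top
    level of the archive together with an EXE inside a sub-folder, and
    encrypted (password-protected) entries. Archives that cannot be
    parsed are reported rather than silently passed.
    """
    indicators = []
    if filename.lower() in BAGLE_AQ_ATTACHMENT_NAMES:
        indicators.append("known-bagle-aq-attachment-name")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [zi for zi in zf.infolist() if not zi.is_dir()]
    except zipfile.BadZipFile:
        return indicators + ["unreadable-zip"]
    # Bit 0 of the general-purpose flag marks an encrypted entry.
    if any(zi.flag_bits & 0x1 for zi in infos):
        indicators.append("password-protected-zip")
    names = [zi.filename for zi in infos]
    top_html = any("/" not in n and n.lower().endswith((".html", ".htm"))
                   for n in names)
    nested_exe = any("/" in n and n.lower().endswith(".exe") for n in names)
    if top_html and nested_exe:
        indicators.append("html-plus-nested-exe-layout")
    return indicators


def build_sample_zip():
    """Constructed harmless archive with the layout the alert describes.

    The folder name "folder/" is an assumption; the real sub-folder name
    is not given in the alert. Neither entry contains executable content.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PRICE.HTML", "<html>constructed sample</html>")
        zf.writestr("folder/PRICE.EXE", "constructed sample, not a program")
    return buf.getvalue()
```

A gateway would quarantine a message when the layout indicator fires, and a listed filename or an encrypted archive on its own justifies closer inspection rather than delivery.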

More info on this worm:
http://vil.nai.com/vil/content/v_127423.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_127423.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
