I-Worm.Bagle.a
01.18.04 14:09 GMT
Status: moderate risk
This is a worm which spreads via the Internet attached to infected emails. The worm itself is a Windows PE EXE file of about 15KB.
Contents of infected messages:
From: [random sender]
Subject: Hi
Body: Test =)
Signature: Test, yep
Attachment: [random name]
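A mail-gateway check for the message traits listed above, as an added example that is not part of the original advisory. The function names, the 12-18 KB window used for "about 15KB" and the sample message are assumptions made for illustration; the attachment in the sample is inert filler.

```python
import email
from email.message import EmailMessage

# Traits taken from the advisory text.
SUBJECT = "Hi"
BODY_MARKERS = ("Test =)", "Test, yep")
# Assumption: "about 15KB" is treated as a 12-18 KB window.
SIZE_RANGE = (12 * 1024, 18 * 1024)

def bagle_a_traits(raw: bytes) -> dict:
    """Report which of the described message traits a raw RFC 822 message has."""
    msg = email.message_from_bytes(raw)
    text, pe_attachment = "", False
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename() is not None:
            # The attachment name is random, so test content: PE files start with "MZ".
            in_range = SIZE_RANGE[0] <= len(payload) <= SIZE_RANGE[1]
            pe_attachment = pe_attachment or (payload[:2] == b"MZ" and in_range)
        elif part.get_content_type() == "text/plain":
            text += payload.decode(part.get_content_charset() or "latin-1", "replace")
    return {
        "subject": str(msg.get("Subject", "")).strip() == SUBJECT,
        "body": all(marker in text for marker in BODY_MARKERS),
        "pe_attachment": pe_attachment,
    }

def is_suspect(raw: bytes) -> bool:
    """Flag only when every trait matches, since "Hi" alone is a common subject."""
    return all(bagle_a_traits(raw).values())

def build_sample(subject: str, body: str, attachment: bytes, name: str) -> bytes:
    """Build a constructed test message; the attachment bytes are supplied by the caller."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(attachment, maintype="application",
                     subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * (15 * 1024 - 2)  # constructed, inert filler
    sample = build_sample("Hi", "Test =)\n--\nTest, yep\n", fake_pe, "qwerty.exe")
    print(bagle_a_traits(sample), is_suspect(sample))
```

Requiring all three traits keeps ordinary mail with the subject "Hi" from being flagged.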
Installation
The worm is activated only when a user clicks on the attached file. Then the worm copies itself to the System directory under the name "bbeagle.exe" and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe" = "%system%\bbeagle.exe"
The worm runs the Windows application "calc.exe".
The worm attempts to connect to several remote sites related to TrojanProxy.Win32.Mitglieder.
Replication
The worm searches disk drives for files with the following extensions:
wab, txt, htm, html, r1
and scans them for email-like text strings, then sends infected messages to the email addresses found. The worm uses its own SMTP engine to send infected messages.
Backdoor function
The worm opens port 6777 to listen for commands. The backdoor function allows the attacker to download files and execute commands on the infected computer.
Other
If the system date is later than 28th January 2004, the worm will not have any effect.