-- Update June 21, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
This is a mass-mailing virus that spreads inside a password-protected ZIP file. Alongside the ZIP, each infected message carries an image that shows the password for the archive. Because the archive is password protected, a scanner cannot open its contents; infection depends on the recipient reading the password off the image, opening the ZIP with it, and then manually running the .EXE inside. That EXE is proactively detected as New Malware.b with the released DAT files. The same variant also exists in packed form, and that package is proactively detected as W32/Bagle.dldr with the released DAT files.
- Update 6/20/2006 -
This Bagle variant has been discovered in packed and unpacked forms today. The unpacked version is proactively detected as W32/Bagle.dldr.
This is a mass-mailing worm with the following characteristics:
The details are as follows:
From : (address is spoofed)
Each of these is followed by the image from the attached GIF file.
It may also include one of the following two phrases before the password:
Attachment: (randomly named EXE and GIF files)
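The message format described above, an encrypted ZIP plus a GIF that shows its password, is what a mail gateway has to catch, since a password-protected archive cannot be content-scanned. The Python below is an added example, not McAfee's or the worm's code: it writes a ZipCrypto-protected ZIP by hand (the standard library reads such entries but cannot write them), wraps it together with a constructed GIF in a MIME message, and applies a gateway rule to the result. The point it demonstrates is that traditional PKWARE encryption covers only entry contents, so the encryption flag and the entry names in the central directory stay readable without the password and are enough to refuse an encrypted archive that contains an executable. The addresses, filenames, password, payload bytes and the EXEC_EXT policy are all assumptions invented for the example.

```python
"""Gateway check for the Bagle lure (encrypted ZIP + image carrying the password).
Added example, not the advisory's or the worm's code; all sample data is constructed."""
import io
import struct
import zlib
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Standard reflected CRC-32 table (poly 0xEDB88320), used by the PKWARE key schedule.
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def zipcrypto_encrypt(plain: bytes, password: bytes, crc: int) -> bytes:
    """Traditional PKWARE ("ZipCrypto") encryption of one stored entry.
    Returns the 12-byte encryption header followed by the ciphertext."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(b: int) -> None:          # key schedule, fed one plaintext byte at a time
        nonlocal k0, k1, k2
        k0 = _CRCTAB[(k0 ^ b) & 0xFF] ^ (k0 >> 8)
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = _CRCTAB[(k2 ^ (k1 >> 24)) & 0xFF] ^ (k2 >> 8)

    def keystream_byte() -> int:
        t = (k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    for b in password:
        update(b)
    # Header: 11 filler bytes (random in real archives, fixed here for reproducibility)
    # plus the high byte of the CRC, which readers use to verify the password.
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])
    out = bytearray()
    for b in header + plain:
        out.append(b ^ keystream_byte())
        update(b)
    return bytes(out)


def build_zip(name: str, data: bytes, password: bytes = b"") -> bytes:
    """Write a one-entry, stored ZIP by hand; encrypt it if a password is given."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(data, password, crc) if password else data
    flags = 0x0001 if password else 0          # general-purpose bit 0: entry is encrypted
    fname = name.encode("ascii")
    dos_time, dos_date = 0, 0x34D5             # 2006-06-21, the advisory's date
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, dos_time, dos_date,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def open_entry(zip_bytes: bytes, name: str, password: bytes):
    """What the victim does after reading the password off the GIF. None if it fails."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.read(name, pwd=password)
    except (RuntimeError, zipfile.BadZipFile):   # missing/bad password, or CRC mismatch
        return None


def build_message(attachments) -> bytes:
    """Constructed lure: attachments are (filename, maintype, subtype, bytes) tuples."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"     # assumed, spoofed like the worm's From:
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re:"
    msg.set_content("The password is in the attached image.")
    for fname, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=fname)
    return msg.as_bytes()


EXEC_EXT = {"exe", "scr", "pif", "com"}   # assumed gateway policy, not from the advisory


def classify_message(raw: bytes) -> dict:
    """Rule: encrypted ZIP together with an executable inside or an image "password card"."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    res = {"encrypted_zip": False, "inner_executables": [], "image_attachment": False}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "image" or data[:4] in (b"GIF8", b"\x89PNG"):
            res["image_attachment"] = True
        if data[:4] != b"PK\x03\x04":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for zi in zf.infolist():            # names and flags are never encrypted
                    if zi.flag_bits & 0x0001:
                        res["encrypted_zip"] = True
                    if zi.filename.rsplit(".", 1)[-1].lower() in EXEC_EXT:
                        res["inner_executables"].append(zi.filename)
        except zipfile.BadZipFile:
            res["encrypted_zip"] = True              # unreadable archive: treat as opaque
    suspicious = res["inner_executables"] or res["image_attachment"]
    res["verdict"] = "block" if res["encrypted_zip"] and suspicious else "allow"
    return res


# Constructed sample: a fake "EXE" (inert bytes, not a program) and a password GIF.
PASSWORD = b"bagle06"
PAYLOAD = b"MZ" + b"inert bytes constructed for the example"
SAMPLE_ZIP = build_zip("update.exe", PAYLOAD, PASSWORD)
SAMPLE_GIF = b"GIF89a" + bytes(20)
SAMPLE_MESSAGE = build_message([("password.gif", "image", "gif", SAMPLE_GIF),
                                ("update.zip", "application", "zip", SAMPLE_ZIP)])

if __name__ == "__main__":
    print(classify_message(SAMPLE_MESSAGE))
    print(open_entry(SAMPLE_ZIP, "update.exe", PASSWORD) == PAYLOAD)
```

The rule blocks only when the archive is encrypted and either an executable name is visible inside it or an image rides along in the same message, so ordinary encrypted archives of documents still pass. Because ZipCrypto leaves the central directory in the clear, a gateway that cannot decrypt the entry can still see `update.exe`; an archive whose contents it cannot even parse is treated as opaque rather than trusted.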
The virus copies itself as HIDN.EXE to the following directory:
It also installs a rootkit component that hides directories (and all files within them) whose names contain the word "shared":
It also creates a copy of its ZIP file locally, and a fake error message:
The error message appears as follows:
A registry key is created to run itself again upon system startup:
Additionally, the following Registry keys are added:
It deletes the following registry entry, which disables booting into Safe Mode:
This worm attempts to terminate services of security programs with the following filenames:
The worm uses the following list to stop running processes:
It also prevents the following files from running:
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
The virus spoofs the sender address by using a harvested address in the From: field.
The virus avoids sending itself to addresses containing the following:
Email Address Harvesting Component
Email addresses harvested from infected machines are uploaded to a page at the following sites:
It also tries to download a file from the following list of sites:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed by cleaning with the recommended engine and DAT combination (or higher).
In some cases, however, the following additional steps are needed.
Boot into the Microsoft Recovery Console and restore a clean Master Boot Record (MBR).
On Windows XP:
On Windows Vista and 7: