W32/Bagle.AD Worm

 Information about the W32/Bagle.AD Worm:

W32/Bagle.AD is a mass mailing worm. This worm infects Windows systems. The worm spreads through email and shared drives on the network.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected email will be any one of the following;

Re: Hi
Update
Re: Hello
Re: Yahoo!
Re: Document
Site changes
Re: Thanks :)
Re: Msg reply
Re: Thank you!
RE: Text message
RE: Incoming Msg
RE: Protected message
Re: Incoming Message
RE: Message Notify
Encrypted document
Protected message
Incoming message
Notification
Forum notify
Fax Message
Changes..

The body of the infected email will be the any one of the following;

See attach.
Read the attach.
Your file is attached.
Pay attention at the attach.
Please, read the document.
Your document is attached.
See the attached file for details.
Please, have a look at the attached file.
Check attached file for details.
Attached file tells everything.
Attach tells everything.
More info is in attach
Message is in attach
Check attached file.
Here is the file.

It carries any one of the following infected attachment;

Readme
Message
Updates
MoreInfo
text_document
Information
Document
Details
Info

The extension of the attachment may be any one of the following;

zip
exe
scr
com
cpl
hta
vbs

Upon execution of the attachment, the worm copies itself as LOADER_NAME.EXE in the Windows System folder. It drops LOADER_NAME.EXEOPEN and LOADER_NAME.EXEOPENOPEN which are copies of the worm.

It alters the windows registry at the following location to load itself during next startup;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates several mutex to ensure only one instance of the worm is running. It also terminates some variants of W32/Netsky.

• AdmSkynetJklS003
• [SkyNet.cz]SystemsMutex
• ____--->>>>U<<<<--____
• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The worm also tries to terminate the processes of security related softwares.

To propagate itself, the worm scans the infected machine for the files having the following extensions and collects all the available email addresses;

.xml, .xls, .wsh, .wab, .uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .mbx, .jsp, .htm, .eml, .dhtm, .dbx, .nch, .msg, .mmf, .mht, .mdx, .cgi, .cfg, .asp, .adb.

The worm uses its own SMTP engine to mail itself to these email addresses.

This worm first appeared on 5th July, 2004.

 Other names of W32/Bagle.AD Worm:

This Worm is also known as W32/Bagle.ad@mm, WORM_BAGLE.AD, W32.Beagle.Y@mm.