W32/Bagle.BY Worm

 Information about the W32/Bagle.BY Worm:

W32/Bagle.BY is an email worm. The worm will infect Windows systems. The worm spreads through email and network. The worm also has a backdoor function, which opens a TCP port.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be blank.

The body of the infected mail will be any one of the following:

Annes
Alice
Alyce
Avice
Andrew
Androw
Androwe
Anthonie
Anthony
Anthonye
Bennet
Bennett
Cybil
Christean
Christian
Constance
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmund
Edward
Edwarde
Edmonde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Happy New Year
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jeames
Jeffrey
Jeffrye
Joane
Johen
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
New 2006
New Year's
New Year's Day.
Nicholas
Nicholaus
Nycholas
Password:
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rycharde
Samuell
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Text
The password is
Thomas
Valentyne
We congratulate happy New Year
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

The infected attachment will be any one of the following;

Annes.zip
Alice.zip
Alyce.zip
Avice.zip
Andrew.zip
Androw.zip
Androwe.zip
Anthonie.zip
Anthony.zip
Anthonye.zip
Bennet.zip
Bennett.zip
Cybil.zip
Christean.zip
Christian.zip
Constance.zip
Daniel.zip
Danyell.zip
Dorithie.zip
Dorothee.zip
Dorothy.zip
Edmond.zip
Edmund.zip
Edward.zip
Edwarde.zip
Edmonde.zip
Elizabeth.zip
Elizabethe.zip
Ellen.zip
Ellyn.zip
Emanual.zip
Emanuel.zip
Emanuell.zip
Ester.zip
Frances.zip
Francis.zip
Fraunces.zip
Gabriell.zip
Geoffraie.zip
George.zip
Grace.zip
Happy New Year.zip
Harry.zip
Harrye.zip
Henrie.zip
Henry.zip
Henrye.zip
Hughe.zip
Humphrey.zip
Humphrie.zip
Isabel.zip
Isabell.zip
James.zip
Jeames.zip
Jeffrey.zip
Jeffrye.zip
Joane.zip
Johen.zip
Josias.zip
Judeth.zip
Judith.zip
Judithe.zip
Katherine.zip
Katheryne.zip
Leonard.zip
Leonarde.zip
Margaret.zip
Margarett.zip
Margerie.zip
Margerye.zip
Margret.zip
Margrett.zip
Marie.zip
Martha.zip
Marye.zip
Michael.zip
Mychaell.zip
Nathaniel.zip
Nathaniell.zip
Nathanyell.zip
New 2006.zip
New Year's.zip
New Year's Day..zip
Nicholas.zip
Nicholaus.zip
Nycholas.zip
Password:.zip
Peter.zip
Ralph.zip
Rebecka.zip
Richard.zip
Richarde.zip
Robert.zip
Roberte.zip
Roger.zip
Rycharde.zip
Samuell.zip
Sidney.zip
Sindony.zip
Stephen.zip
Susan.zip
Susanna.zip
Suzanna.zip
Sybell.zip
Sybyll.zip
Syndony.zip
Text.zip
The password is.zip
Thomas.zip
Valentyne.zip
We congratulate happy New Year.zip
William.zip
Winifred.zip
Wynefrede.zip
Wynefreed.zip
Wynnefreede.zip

Upon execution, the worm copies itself as WIND2LL2.EXE in the Windows system folder.

The worm creates the registry entries at the following location.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n

The worm tries to connect to the following websites and download a file.

http://[blocked]/1/w3eb.php
http://[blocked]/images/w3eb.php
http://[blocked]/help/w3eb.php
http://[blocked]/1/w3eb.php
http://[blocked]/1/w3eb.php
http://[blocked]/images/w3eb.php
http://[blocked]/1/w3eb.php
http://[blocked]/1/w3eb.php

It saves the downloaded file as eml.exe in Windows folder.

It also creates several mutex to ensure only one instance of the worm is running. It also terminates some variants of W32/Netsky.

'D'r'o'p'p'e'd'S'k'y'N'e't'
[SkyNet.cz]SystemsMutex
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
____--->>>>U<<<<--____
AdmSkynetJklS003
vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

Its backdoor capabilities can also set up the infected system as a Web server, to which a remote user can upload or download a possibly malicious file.

This worm first appeared on December 25, 2005..

 Other names of W32/Bagle.BY Worm:

This Worm is also known as WORM_BAGLE.BY.