W32/Bagle.CL Worm

 Information about the W32/Bagle.CL Worm:

W32/Bagle.CL is a worm. The worm will infect Windows systems and spreads through email and Network Shares.

The subject of the infected mail will be any one of the following;

Delivery by mail
Delivery service mail
Is delivered mail
You are made active
Price
Registration is accepted

The body of the infected mail will be any one of the following;

Before use read the help
Thanks for use of our software.
February price

The infected attachment will be any one of the following;

zupd02.zip
wsd01.zip
viupd02.zip
upd02.zip
siupd02.zip
pricelist.zip
price.zip
new_price.zip
Jol03.zip
guupd02.zip
February_price.zip
21_price.zip

Upon execution of the infected attachment, the worm copies itself as SYSFORMAT.EXE in Windows System folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It searches the network for shared folders with the shar and copies itself as any one of the following;

XXX hardcore images.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
Opera 8 New!.exe
Matrix 3 Revolution English Subtitles.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
8.exe
ACDSee 9.exe
9.exe
7.exe
6.exe
5.scr
4.exe
3.exe
2.exe
10.exe
1.exe

To propagate itself, the worm scans the files having the following extensions and collects all the available email addresses from the infected system.

.dhtm and .shtm

The worm mails itself to these addresses using its own SMTP engine.

This worm first appeared on February 2, 2006.

 Other names of W32/Bagle.CL Worm:

This Worm is also known as WORM_BAGLE.CL .