This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
Propagation via Mail:
The following file types are read by the worm to harvest email addresses from an infected system.
Constructs an email message with the following characteristics:
Gwd: Msg reply
Gwd: Hello :-)
Gwd: Thank you!
Gwd: Thanks :)
Gwd: Text message
Gwd: Incoming message
Gwd: Incoming Message
Gwd: Incoming Msg
Gwd: Message Notify
Gwd: Fax Message
Gwd: Protected message
Gwd: Forum notify
Gwd: Site changes
Gwd: crypted document
Ok. Read the attach.
Ok. Your file is attached.
Ok. More info is in attach
Ok. See attach.
Ok. Please, have a look at the attached file.
Ok. Your document is attached.
Ok. Please, read the document.
Ok. Attach tells everything.
Ok. Attached file tells everything.
Ok. Check attached file for details.
Ok. Check attached file.
Ok. Pay attention at the attach.
Ok. See the attached file for details.
Ok. Message is in attach
Ok. Here is the file.
(.com or .scr is used as the extension of the worm attachment)
The spammed attachment contains a copy of this worm and may also contain a "Description.txt" file containing the following string:
you've got them already
The worm does not send itself to addresses which contain any of the following strings:
Propagation via Peer-to-Peer Networks:
This worm also propagates by dropping a copy of itself in folders that contain the string "shar" in their names. It uses the following file names for its dropped copy:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
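As an added detection example (not vendor code from this description), the following Python matches a message and a file path against the mail and peer-to-peer indicators listed above; it assumes the caller has already expanded any attached archive into (filename, text) pairs, and the indicator names it returns are this example's own labels.

```python
# Added example (not vendor code): match mail and file-share artefacts against
# the W32/Bagle.dq@MM indicators listed in this description.
import ntpath
import re

SUBJECTS = frozenset({
    "Gwd: Msg reply", "Gwd: Hello :-)", "Gwd: Thank you!", "Gwd: Thanks :)", "Gwd: Text message",
    "Gwd: Incoming message", "Gwd: Incoming Message", "Gwd: Incoming Msg", "Gwd: Message Notify",
    "Gwd: Fax Message", "Gwd: Protected message", "Gwd: Forum notify", "Gwd: Site changes",
    "Gwd: crypted document"})
BODY_TEXTS = frozenset({
    "Ok. Read the attach.", "Ok. Your file is attached.", "Ok. See attach.", "Ok. Here is the file.",
    "Ok. More info is in attach", "Ok. Please, have a look at the attached file.",
    "Ok. Your document is attached.", "Ok. Please, read the document.", "Ok. Attach tells everything.",
    "Ok. Attached file tells everything.", "Ok. Check attached file for details.",
    "Ok. Check attached file.", "Ok. Pay attention at the attach.", "Ok. Message is in attach",
    "Ok. See the attached file for details."})
WORM_EXTENSIONS = (".com", ".scr")             # extension of the spammed worm copy
DESCRIPTION_NOTE = "you've got them already"   # text inside the optional Description.txt
P2P_DROP_NAMES = frozenset({
    "Microsoft Office 2003 Crack, Working!.exe", "Opera 8 New!.exe", "Ahead Nero 7.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe", "WinAmp 6 New!.exe",
    "Microsoft Office XP working Crack, Keygen.exe", "Kaspersky Antivirus 5.0",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe", "Windown Longhorn Beta Leak.exe",
    "XXX hardcore images.exe", "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe", "Matrix 3 Revolution English Subtitles.exe"})

def _norm(text):
    return re.sub(r"\s+", " ", text).strip()  # collapse wrapping so bodies still match

def mail_indicators(subject, body, attachments):
    """Return sorted indicator names matched by one message; `attachments` is an
    iterable of (filename, text_or_None) with archive members already expanded."""
    hits = set()
    if _norm(subject) in SUBJECTS:
        hits.add("subject")
    body_n = _norm(body)
    if any(text in body_n for text in BODY_TEXTS):
        hits.add("body")
    for name, text in attachments:
        low = name.lower()
        if low.endswith(WORM_EXTENSIONS):
            hits.add("worm-extension")
        elif low == "description.txt" and text and DESCRIPTION_NOTE in text.lower():
            hits.add("description-note")
    return sorted(hits)

def is_p2p_drop(path):
    """True for a listed drop name directly inside a folder whose name contains 'shar'."""
    folder, name = ntpath.split(path)
    return "shar" in ntpath.basename(folder).lower() and name in P2P_DROP_NAMES
```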
Creates the following mutexes to prevent NETSKY variants from executing.
This also ensures that only one instance of W32/Bagle.dq@MM can run on a computer at any time.
The following strings are found inside the worm body:
In a difficult world
In a nameless time
I want to survive
So, you will be mine!!
-- Bagle Author, 29.04.04, Germany.
Methods of Infection
W32/Bagle.dq@MM was mass spammed on February 03, 2006.
Email-Worm.Win32.Bagle.fk (Kaspersky), W32/Bagle-CF (Sophos), W32/Bagle.GT.worm (Panda), WORM_BAGLE.EF (Trend Micro)