Sophos name: W32/Bagle-AQ
http://www.sophos.com/virusinfo/analyses/w32bagleaq.html

W32/Bagle-AQ spreads as an email with a blank subject line and the following characteristics:

Message text:
new price

Attached file:
price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
or
new__price.zip

The ZIP file contains two files, price.html and price.exe.
price.html, detected by Sophos Anti-Virus as JS/IllWill-A, contains script that runs price.exe when the HTML file is opened.
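The lure above can be matched at a mail gateway before the ZIP ever reaches a user. The following Python is an added example written for this page, not Sophos code: it parses a message, checks for the blank subject, the "new price" body, an attachment name from the list above, and a ZIP holding both price.html and price.exe. The sample message it builds is constructed here with inert placeholder bytes in place of the real files; the sender and recipient addresses are assumptions.

```python
"""Mail-gateway triage for the W32/Bagle-AQ lure (added example, not vendor code)."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Attachment names listed in the Sophos description.
BAGLE_AQ_ATTACHMENTS = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
BAGLE_AQ_BODY = "new price"
# Files the description says the ZIP contains.
BAGLE_AQ_ZIP_MEMBERS = {"price.html", "price.exe"}


def zip_member_names(data: bytes) -> set[str]:
    """Lower-cased member names of an in-memory ZIP; empty set if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {name.lower() for name in zf.namelist()}
    except zipfile.BadZipFile:
        return set()


def triage_message(raw: bytes) -> dict:
    """Score one RFC 822 message against the lure characteristics.

    Returns the individual checks plus an overall 'verdict' that is True only
    when subject, body, attachment name and ZIP contents all match.
    """
    msg = email.message_from_bytes(raw, policy=default)
    subject_blank = not (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content().strip().lower() if body_part else ""
    body_match = body_text == BAGLE_AQ_BODY

    attachment_match = False
    zip_match = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in BAGLE_AQ_ATTACHMENTS:
            attachment_match = True
            payload = part.get_payload(decode=True) or b""
            if BAGLE_AQ_ZIP_MEMBERS <= zip_member_names(payload):
                zip_match = True

    return {
        "subject_blank": subject_blank,
        "body_match": body_match,
        "attachment_match": attachment_match,
        "zip_match": zip_match,
        "verdict": subject_blank and body_match and attachment_match and zip_match,
    }


def build_sample_message(attachment_name: str = "price_new.zip") -> bytes:
    """Constructed sample matching the described lure; ZIP members are inert placeholders, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.html", "<html><!-- placeholder, not JS/IllWill-A --></html>")
        zf.writestr("price.exe", b"MZ placeholder, not the real price.exe")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # assumed address
    msg["To"] = "victim@example.invalid"     # assumed address
    msg["Subject"] = ""                      # blank subject line
    msg.set_content("new price")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

The ZIP inspection is what separates this from a plain filename block list: a message whose attachment name is off the list but whose archive still pairs price.html with price.exe is reported by zip_match even when attachment_match is False, so the two flags are worth logging separately.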

Price.exe is a downloader component.
Price.exe copies itself to the Windows system folder as WINdirect.exe and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe

Price.exe creates a file named _dll.exe in the Windows system folder and runs it. _dll.exe attempts to download a copy of W32/Bagle-AQ from a number of web sites. If the download succeeds, _dll.exe runs the downloaded copy of W32/Bagle-AQ. The download attempt is repeated every 10 hours.

_dll.exe will terminate the following processes (mostly anti-virus and firewall update components):

FIREWALL.EXE
ATUPDATER.EXE
winxp.exe
sys_xp.exe
sysxp.exe
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
MCUPDATE.EXE

W32/Bagle-AQ creates a copy of itself in the Windows system folder as windll.exe and adds the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\erthgdr

W32/Bagle-AQ copies itself to folders with the string 'shar' in the folder name as the following files:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

W32/Bagle-AQ searches for email addresses in files on the local hard disk.
The worm searches in files with the extensions WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP.

W32/Bagle-AQ does not send email to addresses containing the following strings:

@eerswqe
@derewrdgrs
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

This IDE (Sophos virus identity) file also includes detection for:

JS/IllWill-A
http://www.sophos.com/virusinfo/analyses/jsillwilla.html

See also:
McAfee: W32/Bagle.aq@MM - Medium Risk
http://vil.nai.com/vil/content/v_127423.htm

Secunia
http://secunia.com/virus_information/11118/
Symantec W32.Evaman.C@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.evaman.c@mm.html

Category: Win32
Also known as: JS.Bagle.AG, Win32/Bagle.AG.Worm, W32/Bagle.AJ@mm (F-Secure), I-Worm.Bagle.al (Kaspersky), W32/Bagle.aq@MM (McAfee), W32.Beagle.AO@mm (Symantec), JScript/IE.VM.Exploit, Win32/WDirect.DLL.Worm, Win32/WDirect.Trojan

REMOVER:
http://securityresponse.symantec.com/avcenter/venc/data/w32.evaman.c.removal.tool.html
