Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Bagle.B carries out the following actions:
It displays the following error message on screen when it is run:

Infection strategy
Bagle.B creates the file AU.EXE in the Windows system directory. This file is a copy of the worm.
Bagle.B creates the following entries in the Windows Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
au.exe = %sysdir%\au.exe
where %sysdir% is the Windows system directory.
By creating this entry, Bagle.B ensures that it is run whenever Windows is started.
HKEY_CURRENT_USER\Software\Windows2000
frn = 1
By checking this entry, Bagle.B verifies whether it has already affected the computer.
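The two registry entries above can be checked on a host from a registry export. The following is an added example, not part of the original entry or Panda's tooling: it parses text produced by "reg export" (the sample below is constructed) and the function names are hypothetical.

```python
import re

# Constructed sample in .reg export text form; not taken from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"au.exe"="C:\\WINDOWS\\system32\\au.exe"

[HKEY_CURRENT_USER\Software\Windows2000]
"frn"=dword:00000001
'''

# Registry key and value names are case-insensitive, so compare in lower case.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\windows2000"

def parse_reg_export(text):
    """Parse .reg text into {lowercased key: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo .reg escaping
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            current[name] = data
    return keys

def bagle_b_indicators(keys):
    """Return findings for the Run entry and the marker entry described above."""
    findings = []
    run_value = keys.get(RUN_KEY, {}).get("au.exe")
    # %sysdir% differs between hosts, so match on the file name only.
    if isinstance(run_value, str) and run_value.lower().endswith("\\au.exe"):
        findings.append(("persistence", run_value))
    if "frn" in keys.get(MARKER_KEY, {}):
        findings.append(("infection-marker", keys[MARKER_KEY]["frn"]))
    return findings

if __name__ == "__main__":
    for kind, value in bagle_b_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(kind, value)
```

A match on either entry is a reason to look for AU.EXE in the Windows system directory; the marker entry alone may remain after the file has been removed.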
Means of transmission
Bagle.B spreads via e-mail. It follows the routine below:
It reaches the computer in an e-mail message that has the following characteristics:
Sender:
Bagle.B spoofs the e-mail address from which it is sent. This may cause confusion.
Subject:
ID <random text 1>... thanks
Message:
Yours <random text 2>
--
Thank
Attachments:
The file name is variable, but always has an EXE extension. It has the following icon:

When the attached file is run, the computer is affected.
Bagle.B searches for e-mail addresses in files that have the following extensions: WAB, TXT, HTM and HTML.
It sends itself out to all the addresses it has gathered, except those which belong to the mail domains @hotmail.com, @msn.com, @microsoft and @avp, using its own SMTP engine.
Further Details
Bagle.B is written in assembly language. The worm is 11,264 bytes in size when compressed with UPX v1.24, and 16,896 bytes once decompressed.