Welcome to the Virus Encyclopedia of Panda Security.
Bagle.AD listens on port 1234 and waits for remote connections, notifies its author that the computer has been affected, and deletes entries belonging to other worms from the Windows Registry.
| First detected on: | July 4, 2004 |
| Detection updated on: | July 6, 2004 |
| | Yes, using TruPrevent Technologies |
| Country of origin: | GERMANY |
Bagle.AD is a worm that opens TCP port 1234 and listens on it for remote connections. This allows hackers to gain remote control over the affected computer in order to carry out malicious actions that would compromise the user's confidentiality or impede normal work. This remote access feature will be active until January 25, 2005.
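A defender can check a host for the listener described above by parsing saved `netstat -ano` output. The following is an added example, not part of the original encyclopedia entry; the sample output is constructed, and the function names and the assumption of English-language netstat output are this example's own.

```python
import re

BACKDOOR_PORT = 1234  # TCP port the page says Bagle.AD listens on

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       3100
  TCP    192.0.2.10:49712       198.51.100.7:1234      ESTABLISHED     1500
  TCP    [::]:1234              [::]:0                 LISTENING       2044
  UDP    0.0.0.0:1234           *:*                                    777
"""

def port_of(endpoint):
    """Return the port of an 'addr:port' or '[v6]:port' endpoint, or None."""
    m = re.search(r":(\d+)$", endpoint)
    return int(m.group(1)) if m else None

def find_listeners(netstat_text, port=BACKDOOR_PORT):
    """Return sorted (local_address, pid) pairs for TCP sockets LISTENING on `port`."""
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five fields: proto, local, foreign, state, pid.
        # Headers, blank lines and UDP rows (no state column) are skipped.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, local, _foreign, state, pid = fields
        # Assumption: English-language netstat, where the state reads LISTENING.
        if state != "LISTENING" or not pid.isdigit():
            continue
        # Compare the parsed port number so 12345 or a remote :1234 never matches.
        if port_of(local) == port:
            hits.add((local, int(pid)))
    return sorted(hits)

if __name__ == "__main__":
    for local, pid in find_listeners(SAMPLE_NETSTAT):
        print(f"TCP listener on {local} owned by PID {pid}")
```

A match is only a lead: confirm which executable owns the reported PID before treating the host as affected, since other software can legitimately use the same port.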
Bagle.AD notifies its author that the computer has been affected through the opened port by connecting to a web site that hosts a PHP script.
In addition, Bagle.AD prevents certain worms, such as several variants of Netsky, from being executed whenever Windows is started. To do so, it deletes the entries belonging to these worms from the Windows Registry.
Bagle.AD spreads via e-mail in a message with variable characteristics and through peer-to-peer file sharing programs (P2P).
Bagle.AD is easy to recognize once it has affected the computer, as it displays the following fake error message on screen: