F Secure have received a new Bagle mass-mailer. This Bagle mass-mailer first appeared on February 9th, 2006. It spreads in e-mails sometimes pretending to be an antivirus definition file from Symantec. The worm also spreads to shared folders. In addition it drops a trojan downloader.
F Secure detect this new mass mailer as W32/Bagle.FM@mm.
When the worm’s file is started it displays a fake error messagebox:
Can’t find a viewer associated with the file.
The worm can send several different messages. The following text can be used in subject line ( %number% stands for a randomly generated number):
Your Receipt %number%-%number%
Order reminder: ID %number%
Billing department, order %number%-%number%
When the worm scans a hard drive, it looks for folders that have ‘shar’ substring in their names. If such folder is found, the worm copies itself to that folder with the following names:
anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe
The worm also drops a file named winresw.exe to Windows folder and starts it. This file is a trojan downloader that downloads and runs files from Internet.
Also the worm starts a backdoor on port 6777. The backdoor allows to update the worm’s file from Internet.