Citation :
As of April 28, 2004 4:46 AM PST, TrendLabs has received several infection reports of this BAGLE variant spreading in the US.
This memory-resident worm spreads via email and network shares. Upon execution, it drops a copy of itself using the following file names in the Windows system folder:
DRVDDLL.EXE
DRVDDLL.EXEOPEN
DRVDDLL.EXEOPENOPEN
It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate. The email it sends out contains the following details:
Subject: (any of the following)
·Changes..
·Fax Message Received
·Forum notify
·Hidden message
·Incoming message
·New changes
·Notification
·Protected message
·Re: Document
·Re: Hello
·Re: Hi
·Re: Incoming Message
·RE: Incoming Msg
·RE: Message Notify
·Re: Msg reply
·RE: Protected message
·RE: Text message
·Re: Thank you!
·Re: Thanks 
·Re: Yahoo!
·Site changes
Message body: (any of the following)
·For security reasons attached file is password protected. The password is <jpeg password>
·For security purposes the attached file is password protected. Password -- <jpeg password>
·Note: Use password to open archive.
·Attached file is protected with the password for security reasons. Password is <jpeg password>
·In order to read the attach you have to use the following password: <jpeg password>
·Archive password: <jpeg password>
·Password - <jpeg password>
·Password: <jpeg password>
(Note: <jpeg password> is the password of the zip password protected file in attached in the email and displays it in jpeg format.)
Attachment: (any of the following)
·Alive_condom
·Counter_strike
·Details
·Details
·Document
·Half_Live
·I_search_for_you
·Information
·Loves_money
·Manufacture
·Message
·MoreInfo
·Nervous_illnesses
·Readme
·Smoke
·text_document
·the_message
·the_message
·You_are_dismissed
·You_will_answer_to_me
·Your_complaint
·Your_money
The attachment can have any of the following extension names:
·COM
·CPL
·EXE
·HTA
·SCR
·VBS
·ZIP
|
