Quote:
As of April 28, 2004 4:46 AM PST, TrendLabs has received several infection reports of this BAGLE variant spreading in the US.

This memory-resident worm spreads via email and network shares. Upon execution, it drops a copy of itself using the following file names in the Windows system folder:

·DRVDDLL.EXE
·DRVDDLL.EXEOPEN
·DRVDDLL.EXEOPENOPEN

It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate. The email it sends out contains the following details:

Subject: (any of the following)

·Changes..
·Fax Message Received
·Forum notify
·Hidden message
·Incoming message
·New changes
·Notification
·Protected message
·Re: Document
·Re: Hello
·Re: Hi
·Re: Incoming Message
·RE: Incoming Msg
·RE: Message Notify
·Re: Msg reply
·RE: Protected message
·RE: Text message
·Re: Thank you!
·Re: Thanks
·Re: Yahoo!
·Site changes

Message body: (any of the following)

·For security reasons attached file is password protected. The password is <jpeg password>
·For security purposes the attached file is password protected. Password -- <jpeg password>
·Note: Use password to open archive.
·Attached file is protected with the password for security reasons. Password is <jpeg password>
·In order to read the attach you have to use the following password: <jpeg password>
·Archive password: <jpeg password>
·Password - <jpeg password>
·Password: <jpeg password>

(Note: <jpeg password> is the password of the password-protected zip file attached in the email, displayed in jpeg format.)

Attachment: (any of the following)

·Alive_condom
·Counter_strike
·Details
·Details
·Document
·Half_Live
·I_search_for_you
·Information
·Loves_money
·Manufacture
·Message
·MoreInfo
·Nervous_illnesses
·Readme
·Smoke
·text_document
·the_message
·the_message
·You_are_dismissed
·You_will_answer_to_me
·Your_complaint
·Your_money

The attachment can have any of the following extension names:

·COM
·CPL
·EXE
·HTA
·SCR
·VBS
·ZIP
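The subject, attachment-name and extension lists above can be combined into a simple mail-gateway check. The following is an added example, not part of the quoted advisory: the function names are hypothetical, the sample message is constructed, and treating the word "password" in the body as a weak signal is an assumption based on the body texts listed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicator lists copied from the advisory; compared case-insensitively.
SUBJECTS = {s.lower() for s in (
    "Changes..", "Fax Message Received", "Forum notify", "Hidden message",
    "Incoming message", "New changes", "Notification", "Protected message",
    "Re: Document", "Re: Hello", "Re: Hi", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Re: Msg reply",
    "RE: Protected message", "RE: Text message", "Re: Thank you!",
    "Re: Thanks", "Re: Yahoo!", "Site changes")}
STEMS = {s.lower() for s in (
    "Alive_condom", "Counter_strike", "Details", "Document", "Half_Live",
    "I_search_for_you", "Information", "Loves_money", "Manufacture", "Message",
    "MoreInfo", "Nervous_illnesses", "Readme", "Smoke", "text_document",
    "the_message", "You_are_dismissed", "You_will_answer_to_me",
    "Your_complaint", "Your_money")}
EXTS = {"com", "cpl", "exe", "hta", "scr", "vbs", "zip"}
PASSWORD_HINT = re.compile(r"\bpassword\b", re.I)  # assumption: weak body signal

def score_message(raw):
    """Return the advisory indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = ["subject"] if (msg["Subject"] or "").strip().lower() in SUBJECTS else []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            stem, _, ext = name.lower().rpartition(".")
            if stem in STEMS and ext in EXTS:
                hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain" and \
                PASSWORD_HINT.search(part.get_content()):
            hits.append("body-password")
    return hits

def is_likely_bagle(raw):
    """Flag only when a listed attachment coincides with a subject or body hit."""
    hits = score_message(raw)
    return any(h.startswith("attachment:") for h in hits) and \
        ("subject" in hits or "body-password" in hits)

def constructed_sample():
    """Constructed test message (not a real capture) using values from the lists."""
    m = EmailMessage()
    m["Subject"] = "Re: Msg reply"
    m.set_content("Archive password: (sent as image)")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="MoreInfo.zip")
    return m.as_string()
```

Several of the listed subjects ("Notification", "Re: Hi") occur in ordinary mail, which is why a subject match alone is not flagged.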