Email-Worm.Win32.Bagle

Detect Date 11/07/2005
Class Email-Worm
Platform Win32
Description

The worm contains a list of URLs, which it checks for the presence of files.

If a file is found at any of these addresses, it will be downloaded to the victim machine:

%System%\re_file.exe

The file will then be launched for execution.

For example, to remove Email-Worm.Win32.Bagle.at:

  1. Reboot your machine in Safe Mode: press and hold F8 while the machine is rebooting and choose Safe Mode from the menu when it appears.
  2. Delete the following files from the Windows system folder:

    wingo.exe
    wingo.exeopen
    wingo.exeopenopen

  3. Delete the following key from the Windows System Registry:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "wingo"="%system%\wingo.exe"

  4. Reboot the computer and make sure that you have removed all infected emails from all folders in your email client.
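
A read-only PowerShell check for the artifacts named in the steps above, useful for confirming the cleanup. It is an added example, not code from the original page; it assumes %System% refers to the Windows system directory, and it goes beyond the page by checking the Run value in every loaded user hive rather than only HKEY_CURRENT_USER.

```powershell
# Added example (not from the original page): reports the Bagle.at artifacts
# listed in the removal steps. Read-only; nothing is deleted or modified.

# Assumption: %System% on the page means the Windows system directory.
# SystemX86 is included because WOW64 redirects 32-bit writes to SysWOW64.
$systemDirs = @(
    [Environment]::GetFolderPath('System')
    [Environment]::GetFolderPath('SystemX86')
) | Where-Object { $_ } | Select-Object -Unique

# File names taken from the page (three Bagle.at files plus the downloaded file).
$fileNames = 'wingo.exe', 'wingo.exeopen', 'wingo.exeopenopen', 're_file.exe'

$findings = @()

foreach ($dir in $systemDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        # -Force so that hidden or system attributes do not mask the file.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Kind     = 'File'
                Location = $item.FullName
                Detail   = 'last written ' + $item.LastWriteTime.ToString('s')
            }
        }
    }
}

# The page names HKEY_CURRENT_USER. Every loaded user hive is checked here,
# because the account used in Safe Mode may not be the one that was infected.
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $key  = "Registry::$($hive.Name)\$runSubKey"
    $prop = Get-ItemProperty -LiteralPath $key -Name 'wingo' -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{
            Kind     = 'Run value'
            Location = "$($hive.Name)\$runSubKey"
            Detail   = '"wingo"="' + $prop.wingo + '"'
        }
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from the removal steps were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so their Run keys are not covered by this check.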