Email-Worm.Win32.Bagle

Detect Date 11/07/2005
Class Email-Worm
Platform Win32
Description

The worm contains a list of URLs, which it checks for the presence of files.

If a file is found at any of these addresses, it is downloaded to the victim machine as:

%System%\re_file.exe

The file is then launched for execution.

For example, Email-Worm.Win32.Bagle.at:

  1. Reboot your machine in Safe Mode – press and hold F8 while the machine is rebooting and choose Safe Mode from the menu when it appears.
  2. Delete the following files from the Windows system folder:

    wingo.exe

    wingo.exeopen

    wingo.exeopenopen
  3. Delete the following key from the Windows System Registry:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

    "wingo"="%system%\wingo.exe"
  4. Reboot the computer and make sure that you have removed all infected emails from all folders in your email client.
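
To confirm the cleanup above, a read-only PowerShell check for the file names and Run value listed on this page (an added example, not part of the original entry). Checking SysWOW64 in addition to the system folder is an assumption for 64-bit Windows, which the page does not mention.

```powershell
# Added example: read-only check for the artefacts named on this page.
# It only reports what is present; it deletes nothing.

$fileNames = 'wingo.exe', 'wingo.exeopen', 'wingo.exeopenopen', 're_file.exe'
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'wingo'

# %System% is the Windows system folder. On 64-bit Windows a 32-bit process is
# redirected to SysWOW64, so both directories are checked (assumption, see lead-in).
$systemDirs = @(
    [Environment]::SystemDirectory
    (Join-Path $env:SystemRoot 'SysWOW64')
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique

$findings = @()

foreach ($dir in $systemDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # -Force so hidden or system-attributed files are still returned
            $item = Get-Item -LiteralPath $path -Force
            $findings += [pscustomobject]@{
                Type   = 'File'
                Where  = $path
                Detail = "size=$($item.Length) modified=$($item.LastWriteTimeUtc.ToString('u'))"
            }
        }
    }
}

# The Run entry is in the current user's hive, so run this as each affected user.
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
    $findings += [pscustomobject]@{
        Type   = 'RunValue'
        Where  = "$runKey\$valueName"
        Detail = $run.$valueName
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No wingo/re_file artefacts found for this user.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An empty result after step 4 indicates that the files and the autorun entry are gone for the account the script ran under.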