Aliases: Email-Worm.Win32.Bagle.fg, W32/Bagle.gen@MM, TR/Dldr.Bagle.FO.3, Troj/BagleDl-BJ
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Moderate
Geographical info: North America, South America, Asia, Europe, some parts of Africa and Australia
Removal: Easy
Platform: W32
Discovered: 26 Jan 2006
Damage: Medium

Characteristics: The W32.Imav.A worm is capable of propagating by sending infected ICQ messages that contain links to its duplicates. This security risk may also infect a vulnerable computer system through an infected file downloaded from an unknown website or through an infected attachment in a spam message from an unknown sender. It is likewise known to turn off security-related applications and may arrive on the target system in the form of a .zip file.

More details about W32.Imav.A

When run on the compromised machine, W32.Imav.A creates an executable file. It also drops and opens an image file, whose name consists of two arbitrary characters and which carries the .jpg extension, using the compromised machine's default image viewer. In the background, the worm creates duplicates of itself with the .exe extension. It apparently opens the image viewer to mask the routines it is carrying out in the background. It also adds values to registry keys to serve as its infection marker and so that it executes every time Windows boots. It then disables or renames several security-related services currently running on the system. The W32.Imav.A worm may also delete several files in folders on the system's available fixed drives. It also deletes some security-related registry subkeys, which weakens the system's security settings.

The W32.Imav.A worm then applies filters to every IP adapter interface in order to block access to most security-related sites. It does not, however, overwrite the hosts file to block website access. Next, the security threat retrieves an EXE file and executes it; this file contains the worm dropper. It then connects to the ICQ website on TCP port 17940 and sends the infected ICQ messages containing the link to the worm's duplicate. Because this malware is known to terminate the Windows Task Manager, a third-party process explorer can be used to locate and terminate the malware's running process.