Aliases: Win32.Wreckage.A, TROJ_YABE.B, Win32/Rechnung!Worm
Variants: W32/Bagle.AK-mm, W32/Bagle.gen.b@MM, W32/Bagle-AK, Trojan.Win32.Agent.jk

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 28 Sep 2005
Damage: Low

Characteristics: Belonging to a mass mailing Worm family, this malware makes use of Peer to Peer file sharing networks to deliver its infection to other computer systems. The payload delivery routine of the W32.Magflag.A@mm includes the capability download malicious files and execute them locally in the compromised machine. The source of the files that are downloaded are usually websites which are also under the control of the malicious author.

More details about W32.Magflag.A@mm

Aside from using Peer to Peer file sharing networks, this malware and some of its variants have the ability of using the email messaging service to spread its codes to other vulnerable computer systems. The W32.Magflag.A@mm is known for executing a legitimate operating system process and injecting its codes into the process. It will then terminate the authentic system process and takes it place. This routine allows the W32.Magflag.A@mm to mimic original system processes to avoid arousing user suspicion and avoiding detection of system monitoring tools. The W32.Magflag.A@mm will create an executable copy of itself into the directory folder of the operating system. It will attempt to mix with legitimate system files to conceal its presence and complicate its removal from the infected computer system.

The W32.Magflag.A@mm will modify the contents of the Windows Registry service by adding a new key value that will give it the functionality of automatically loading together with the operating system components. The Windows Registry will be used to bypass the active firewall protection system of the infected computer system. The W32.Magflag.A@mm will contact predetermined websites to cause the downloading and local execution of malicious files. The downloaded files are normally identified by their double file extension. The W32.Magflag.A@mm will harvest stored email addresses and target the remote systems by sending email messages with dangerous file attachments.