I-Worm.Bagz.b, W32/[email protected], W32/Bagz-B, WORM_BAGZ.B, W32/[email protected]
Category: Computer Worm
Status: Active and Spreading
Regions: Asia, Europe, US, Africa, Australia
Date: 04 Oct 2004
The [email protected] malware is a mass-mailing worm with its own SMTP (Simple Mail Transfer Protocol) engine, which it uses to send copies of its code to email addresses harvested from the compromised machine.
If malware is present on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
The [email protected] worm is a variant of W32/[email protected].
It infects a computer when an infected email attachment is opened on that system. The subject lines of these emails range from ordinary ones such as 'eCards' to alarming ones such as failure notices, and the message body usually refers to email problems or violations. The attachments arrive as .zip or .exe files with names such as warning.zip and document.doc.exe. The recipient addresses are harvested from the compromised system: the worm searches files with the extensions .txt, .htm, .tbi, .tbb and .dbx for email addresses. When the worm [email protected] enters a system, it drops files in the C:\Windows\System folder. Some of these file names carry a double extension, with a run of spaces between the .doc part and the trailing .exe. In My Computer or Windows Explorer, the dropped files having the .exe extension will usually be hidden.
The worm also adds values to the registry so that it executes each time Windows reboots. This threat can deactivate the Windows Firewall and install a network driver to evade detection. It also opens a backdoor and can receive files. Other characteristics of the [email protected] worm include overwriting the local hosts file to prevent some security products from updating correctly, disabling or uninstalling certain security products on the compromised machine, and constructing messages through its own SMTP engine, attaching a copy of itself as an EXE file inside a ZIP archive.
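Two of the indicators above (file names with a padded double extension such as document.doc.exe, and hosts-file entries that sinkhole update servers) can be checked on a suspect system; the script below is an added defender-side example, not code from the original entry. The sample file listing, the hosts-file content and the vendor update domains are constructed placeholders.

```python
import re

# Constructed sample listing: the page's document.doc.exe example plus the
# "spaces between the extensions" variant it describes.
SAMPLE_FILENAMES = [
    "document.doc.exe",
    "report.txt                 .exe",
    "readme.txt",
    "warning.zip",
    "setup.exe",
]

# Constructed hosts file; the vendor domains are placeholders, not from the page.
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 update.example-av.test   # update server redirected to loopback
0.0.0.0   liveupdate.example-av.test
"""

DOC_EXTS = {"doc", "txt", "htm", "html", "pdf", "jpg", "zip"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
NULL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def is_deceptive_double_extension(name: str) -> bool:
    """True for names like 'document.doc.exe' or 'report.txt     .exe':
    a document-looking inner extension, optional padding spaces, then an
    executable extension that Explorer hides when known extensions are off."""
    m = re.match(r".+\.([A-Za-z0-9]+)\s*\.([A-Za-z0-9]+)$", name)
    if not m:
        return False
    inner, outer = m.group(1).lower(), m.group(2).lower()
    return inner in DOC_EXTS and outer in EXEC_EXTS

def find_deceptive_files(names):
    """Return the subset of names that use the double-extension trick."""
    return [n for n in names if is_deceptive_double_extension(n)]

def hosts_sinkholes(hosts_text: str, watched: set) -> dict:
    """Map each watched hostname to the loopback/null address a hosts file
    points it at, which is how the worm blocks security product updates."""
    hits = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *hostnames = line.split()
        for host in hostnames:
            if host.lower() in watched and addr in NULL_ADDRS:
                hits[host.lower()] = addr
    return hits
```

On a real host, feed `os.listdir()` of the system folder and the contents of `%SystemRoot%\System32\drivers\etc\hosts` to these functions in place of the constructed samples.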