The subject of the infected email will be any one of the following:
Let's talk, my friend!
Site changes
Request response
Notify from a known person ;-)
RE: Protected message
Hidden message
Re: Yahoo!
Encrypted Document
Re: Thank you!
Hello!
Re: Msg reply
Incoming message
Re: Incoming Fax
Re: Hello
I just need a friend
Re: Document
RE: Text message
Protected message
Let's socialize, my friend!
Re: Incoming Message
I'm bored with this life
Re: Thanks :)
I like you
Hey!
Forum notify
Fax Message Received
I'm a sad girl...
The body of the infected email is randomly generated by the worm.
The infected email carries two attachments.
1) The first contains a picture of a girl in .jpg format.
2) The second contains the worm file, with any one of the following extensions:
.zip
.vbs
.scr
.hta
.exe
.cpl
.com
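A mail-filter check for the message shape described above, given as an added example that is not part of the original write-up. The function names and the three-level verdict are assumptions, and the sample messages are constructed with harmless placeholder attachments.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects and attachment extensions taken from the description above.
SUBJECTS = {s.lower() for s in (
    "Let's talk, my friend!", "Site changes", "Request response",
    "Notify from a known person ;-)", "RE: Protected message", "Hidden message",
    "Re: Yahoo!", "Encrypted Document", "Re: Thank you!", "Hello!",
    "Re: Msg reply", "Incoming message", "Re: Incoming Fax", "Re: Hello",
    "I just need a friend", "Re: Document", "RE: Text message",
    "Protected message", "Let's socialize, my friend!", "Re: Incoming Message",
    "I'm bored with this life", "Re: Thanks :)", "I like you", "Hey!",
    "Forum notify", "Fax Message Received", "I'm a sad girl...",
)}
WORM_EXTS = (".zip", ".vbs", ".scr", ".hta", ".exe", ".cpl", ".com")

def classify(raw: bytes) -> str:
    """Return 'match', 'suspect' or 'clean' for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = [(p.get_filename() or "").lower().strip() for p in msg.iter_attachments()]
    has_jpg = any(n.endswith(".jpg") for n in names)
    has_payload = any(n.endswith(WORM_EXTS) for n in names)
    # Shape from the description: exactly two attachments, a .jpg plus a listed type.
    shape = len(names) == 2 and has_jpg and has_payload
    subject = str(msg["Subject"] or "").strip().lower()
    if shape and subject in SUBJECTS:
        return "match"
    if shape or (has_payload and subject in SUBJECTS):
        return "suspect"
    return "clean"

def build_sample(subject, files):
    """Constructed test message; attachment bodies are placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("random body text")
    for name in files:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    print(classify(build_sample("Re: Incoming Fax", ["girl.jpg", "doc.scr"])))
    print(classify(build_sample("Quarterly report", ["report.pdf"])))
```

Because the listed subjects are generic, a subject match alone is not treated as a hit; the verdict depends on the attachment pattern.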
Upon execution of the infected attachment, the worm displays a fake dialog box with the message "Can't find a viewer associated with the file". It drops the following files in the Windows System folder:
drvsys.exe
drvsys.exeopen
drvsys.exeopenopen
It also checks for the string 'shar' in the names of the available shared folders, both local and on the network. If found, the worm copies itself to these folders using the following filenames:
XXX hardcore images.exe
Windows Sourcecode update.doc.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Serials.txt.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Opera 8 New!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Matrix 3 Revolution English Subtitles.exe
Kaspersky Antivirus 5.0
KAV 5.0
Ahead Nero 7.exe
Adobe Photoshop 9 full.exe
The worm opens port 2535 to allow access to the infected system.
It alters the Windows registry at the following location to load itself during the next startup: