Virus Database


I-Worm.Bagle.t

Description I-Worm.Bagle.t

This new member of the Bagle family closely resembles its predecessor, Bagle.s. Infected emails also have empty subjects and message bodies. In Bagle.t the attachment is 8208 bytes in size. Bagle.t is compressed by FSG and the unpacked file is about 37 KB in size.
This e-mail worm is relatively simple compared to most of the other members in the Bagle family, leading to the suspicion it may have been written by a different group, with access to the Bagle sources.
Infected messages have the following characteristics:
Sender address: random
Subject: none
Body: empty
Attachment name: game
Attachment file type: .exe
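The message characteristics listed above can be turned into a mail-triage check. The following is an added example, not code from the original page; the function names and the sample messages are constructed for illustration, and the sender address is ignored because it is random.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

ATTACH_NAME = "game.exe"   # attachment name "game" + file type ".exe"
ATTACH_SIZE = 8208         # attachment size in bytes given in the description

def build_sample(subject, body, filename, payload):
    """Build a constructed test message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"   # sender is random, so never matched on
    msg["To"] = "user@example.test"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def bagle_t_traits(raw):
    """Return which of the described message characteristics are present."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    names, sizes = [], []
    for part in msg.iter_attachments():
        names.append((part.get_filename() or "").lower())
        sizes.append(len(part.get_payload(decode=True) or b""))
    return {
        "empty_subject": not (msg["Subject"] or "").strip(),
        "empty_body": not text.strip(),
        "name_match": ATTACH_NAME in names,
        "size_match": any(n == ATTACH_NAME and s == ATTACH_SIZE
                          for n, s in zip(names, sizes)),
    }

def looks_like_bagle_t(raw):
    """True only when every described characteristic matches."""
    return all(bagle_t_traits(raw).values())

if __name__ == "__main__":
    suspect = build_sample("", "", "game.exe", b"\x00" * 8208)   # constructed
    benign = build_sample("Saturday", "Fixture list attached.",
                          "game.exe", b"\x00" * 100)            # constructed
    print(looks_like_bagle_t(suspect), bagle_t_traits(benign))
```

A match on name alone is weak evidence; the per-trait dictionary lets a filter quarantine on the full match and only log partial ones.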
Installation
When executed, Bagle.t copies itself into the Windows system directory under the name "sysinfo.exe" and registers itself to be run during system startup. It will also create a registry key named:
[HKEY_CURRENT_USER\SOFTWARE\Windows2005]
and register a backdoor on port 4751, which can be used to install new malware on the system.
Propagation
Just like Bagle.s, this variant will not spread if the system date is any year later than 2004.
Throughout 2004, Bagle.t extracts e-mail addresses from various files on the disk and mails itself to them. Targeted file extensions are: .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp.
While spreading, infected e-mails will not be sent to addresses containing '@avp.' or '@microsoft'.
Other
Bagle.t tries to report infections by accessing a URL on the site "www.werde.de" with some specific parameters, which the virus writer can supposedly query later. At the time of writing, the URL seems to have been taken down.
To mask the system infection behind an apparently useful action, the worm will attempt to execute a file named dreder.exe, which doesn't exist by default in standard Windows installations.


Macro.Word97.PBB

Description Macro.Word97.PBB

This virus spreads when documents are opened and closed. When a document is opened, the virus checks the system date. If the day number is less than 3, the virus hides the mouse cursor and displays the message:
Created By Yusril Ihza Mahendra
PARTAI BULAN BINTANG

Another virus routine deletes all library (.DLL) files from the Windows system folder if the day number is greater than 25. This routine is executed when a document is opened, when the Visual Basic Editor is called and when the "Tools/Macro" menu is clicked.
The virus body contains the text strings:
Macros Pbb mungkin tidak bisa Anda hapus, Anda hanya bisa menghapus makro
buatan Anda (Descr: 'Makro non-Pbb')
Terimakasih Anda Telah
Memproteksi Word dengan Aman

Macro.Word97.Peace

Description Macro.Word97.Peace

This virus contains two macros in the module "peace": AutoOpen and helpabout. It replicates when documents are opened. It disables the menu items "Tools/Macro" and "Tools/Templates and Add-Ins". On the 1st of each month, on entering Help/About, it displays the MessageBox:
Peace
Copy me I want to travel





    Copyright © 2005 Virus-Database.com