
Win32.Bagle.bo Jun 1, 2005

Aliases:
Win32.Bagle.bp
Type:
Mass Mailing E-mail Worm
Description:
This worm is almost identical to Bagle.bj and to some of the worm variants that are detected as Bagle.pac.

Bagle.bo has been widely spammed as an attachment to infected messages. Infected messages either have an empty subject and an empty body, or contain random text. The attachment name is also randomly generated. The ZIP attachment, which is approximately 17KB in size, contains the body of the worm.

The worm has several components, all of which are detected as Email-Worm.Win32.Bagle.bo by anti-virus software.

When installing itself on the victim machine, the worm creates files named “winshost.exe” and “wiwshost.exe”:

%System%\winshost.exe
%System%\wiwshost.exe

It also adds the following registry value to ensure it will be executed when Windows is started:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "winshost.exe" = "%System%\winshost.exe"

Payload:

Bagle.bo alters the %System%\drivers\etc\hosts file so that users of infected machines will be unable to access the websites of the following companies:

Kaspersky
Symantec
Trend Micro
McAfee
Sophos
F-Secure
AVP
Computer Associates
Microsoft

In effect, this stops your anti-virus program from reaching its vendor's website to update itself. Without updates, the program will be unable to clean the infected machine, which will keep on propagating the worm.
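As an added example, not part of the advisory, the following Python check parses a hosts file and flags entries that pin anti-virus or Microsoft hostnames to a loopback or unspecified address, which is the tampering described above. The sample hosts content and the vendor hostnames are constructed for illustration; on a live Windows machine you would read %System%\drivers\etc\hosts instead.

```python
import ipaddress

# Constructed sample of a tampered hosts file, modelled on the Bagle.bo payload.
# Vendor names come from the advisory; the exact hostnames are assumptions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.trendmicro.com
127.0.0.1       download.mcafee.com
127.0.0.1       www.sophos.com
127.0.0.1       www.f-secure.com
127.0.0.1       www.avp.com
127.0.0.1       www.ca.com
127.0.0.1       windowsupdate.microsoft.com
192.168.1.10    intranet.example.local
"""

# Substring keywords derived from the vendor list in the advisory (a heuristic:
# a keyword match is a prompt to inspect the entry, not proof of infection).
VENDOR_KEYWORDS = ("kaspersky", "symantec", "trendmicro", "mcafee", "sophos",
                   "f-secure", "avp", "ca.com", "microsoft")

# Names that legitimately map to loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:                  # one IP may carry several names
            yield parts[0], name.lower()


def find_blocked_vendors(text):
    """Return vendor hostnames pinned to a loopback or unspecified (0.0.0.0) address."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                      # malformed line, not our concern here
            continue
        if (addr.is_loopback or addr.is_unspecified) and any(k in name for k in VENDOR_KEYWORDS):
            hits.append(name)
    return hits
```

A non-empty result means update traffic to those vendors is being sinkholed locally, so the anti-virus product should be updated from a clean machine or offline media before relying on its signatures.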
Solution:
If you have already been infected, the best course is to have your machine scanned, either with a network-based anti-virus scanner or by removing the hard drive and having a professional computer technician scan it for you.

If you have not been infected yet, it is always good practice to keep your anti-virus software up to date, keep your Windows operating system up to date and, most of all, practise good computer security by NOT opening unfamiliar attachments that you do not recognize.

