MoSo Anti-Malware
MoSo Anti-Malware Award
Virus Alert: Worm.Bagle.fj

Summary:

This is a mass downloader malware. It arrives as an archive containing two files: an executable and a second file filled with random characters. The executable uses an icon resembling that of a text document; when first executed it copies itself into the system directory under the name sysformat.exe and then launches notepad.exe.

It drops a hosts file of size 1,771 bytes into the System32\Drivers subdirectory of the Windows directory, which blocks access to certain anti-virus related sites. This can leave the anti-virus product unable to perform an update.

File:

It copies itself to the following location:
%SYSDIR%\windspl.exe

It also copies itself to the following locations; these copies have random bytes appended, so they may differ from the original file:
%SYSDIR%\windspl.exe
%SYSDIR%\sysformat.exe

The following file is created:

%WINDIR%\regisp32.exe

It is executed as soon as it has been fully written. Further investigation showed that this file is malware, too.


It disables the built-in firewall and Security Center on machines running Windows XP Service Pack 2, kills several security (anti-virus and firewall) products, and tries to download files from a predefined list of sites and execute them.

It contains an integrated SMTP engine for sending emails, establishing a direct connection to the destination mail server. The messages have the following characteristics:

Email:

From:
The sender address is spoofed.


To:
Email addresses found in specific files on the system.


Subject:
One of the following:
Gwd: Msg reply
Gwd: Hello :-)
Gwd: Yahoo!!!
Gwd: Thank you!
Gwd: Thanks :)
Gwd: Text message
Gwd: Document
Gwd: Incoming message
Gwd: Incoming Message
Gwd: Incoming Msg
Gwd: Message Notify
Gwd: Notification
Gwd: Changes..
Gwd: Update
Gwd: Fax Message
Gwd: Protected message
Gwd: Protected message
Gwd: Forum notify
Gwd: Site changes
Gwd: Hi
Gwd: crypted document



Body:
The body of the email is one of the lines:
Ok. Read the attach.
Ok. Your file is attached.
Ok. More info is in attach
Ok. See attach.
Ok. Please, have a look at the attached file.
Ok. Your document is attached.
Ok. Please, read the document.
Ok. Attach tells everything.
Ok. Attached file tells everything.
Ok. Check attached file for details.
Ok. Check attached file.
Ok. Pay attention at the attach.
Ok. See the attached file for details.
Ok. Message is in attach
Ok. Here is the file.


Attachment:
The filename of the attachment is constructed from the following:

It starts with one of the following:
www.cumonherface
Details
XXX_livebabes
XXX_PornoUpdates
xxxporno
fuck_her
Info
Common
MoreInfo
Message

The file extension is one of the following:
.exe
.scr
.com
.zip
.vbs
.hta
.cpl
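
A mail-gateway heuristic built from the subject, body, attachment-prefix and extension lists above, added here as an example and not part of MoSo's product or this write-up. The two-of-three scoring, the RFC 822 parsing and the sample message are constructed for the example.

```python
# Added example for this write-up, not MoSo's code: a mail-gateway heuristic
# built from the subject, body, attachment-prefix and extension lists above.
# The two-of-three scoring, the parser and the sample message are constructed.
from email import message_from_string

SUBJECTS = {"Gwd: " + s for s in (
    "Msg reply", "Hello :-)", "Yahoo!!!", "Thank you!", "Thanks :)",
    "Text message", "Document", "Incoming message", "Incoming Message",
    "Incoming Msg", "Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "Forum notify", "Site changes", "Hi",
    "crypted document")}
BODIES = {"Ok. " + b for b in (
    "Read the attach.", "Your file is attached.", "More info is in attach",
    "See attach.", "Please, have a look at the attached file.",
    "Your document is attached.", "Please, read the document.",
    "Attach tells everything.", "Attached file tells everything.",
    "Check attached file for details.", "Check attached file.",
    "Pay attention at the attach.", "See the attached file for details.",
    "Message is in attach", "Here is the file.")}
PREFIXES = ("www.cumonherface", "Details", "XXX_livebabes", "XXX_PornoUpdates",
            "xxxporno", "fuck_her", "Info", "Common", "MoreInfo", "Message")
EXTENSIONS = (".exe", ".scr", ".com", ".zip", ".vbs", ".hta", ".cpl")

def bagle_fj_indicators(raw):
    """Return the page's indicators (subject/body/attachment) a raw message matches."""
    msg, hits = message_from_string(raw), set()
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if part.get_content_type() == "text/plain" and not name:
            text = part.get_payload(decode=True).decode("latin-1", "replace")
            if text.strip() in BODIES:
                hits.add("body")
        # startswith is a plain prefix test ("Info" also matches Information.zip),
        # so one indicator alone is not a detection: see is_bagle_fj.
        elif name and name.startswith(PREFIXES) and name.lower().endswith(EXTENSIONS):
            hits.add("attachment")
    return sorted(hits)

def is_bagle_fj(raw):
    """Flag the message when at least two of the three indicators match."""
    return len(bagle_fj_indicators(raw)) >= 2

SAMPLE = (  # constructed message in the worm's template, not a real capture
    'Subject: Gwd: Incoming Msg\r\nContent-Type: multipart/mixed; boundary="b"\r\n'
    '\r\n--b\r\nContent-Type: text/plain\r\n\r\nOk. See attach.\r\n'
    '--b\r\nContent-Type: application/zip; name="MoreInfo.zip"\r\n\r\nUEsDBA==\r\n'
    '--b--\r\n')
```

A subject alone (a legitimate "Gwd: Hi" reply) does not trigger; the scoring needs the fixed body line or the prefix-plus-extension attachment as well.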

Recommendation

Update your MoSo Anti-Malware to the latest version and perform a full scan of your computer. Enable the Auto-Protect feature when connecting to the Internet; MoSo Anti-Malware can then protect your system against malicious threats.



 
CopyRight©2006-2008 www.moatsoft.com,All rights reserved