From; Sophos Alert System: Name: W32/Bagle-W Aliases: W32/Bagle.z@MM, Win32/Bagle.X Type: Win32 worm Date: 27 April 2004 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus. Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update. Sophos has received several reports of this worm from the wild. Note: This IDE is being updated to improve detection. Information about W32/Bagle-W can be found at: http://www.sophos.com/virusinfo/analyses/w32baglew.html Description W32/Bagle-W is a member of the W32/Bagle family of worms. When first run W32/Bagle-W will display a fake error message containing the text "Can't find a viewer associated with the file". W32/Bagle-W copies itself to the Windows system folder with the filename drvsys.exe and then runs the worm from that location. The following registry entry is created so that the worm is run when a user logs on to Windows: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ drvsys.exe = drvsys.exe W32/Bagle-W recursively scans all fixed drives for WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files and then extracts email addresses from these files to be used for the mass mailing component of the worm. The email sent by the worm will have the following characteristics: Subject line may contain the following text: Hello! Hey! Let's socialize, my friend! Let's talk, my friend! I'm bored with this life Notify from a known person ;-) I like you I just need a friend I'm a sad girl... Re: Msg reply Re: Hello Re: Yahoo! Re: Thank you! Re: Thanks :) RE: Text message Re: Document Incoming message Re: Incoming Message Re: Incoming Fax Hidden message Fax Message Received Protected message RE: Protected message Forum notify Request response Site changes Encrypted Document Message text may contain any of the following messages: I Like You! Don't you remember me? Kewl :-) I need a friend... I just want to talk with someone... I like reading the books and socializing, let me talk with you... It's time to find a friend! Ready to accept a new friend? :-) Like me, odore me! I study at school, I like to spend time cheerfully even if not all so well, I hompe and trust, that all bad when nibud will pass and necessarily nastanet there would be a desire. I like to feel protected, to understand, that near to me the man, which both in sex, and in life knows what to do. It is possible to fall in love with such the man for ever. Cometime I write a poem, play the gitar. I love a traveling, I like a romantice and I want to meet, comeday, my big love I am kind, fair, careful, gentle also want to create family. I love animal (cats, dogs), the literature, theatre, cinema, music, walks in park. I have recently got demobilize from army and also I am going' to act in a higher educational institution Searching for the right person,for real man, who will really cares and love me. I am a honest, kind,loving,with good sense of humor...etc.,looking for true love... or maybe for pen friend. I am looking for a serious relationship. I am NOT interested in flirt and short-term love adventure. I love, as the good company, and I dream about romantic appointment at candles with loved. I still believe in love. I'm a young lady of 20 years old i'd like to find my second part!!! I am simple girl who are looking for serious relation with responsible and confident man. I am ready to give all my love' and carering for a right person who is going to love and respect me I am a beautiful, sexual girl with very big ambitions and dreams. I can make happy anyone man... I am a student. I'm studying international relationships. I would like to find an interesting and active man for serious relations. Sitting at home it is not for me. I like to go out to the theater, cinema, and nightclubs. I'm so bored, let me talk with you... You are my prince :-) You are cool :-) Read the attach. Your file is attached. More info is in attach See attach. Please, have a look at the attached file. See the attached file for details. Message is in attach Here is the file. For more information see the attached file. Attached file will tell you everything. For details see the attach. Attached file tells everything. Further details are in attach. There may be two attached files one is a jpeg file that contains a picture of a woman and the other is a copy of the worm. The worm will create the following copies of itself in folders on the infected system that contain the string "shar" in their name: Microsoft Office 2003 Crack, Working!.exe Microsoft Windows XP, WinXP Crack, working Keygen.exe Microsoft Office XP working Crack, Keygen.exe Porno, sex, oral, anal cool, awesome!!.exe Porno Screensaver.scr Serials.txt.exe KAV 5.0 Kaspersky Antivirus 5.0 Porno pics arhive, xxx.exe Windows Sourcecode update.doc.exe Ahead Nero 7.exe Windown Longhorn Beta Leak.exe Opera 8 New!.exe XXX hardcore images.exe WinAmp 6 New!.exe WinAmp 5 Pro Keygen Crack Update.exe Adobe Photoshop 9 full.exe Matrix 3 Revolution English Subtitles.exe ACDSee 9.exe Recovery Please follow the instructions for removing worms. Download the IDE file from: http://www.sophos.com/downloads/ide/Bagle-W.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member