echo: virus_info
to: ALL
from: KURT WISMER
date: 2004-01-23 23:01:00
subject: News

[cut-n-paste from sophos.com]

W32/Bagle-A

Aliases
W32.Beagle.A@mm, Win32.Bbgle.A@mm

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-A is a worm that sends itself to addresses harvested from 
files on the hard disk. The worm spoofs the "From" field in emails it 
sends, which means that it may appear to have come from someone you 
know.

W32/Bagle-A arrives in an email with the following characteristics:

Subject line: Hi

Message text:
Test =)
[random characters]
--
Test, yep.

Attached file: .exe

The attached file may appear as a calculator icon. The worm deliberately 
launches the Calculator application as a disguise.
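
The lure characteristics listed above map directly onto a mail-gateway rule. The following is an added example, not Sophos code and not part of the original post: it checks a raw RFC 822 message for the subject, body shape, .exe attachment and spoofed From: header the description gives. The sample message, its addresses and the attachment name are constructed (the advisory only says the attachment is a .exe), and the envelope sender is assumed to be handed over by the MTA.

```python
"""Gateway check for the W32/Bagle-A lure (added example, constructed data)."""
from email import message_from_string
from email.message import Message
from typing import Optional
import re

# Indicators taken from the description: subject "Hi", body "Test =)" plus
# random characters, a "--" separator and "Test, yep." sign-off, a .exe file.
BAGLE_SUBJECT = "hi"
BAGLE_BODY_RE = re.compile(r"^\s*Test =\)\s*.*?--\s*Test, yep\.\s*$", re.S)


def score_bagle_lure(raw: str, envelope_from: Optional[str] = None) -> dict:
    """Return which Bagle-A indicators a raw message matches, plus a verdict."""
    msg: Message = message_from_string(raw)
    hits = {
        "subject": (msg.get("Subject") or "").strip().lower() == BAGLE_SUBJECT,
        "body": False,
        "exe_attachment": False,
        "from_mismatch": False,
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = part.get_filename() or ""
        if fname.lower().endswith(".exe"):
            hits["exe_attachment"] = True
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode(errors="replace")
            if BAGLE_BODY_RE.match(body):
                hits["body"] = True
    # The worm spoofs From:, so compare the header address with the envelope
    # sender the MTA saw; a mismatch on its own is only a weak signal.
    if envelope_from is not None:
        m = re.search(r"<([^>]+)>", msg.get("From", ""))
        header_from = m.group(1) if m else msg.get("From", "")
        hits["from_mismatch"] = header_from.strip().lower() != envelope_from.strip().lower()
    exe = hits["exe_attachment"]
    if exe and (hits["subject"] or hits["body"]):
        hits["verdict"] = "quarantine"
    elif exe:
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "pass"
    return hits


# Constructed sample message; addresses, boundary and attachment are made up.
SAMPLE_MESSAGE = """\
From: Alice Example <alice@example.invalid>
To: bob@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Test =)
kjhgfdsa
--
Test, yep.
--XX
Content-Type: application/octet-stream; name="attachment.exe"
Content-Disposition: attachment; filename="attachment.exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--XX--
"""

if __name__ == "__main__":
    print(score_bagle_lure(SAMPLE_MESSAGE, envelope_from="bob-pc@example.invalid"))
```

The body regex is deliberately loose about the random characters between "Test =)" and the sign-off, since those differ per message; the subject plus an .exe attachment is what drives the quarantine decision.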

W32/Bagle-A copies itself to bbeagle.exe in the Windows system folder 
and sets the following registry entry to ensure the worm is run at 
logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe

The worm also sets the following registry entries:

HKCU\Software\Windows98\uid
HKCU\Software\Windows98\frun

W32/Bagle-A includes a backdoor component which listens on TCP port 
6777. This allows an attacker to upload and execute arbitrary programs 
on infected computers.

Note that W32/Bagle-A will not activate if the system date is 28 January 
2004 or later.





Troj/Proxin-A

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Proxin-A is a backdoor Trojan. When the Trojan is run on a victim's 
computer that computer will become vulnerable to unauthorised access 
attacks.

When the Trojan is first executed the following registry setting is 
created so that the Trojan is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Window Manager





VBS/Gaggle-B

Aliases
VBS/Gaggle.B, VBS/Gaggl.D, VBS.Gaggle.B@mm, VBS_GAGGLE.C

Type
Visual Basic Script worm

Detection
At the time of writing, Sophos has received just one report of this 
worm from the wild.

Description
VBS/Gaggle-B is an email and IRC worm.

In order to run automatically when Windows starts up VBS/Gaggle-B copies 
itself to the file Gaghiel.vbs in the Windows system folder and sets the 
following registry entries to point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gaghiel
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Domain Manager\Gaghiel

The worm also drops the file Gaghiel.hta in the Windows startup folder 
and creates or overwrites the file wininit.ini in the Windows folder.

When run the VBS file will first check if the current day of the month 
is greater than twenty-five, in which case the Internet Explorer start 
page will be changed to
http://www.gratisweb.com/machinedramon1/sachiel.scr.

The worm will also calculate the sum of the day of the month and the 
month of the year and display a message box if this sum is equal to 27.

The message box will display the following Spanish text:
"Oracion antes de entrar al internet:
Satelite nuestro que estas & en el cielo,
Acelerado sea tu link,
Venga a nosotros tu hipertexto,
Hagase tu conexion en lo real como en lo virtual,
Danos hoy el download de cada dia,
Perdona el cafe en el Teclado,
Asi como nosotros perdonamos a nuestros proveedores,
No nos dejes caer la conexion,
Y libranos de todo Virus,
En nombre del Server, del Modem y del santo User-name.
Log-in.
GEDZAC LABS 2003
VBS/Gaghiel.C by MachineDramon
Hecho en el Perú, Calidad Mundial
Sachiel2015@latinmail.com, 15, Gaghiel."

VBS/Gaggle-B sends itself to all entries of the Windows address book 
and email addresses found in HTML, HTM, ASP or PHP files on the system. 
The worm uses one of the following subject lines, message texts and 
attachment filenames when sending itself:

Subject lines:
Ouija Online
Espias del mas alla
Advertencia de Envio Spam
Registro
Investigacion

Message texts:
Alguna vez tuviste curiosidad por saber los misterios de
la Ouija, ahora podras conocerlos e incluso jugarla en tu Pc
Mira el tablero interactivo que te enviamos, para obtener informacion
presiona el boton INFO o visita nuestro web:
http://www.gratisweb.com/machinedramon1/gaghiel.html

Has escuchado alguna vez de las psicofonias o videos psiquicos?
Visita nuestra web: http://www.gratisweb.com/machinedramon1/gaghiel.html
Escucha la voz de los muertos, (*$*)

Su Cuenta ha sido denunciada por el envio de Spam(Correo no Deseado).
De repetirse la situación se procederá a la clausura de su cuenta de e-mail.
Los detalles en el informe adjunto.
Atentamente Security IQEl S.A.

Su registro se ha realizado con exito, su nombre y clave de usuario
estan en el texto adjunto, así como las normas y derechos de cada usuario.
Su UserName y Clave son de uso personal y no deben ser revelados, el unico
responsable de ellos es usted
Atentamente Security IQEl S.A.

La investigación que solicitó, tardara aún en resolverse, los
resultados parciales los encontrara en el texto adjunto.
En 15 días le comunicaremos los resultados finales.
Atentamente Security IQEl S.A.

Attachment filenames:
OuijaTabler.hta
Psicofonia.hta
Informe2-p.hta
UserRegister.hta
InformeUFO.hta

The worm uses the registry entry HKCU\Software\Gedzac Labs to store 
information about successfully sent emails.

The worm creates the HTML file AngeldelMar.html in the Windows system 
folder and attempts to disable and delete several anti-virus related 
products and system tools such as regedit, sfc and msconfig.

The worm searches all folders on fixed and remote drives for files with 
the following extensions: HTML, HTM, HTA, PHP, ASP, SHTML, SHTM, PHTML, 
PHTM and SFC.

For each file found the word "Gaghiel" will be prepended to that file 
and the HTML VBScript component will be appended to the file. Any VBS or 
VBE files found on fixed or remote drives will be overwritten by the 
worm.

The Microsoft Outlook Express settings will be adjusted so that email is 
sent in HTML format using the infected file C:\Windows\Gaghiel.html as 
the stationery template. These changes will be made via the three 
entries Message Sent HTML, Compose Use Stationery and Stationery Name 
in the following registry entry:

HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\Mail

In order to spread via IRC VBS/Gaggle-B checks for an installation of 
the mIRC client and if found drops the file Mirc.chat into the 
installation folder and modifies the mirc.ini file to reference this 
file. The file Mirc.chat is detected as mIRC/Gaggle-B.

VBS/Gaggle-B might also display the error:
"Error 13
Esta Pagina Requiere Controles ActiveX para ser mostrada en su totalidad
Presione Actualizar y Acepte"





W32/Flopcopy-A

Aliases
Win32.HLLW.VB.a, Win32/HLLW.VB.A, W32.HLLW.Flopcopy, WORM_FLOPCOPY.A

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Flopcopy-A is a simple worm that spreads by copying itself to the 
floppy disk if a disk is inserted into the floppy drive.

It is intended that the worm arrives on a floppy disk as recycle.exe 
(the file icon is identical to the Windows recycling bin icon). When 
the file is run W32/Flopcopy-A copies itself into the Windows system 
folder as service.exe and creates the following registry value so that 
the worm file runs during the Windows startup process:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SYS_CLEAN

W32/Flopcopy-A enumerates open windows and if a window's caption 
starts with the characters A: the worm attempts to copy itself to drive 
A: with the filename recycle.exe.
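
All four descriptions above persist through a Run key value, drop a handful of named files, and (for W32/Bagle-A) open a TCP listener, and VBS/Gaggle-B additionally prepends "Gaghiel" to web files. The following host-triage script is an added example, not Sophos code and not from the original post: it flags those indicators in text a responder already has in hand, namely a `reg export`-style dump, a `netstat -an` listing and a table of file paths with their first bytes. The indicator values are taken from the four descriptions; the sample dump, listing, file contents and the second Run value ("ctfmon.exe") are constructed so the script runs offline.

```python
"""Triage for the persistence, backdoor and file indicators named above
(added example; all sample input is constructed)."""
import re
from typing import Dict, List

# Run-key value names and what each means, per the four descriptions.
RUN_VALUE_INDICATORS = {
    "d3dupdate.exe": "W32/Bagle-A (HKCU Run -> bbeagle.exe)",
    "Window Manager": "Troj/Proxin-A (HKLM Run)",
    "Gaghiel": "VBS/Gaggle-B (HKLM Run -> Gaghiel.vbs)",
    "SYS_CLEAN": "W32/Flopcopy-A (HKLM Run -> service.exe)",
}
# Other keys the descriptions say the malware creates.
KEY_INDICATORS = {
    r"HKEY_CURRENT_USER\Software\Windows98": "W32/Bagle-A uid/frun markers",
    r"HKEY_CURRENT_USER\Software\Gedzac Labs": "VBS/Gaggle-B sent-mail bookkeeping",
}
DROPPED_FILES = {"bbeagle.exe", "gaghiel.vbs", "gaghiel.hta", "service.exe",
                 "angeldelmar.html", "mirc.chat"}
BACKDOOR_PORT = 6777  # W32/Bagle-A backdoor listener
# Extensions VBS/Gaggle-B prepends "Gaghiel" to.
INFECTED_EXTS = {".html", ".htm", ".hta", ".php", ".asp", ".shtml", ".shtm",
                 ".phtml", ".phtm", ".sfc"}


def scan_reg_export(reg_text: str) -> List[str]:
    """Flag indicator keys and Run values in a reg export dump."""
    findings, current_key = [], ""
    for line in reg_text.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m:  # a new key header
            current_key = m.group(1)
            for key, why in KEY_INDICATORS.items():
                if current_key.lower().startswith(key.lower()):
                    findings.append(f"{current_key}: {why}")
            continue
        if current_key.lower().endswith(r"\currentversion\run"):
            v = re.match(r'^"([^"]+)"=', line.strip())
            if v and v.group(1) in RUN_VALUE_INDICATORS:
                findings.append(f"{current_key}\\{v.group(1)}: {RUN_VALUE_INDICATORS[v.group(1)]}")
    return findings


def scan_netstat(netstat_text: str) -> List[str]:
    """Flag a TCP listener on the Bagle-A backdoor port in netstat -an output."""
    findings = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "TCP" and cols[-1] == "LISTENING":
            if int(cols[1].rsplit(":", 1)[1]) == BACKDOOR_PORT:
                findings.append(f"TCP listener on {cols[1]}: W32/Bagle-A backdoor port")
    return findings


def scan_files(files: Dict[str, bytes]) -> List[str]:
    """Flag dropped worm files and web files that now start with 'Gaghiel'."""
    findings = []
    for path, head in files.items():
        name = path.rsplit("\\", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if name in DROPPED_FILES:
            findings.append(f"{path}: dropped file named in the descriptions")
        elif ext in INFECTED_EXTS and head.startswith(b"Gaghiel"):
            findings.append(f"{path}: web file prepended with 'Gaghiel' (VBS/Gaggle-B)")
    return findings


def triage(reg_text: str, netstat_text: str, files: Dict[str, bytes]) -> List[str]:
    return scan_reg_export(reg_text) + scan_netstat(netstat_text) + scan_files(files)


# Constructed sample input; "ctfmon.exe", the addresses and the web paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="C:\\WINDOWS\\SYSTEM32\\bbeagle.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"uid"="12345"
"frun"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SYS_CLEAN"="C:\\WINDOWS\\SYSTEM32\\service.exe"
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1032        198.51.100.7:25        ESTABLISHED
"""
SAMPLE_FILES = {
    r"C:\WINDOWS\SYSTEM32\bbeagle.exe": b"MZ(constructed stub)",
    r"C:\Inetpub\wwwroot\index.html": b"Gaghiel<html>...",
    r"C:\Inetpub\wwwroot\about.htm": b"<html>clean</html>",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES):
        print(finding)
```

Run it against real exports and listings only after they have been collected from the suspect host; the value-name match is exact and case-sensitive, which keeps the rule narrow, while the "Gaghiel" prefix check is what catches the modified web files that a filename-only search would miss.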

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
