Bagle.AA is a variant similar to Bagle.Z. The noteworthy
differences are:
- The worm has a different filename: 'loader_name.exe'
- A new registry value is used:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reg_key" = "%SystemDir%\loader_name.exe"
- Security applications are not terminated anymore
- The worm carries its source code inside its body
- The expiration date is set to July 6th, 2004
For more information, please see the description of Bagle.Z:
http://www.f-secure.com/v-descs/bagle_z.shtml
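The registry value and filename listed above can be checked offline against a regedit export. The following is an added example, not F-Secure's code: the function name and the sample export are constructed for illustration, and it assumes plain string values in .reg text format. It also covers per-user hives loaded under HKEY_USERS and flags partial matches (name only or file only) separately from a full match.

```python
import re

# Indicators exactly as given in the description above.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_NAME = "reg_key"
FILE_RE = re.compile(r'(?:^|[\\/"])loader_name\.exe(?=$|["\s])', re.I)

# Constructed sample in regedit export (.reg) format; not data from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"reg_key"="C:\\WINDOWS\\System32\\loader_name.exe"

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Tool\\update.exe\" /silent"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data", where either side may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def find_bagle_aa_run_entries(reg_text):
    """Return (key, value name, data, full_match) for suspicious Run entries."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        # Only string values under a ...\CurrentVersion\Run key are examined.
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        name_hit = name.lower() == VALUE_NAME
        file_hit = FILE_RE.search(data) is not None
        if name_hit or file_hit:
            hits.append((key, name, data, name_hit and file_hit))
    return hits


if __name__ == "__main__":
    for hit in find_bagle_aa_run_entries(SAMPLE_EXPORT):
        print(hit)
```

A full match (last tuple element `True`) means both the value name and the executable name agree with the description; a partial match still deserves a look at the referenced file.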
F-Secure Anti-Virus detects Bagle.AA starting from the
following update:
[FSAV_Database_Version]
Version=2004-07-04_02
Writeup:
Gergely Erdelyi, Jul 5th, 2004;
F-Secure Corporation