McAfee calls this one "W32/Bagle.az@MM", and you called it correctly. A third party has the virus, and it is spoofing the address fields.
Some info from their web site:
This is a mass-mailing worm with the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* contains a remote access component
* copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
Mail Propagation
The details are as follows:
From : (address is spoofed)
Subject :
* Re:
* Re: Hello
* Re: Thank you!
* Re: Thanks
* Re: Hi
Body Text:
*
*
)
Attachment: (with an extension of .exe, .scr, .com or .cpl)
* Price
* price
* Joke
The virus copies itself into the Windows System directory as BAWINDO.EXE. For example:
* C:\WINDOWS\SYSTEM32\bawindo.exe
It also creates other files in this directory to perform its functions:
* C:\WINDOWS\SYSTEM32\bawindo.exeopen
* C:\WINDOWS\SYSTEM32\bawindo.exeopenopen
The following Registry key is added to hook system startup:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
* 'D'r'o'p'p'e'd'S'k'y'N'e't'
* _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
* [SkyNet.cz]SystemsMutex
* AdmSkynetJklS003
* ____--->>>>U<<<<--____
* _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
The worm opens port 81 (TCP) and a random UDP port on the victim machine.
"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."
"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
