W32/Bagle.AV Worm

| Name | W32/Bagle.AV Worm |
| Aliases | W32/Bagle.bc@MM, WORM_BAGLE.AN, W32.Beagle.AU@mm, Bagle, Beagle |
| Discovered on | 29th October, 2004 |
Virus Information - W32/Bagle.AV Worm:
W32/Bagle.AV is a worm and a variant of W32/Bagle.A. It infects Windows systems.
Upon execution, the worm copies itself as bawindo.exe, bawindo.exeopen and bawindo.exeopenopen in the Windows System folder. It also drops winxp.exe in the Windows System folder.
It adds an entry under the following registry key so that it is loaded again at the next startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the following mutexes to ensure that only one instance of the worm is running:
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
'D'r'o'p'p'e'd'S'k'y'N'e't'
____--->>>>U<<<<---____
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
The worm also terminates some variants of W32/Netsky.
The worm attempts to create copies of itself in any folder whose name contains the substring "shar" (for example, shared folders exposed over the network). The copies use the following file names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
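As an added example, not part of the original description, the following Python script scans a directory tree for the two file-system indicators listed above: the dropped names in the Windows System folder and the bait names in any folder whose name contains "shar". The folder names and empty files in the demo are constructed; on a real host you would point it at the actual System folder and a share root.

```python
import os
import tempfile

# Names the description says the worm drops into the Windows System folder.
DROPPED_NAMES = {"bawindo.exe", "bawindo.exeopen", "bawindo.exeopenopen", "winxp.exe"}

# Bait names the worm writes into any folder whose name contains "shar".
BAIT_NAMES = {
    "ACDSee 9.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe",
    "Kaspersky Antivirus 5.0", "KAV 5.0", "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe", "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe", "Opera 8 New!.exe",
    "Porno pics arhive, xxx.exe", "Porno Screensaver.scr", "Porno, sex, oral, anal cool, awesome!!.exe",
    "Serials.txt.exe", "WinAmp 5 Pro Keygen Crack Update.exe", "WinAmp 6 New!.exe",
    "Windown Longhorn Beta Leak.exe", "Windows Sourcecode update.doc.exe", "XXX hardcore images.exe",
}


def scan_tree(root, system_dir=None):
    """Walk `root`; return sorted (path, reason) hits. Names compare case-insensitively
    (NTFS semantics). Bait names count only inside a folder whose name contains "shar";
    dropped names count only inside `system_dir` (the Windows System folder on a host)."""
    bait = {n.lower() for n in BAIT_NAMES}
    dropped = {n.lower() for n in DROPPED_NAMES}
    sys_key = os.path.normcase(os.path.realpath(system_dir)) if system_dir else None
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        in_share = "shar" in os.path.basename(dirpath).lower()
        in_system = os.path.normcase(os.path.realpath(dirpath)) == sys_key
        for name in files:
            if in_share and name.lower() in bait:
                hits.append((os.path.join(dirpath, name), "bait copy in share folder"))
            if in_system and name.lower() in dropped:
                hits.append((os.path.join(dirpath, name), "dropped file in system folder"))
    return sorted(hits)


def demo():
    """Build a constructed tree of empty files (not real samples) and scan it."""
    root = tempfile.mkdtemp()
    sysdir, share, clean = (os.path.join(root, d) for d in ("system32", "Shared Docs", "Pictures"))
    for d in (sysdir, share, clean):
        os.makedirs(d)
    # The copy under Pictures has a bait name but is not in a "shar" folder, so it is not a hit.
    for path in (os.path.join(sysdir, "bawindo.exe"), os.path.join(sysdir, "winxp.exe"),
                 os.path.join(share, "Serials.txt.exe"), os.path.join(share, "holiday.jpg"),
                 os.path.join(clean, "Serials.txt.exe")):
        open(path, "w").close()
    return scan_tree(root, system_dir=sysdir)
```

A name match alone is not proof of infection; treat hits as leads to confirm with a scanner signature or a hash of the file.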
The worm attempts to connect to some websites in its pre-configured list.
To propagate, the worm scans files with the following extensions on the infected system and harvests the e-mail addresses found in them:
.xml, .xls, .wsh, .wab, .uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .nch, .msg,
.mmf, .mht, .mdx, .mbx, .jsp, .htm, .eml, .dhtm, .dbx, .cgi, .cfg, .asp, .adb
The worm sends a copy of itself to all the collected email addresses using its own SMTP engine.
The worm also tries to terminate antivirus and other security-related software.