Protector Plus Download Antivirus
Home
Download Antivirus
Antivirus Products
Order Antivirus


Antivirus Software for Windows XP/2000/2003
Antivirus Software for Windows Me/98
Antivirus Software for Exchange 2000/2003
Antivirus Software for NetWare

W32/Bagle.AY Worm

NameW32/Bagle.AY Worm
AliasesWORM_BAGLE.AZ, W32/Bagle.bk@MM, W32/Bagle.BL.worm, W32.Beagle.AZ@mm
Discovered on 26th January, 2005

 Virus Information - W32/Bagle.AY Worm:

W32/Bagle.AY is an email worm. This worm is a variant of W32/Bagle. The worm will infect Windows systems. The worm spreads through email, shared network drives and KaZaA P2P software.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected email will be any one of the following;

You are made active
Delivery by mail
Registration is accepted
Delivery service mail
Is delivered mail

The body of the infected email will be any one of the following;

Before use read the help
Thanks for use of our software.

It carries any one of the following infected attachments;

guupd02
wsd01
upd02
siupd02
zupd02
Jol03
viupd02

The extension of the infected attachment will be any one of the following;

.cpl
.scr
.exe
.com

Upon execution of the infected attachment, the worm copies itself as sysformat.exe, sysformat.exeopen and sysformat.exeopenopen in the Windows System folder.

It alters the windows registry at the following location to load itself during next startup;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates following mutex to ensure only one instance of the worm is running.

|MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The worm attempts to create copies of itself in any folder that contains the substring shar. The worm files will have the following names;

Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
9.exe
5.scr
WinAmp 5 Pro Keygen Crack Update.exe
10.exe
3.exe
Windown Longhorn Beta Leak.exe
4.exe
6.exe
Opera 8 New!.exe
1.exe
XXX hardcore images.exe
7.exe
8.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
2.exe
WinAmp 6 New!.exe

The worm attempts to connect to some websites in its pre-configured list.

The worm attempts to remove the registry entries inserted by W32/Netsky variants.

To propagate itself, the worm scans the following extensions and collects the available email addresses from the infected system;

.xml, .xls, .wsh, .wab, .uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .nch, .msg, .mmf, .mht, .mdx, .mbx, .jsp, .htm, .eml, .dhtm, .dbx, .cgi, .cfg, .asp, .adb.

The worm sends a copy of itself to all the collected email addresses using its own SMTP engine.

The worm also tries to terminate antivirus and security related software.

Anti virus for Windows Download Now!

Home Page Download Antivirus Antivirus Products Order Antivirus

Copyright © 2005 Proland Software.All rights reserved

antivirus software, anti virus software, anti virus, download antivirus, download anti virus, free antivirus, free anti virus, antivirus, download, free, windows, windows xp, xp, sp2, windows me, windows 2000, 98, 95, nt, me, 2003, netware, anti-virus, virus, worm, trojan, protector, plus, proland, virus software, spyware