Summary

| How it spreads | Email and shared folders |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | November 2004 (3.87) |
| Protection available since | 29 September 2004 00:59:18 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please read the instructions for removing W32/Bagle-AZ.
More Information
W32/Bagle-AZ is a worm which spreads using email and shared folders. The worm forges the sender address of the email, so the From: header does not identify the infected machine.
Sophos anti-virus products since version 3.86 have been capable of detecting this worm as W32/Bagle-Gen without requiring an update.
Emails sent by the worm have the following characteristics:
Subject lines:
Re: Hello
Re: Hi
Re:
Re: Thank you!
Re: Thanks :)
Message texts:
:)
:))
Attached file (a .cpl Control Panel extension, which Windows runs as executable code when opened):
price.cpl
joke.cpl
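The following Python function is an added example, not part of the Sophos analysis. It matches a raw message against the subject, body and attachment indicators listed above and reports which ones hit, and it deliberately ignores the From: header because the worm forges it. The two sample messages are constructed for the example; the attachment content is placeholder bytes, not the worm.

```python
"""Match an email against the sending characteristics of W32/Bagle-AZ (example code, not Sophos's)."""
import email
from email import policy
from typing import List

# Indicators taken from the analysis above.
BAGLE_AZ_SUBJECTS = {"Re: Hello", "Re: Hi", "Re:", "Re: Thank you!", "Re: Thanks :)"}
BAGLE_AZ_BODIES = {":)", ":))"}
BAGLE_AZ_ATTACHMENTS = {"price.cpl", "joke.cpl"}


def bagle_az_indicators(raw: bytes) -> List[str]:
    """Return the Bagle-AZ indicators a raw RFC 822 message matches, in the order
    subject, body, attachments. An empty list means nothing matched.

    The From: header is deliberately not consulted: the worm forges it, so it
    identifies neither the infected machine nor anyone worth notifying.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    subject = str(msg["Subject"] or "").strip()
    if subject in BAGLE_AZ_SUBJECTS:
        hits.append(f"subject:{subject!r}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body in BAGLE_AZ_BODIES:
        hits.append(f"body:{body!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in BAGLE_AZ_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith(".cpl"):
            # Any .cpl by mail deserves a look: Control Panel extensions are executable code.
            hits.append(f"attachment:{name} (unknown .cpl)")
    return hits


def is_likely_bagle_az(raw: bytes) -> bool:
    """Flag only when one of the known attachment names matches together with at least
    one other indicator; the subject lines and bodies are far too generic on their own."""
    hits = bagle_az_indicators(raw)
    known = {f"attachment:{n}" for n in BAGLE_AZ_ATTACHMENTS}
    return any(h in known for h in hits) and len(hits) >= 2


# Constructed sample shaped like the worm's mail; the attachment is placeholder bytes, not the worm.
SAMPLE_WORM_MAIL = b"""\
From: forged.sender@example.com
To: victim@example.org
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

:))
--b1
Content-Type: application/octet-stream; name="price.cpl"
Content-Disposition: attachment; filename="price.cpl"
Content-Transfer-Encoding: base64

bm90LWEtcmVhbC1iaW5hcnk=
--b1--
"""

# Constructed benign reply that happens to share a subject line with the worm.
SAMPLE_CLEAN_MAIL = b"""\
From: colleague@example.com
To: victim@example.org
Subject: Re: Thank you!
Content-Type: text/plain; charset="us-ascii"

Thanks for the quick turnaround, see you Monday.
"""

if __name__ == "__main__":
    for label, sample in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, is_likely_bagle_az(sample), bagle_az_indicators(sample))
```

The benign sample shows why the decision in `is_likely_bagle_az` hinges on the attachment: a "Re: Thank you!" subject alone matches an indicator but is an everyday reply, whereas a .cpl attachment has no legitimate reason to arrive by email.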
The worm harvests email addresses from the files found on the hard disk.
When run, the worm creates copies of itself named bawindo.exe, bawindo.exeopen and bawindo.exeopenopen in the Windows system folder.
The worm adds the registry entry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
bawindo = %SYSTEM%\bawindo.exe
W32/Bagle-AZ copies itself into any folder whose name contains the string 'shar' (such as a file-sharing application's shared folder), using the following lure filenames:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
KAV 5.0
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
W32/Bagle-AZ deletes the following values from the registry keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so that the security products they start are no longer launched at logon:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
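The following Python script is an added example, not Sophos code. It checks a host for the artifacts described in this section: the bawindo autostart value and the dropped copies in the system folder, the lure copies in 'shar' folders, and the security-product Run values the worm deletes. Three things in it are assumptions rather than statements from the analysis: name matching is case-insensitive (registry value names are on Windows, and the analysis gives 'shar' without stating case); a caller-supplied baseline of Run value names the host is known to have had, because an absent value is only suspicious if it used to exist; and %SYSTEM% is taken as %SystemRoot%\System32 for the live check. The assess_* functions take plain data, so they can also be run against exported registry and directory listings on any platform.

```python
"""Look for the host artifacts W32/Bagle-AZ leaves behind (hypothetical example, not Sophos code)."""
import ntpath
import os
import sys
from typing import Dict, Iterable, List

# Artifacts named in the Sophos analysis.
BAGLE_AZ_FILES = {"bawindo.exe", "bawindo.exeopen", "bawindo.exeopenopen"}
BAGLE_AZ_RUN_VALUE = "bawindo"
BAGLE_AZ_DELETED_RUN_VALUES = {n.lower() for n in (
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus", "Special Firewall Service",
    "service", "Tiny AV", "ICQNet", "HtProtect", "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo",
    "SysMonXP", "EasyAV", "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng",
    "SkynetsRevenge", "ICQ Net",
)}
BAGLE_AZ_SHARE_LURES = {n.lower() for n in (
    "ACDSee 9.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe", "KAV 5.0",
    "Kaspersky Antivirus 5.0", "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe", "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe", "Opera 8 New!.exe",
    "Porno Screensaver.scr", "Porno pics arhive, xxx.exe", "Porno, sex, oral, anal cool, awesome!!.exe",
    "Serials.txt.exe", "WinAmp 5 Pro Keygen Crack Update.exe", "WinAmp 6 New!.exe",
    "Windown Longhorn Beta Leak.exe", "Windows Sourcecode update.doc.exe", "XXX hardcore images.exe",
)}


def assess_run_key(hive: str, values: Dict[str, str], baseline: Iterable[str] = ()) -> List[str]:
    """Inspect one ...\\CurrentVersion\\Run key given as {value name: command}.

    Reports the worm's own autostart value and, for every name in `baseline` (the
    security-product autostart values this host is known to have had; our addition,
    since an absent value is only suspicious if it used to exist), its absence when
    the name is on the worm's deletion list. Comparison is case-insensitive, as
    registry value names are on Windows.
    """
    findings: List[str] = []
    present = {name.lower() for name in values}
    for name, command in values.items():
        if name.lower() == BAGLE_AZ_RUN_VALUE and ntpath.basename(command).lower() == "bawindo.exe":
            findings.append(f"{hive}\\...\\Run\\{name} = {command} (Bagle-AZ autostart)")
    for name in baseline:
        if name.lower() in BAGLE_AZ_DELETED_RUN_VALUES and name.lower() not in present:
            findings.append(f"{hive}\\...\\Run\\{name} missing (on Bagle-AZ's deletion list)")
    return findings


def assess_system_folder(filenames: Iterable[str]) -> List[str]:
    """Report which of the worm's dropped copies appear among the system folder's filenames."""
    present = {n.lower() for n in filenames}
    return [f"system folder: {n} present" for n in sorted(BAGLE_AZ_FILES) if n in present]


def assess_folder(path: str, filenames: Iterable[str]) -> List[str]:
    """Report lure copies in a folder whose own name contains 'shar' (matched case-insensitively
    here; the analysis gives the substring without stating case). Other folders yield []."""
    if "shar" not in ntpath.basename(path.rstrip("\\/")).lower():
        return []
    return [f"{path}: {n} (Bagle-AZ lure)" for n in filenames if n.lower() in BAGLE_AZ_SHARE_LURES]


def collect_live(baseline: Iterable[str] = ()) -> List[str]:
    """Run the checks against this machine. Windows only; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows

    def read_run(root) -> Dict[str, str]:
        values: Dict[str, str] = {}
        with winreg.OpenKey(root, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    return values
                values[name] = str(data)
                index += 1

    findings = assess_run_key("HKCU", read_run(winreg.HKEY_CURRENT_USER), baseline)
    findings += assess_run_key("HKLM", read_run(winreg.HKEY_LOCAL_MACHINE), baseline)
    # %SYSTEM% is assumed to be %SystemRoot%\System32 (the NT-family system folder).
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    findings += assess_system_folder(os.listdir(system_dir))
    return findings


if __name__ == "__main__":
    # Pass the Run value names your security products normally register as arguments.
    for line in collect_live(baseline=sys.argv[1:]):
        print(line)
```

Finding the bawindo value or files is direct evidence of infection; a missing baseline value is weaker on its own, since products get uninstalled legitimately, but paired with the other artifacts it tells you the anti-virus or firewall on the machine was silenced and must be reinstated after cleaning.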
