W32/Bagle.AY Worm

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Bagle.AY Worm

Information about the W32/Bagle.AY Worm:

W32/Bagle.AY is an email worm. This worm is a variant of W32/Bagle. The worm will infect Windows systems. The worm spreads through email, shared network drives and KaZaA P2P software.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected email will be any one of the following;

You are made active
Delivery by mail
Registration is accepted
Delivery service mail
Is delivered mail

The body of the infected email will be any one of the following;

Before use read the help
Thanks for use of our software.

It carries any one of the following infected attachments;

guupd02
wsd01
upd02
siupd02
zupd02
Jol03
viupd02

The extension of the infected attachment will be any one of the following;

.cpl
.scr
.exe
.com

Upon execution of the infected attachment, the worm copies itself as sysformat.exe, sysformat.exeopen and sysformat.exeopenopen in the Windows System folder.

It alters the windows registry at the following location to load itself during next startup;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates following mutex to ensure only one instance of the worm is running.

|MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The worm attempts to create copies of itself in any folder that contains the substring shar. The worm files will have the following names;

Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
9.exe
5.scr
WinAmp 5 Pro Keygen Crack Update.exe
10.exe
3.exe
Windown Longhorn Beta Leak.exe
4.exe
6.exe
Opera 8 New!.exe
1.exe
XXX hardcore images.exe
7.exe
8.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
2.exe
WinAmp 6 New!.exe

The worm attempts to connect to some websites in its pre-configured list.

The worm attempts to remove the registry entries inserted by W32/Netsky variants.

To propagate itself, the worm scans the following extensions and collects the available email addresses from the infected system;

.xml, .xls, .wsh, .wab, .uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .nch, .msg, .mmf, .mht, .mdx, .mbx, .jsp, .htm, .eml, .dhtm, .dbx, .cgi, .cfg, .asp, .adb.

The worm sends a copy of itself to all the collected email addresses using its own SMTP engine.

The worm also tries to terminate antivirus and security related software.

This worm first appeared on 26th January, 2005.

Other names of W32/Bagle.AY Worm:

This Worm is also known as WORM_BAGLE.AZ, W32/Bagle.bk@MM, W32/Bagle.BL.worm, W32.Beagle.AZ@mm.

Download the FREE Evaluation copy of Protector Plus antivirus software

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2009 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware. Protector Plus antivirus software can detect and remove W32/Bagle.AY Worm reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus anti virus software