W32/Bagle.AZ Worm

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex:john@company.com)

W32/Bagle.AZ Worm

Information about the W32/Bagle.AZ Worm:

W32/Bagle.AZ is an email worm. This worm is a variant of W32/Bagle.A. The worm will infect Windows systems. The worm spreads through email, shared network drives and KaZaA P2P software.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected email will be any one of the following.

Re: Thank you!
Re: Thanks :)
Re: Hello
Re: Hi
Re:

The body of the infected email will be the any one of the following;

:))
:)

It carries any one of the following infected attachments;

Joke
price
Price

The extension of the attachment may be any one of the following;

.cpl
.com
.exe
.scr
.zip

Upon execution of the attachment, the worm copies itself as bawindo.exe in the Windows System folder. It drops bawindo.exeopen and bawindo.exeopenopen, which are copies of the worm.

It alters the windows registry at the following location to load itself during next startup;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It creates several mutex to ensure only one instance of the worm is running. It terminates some variants of W32/Netsky.

____--->>>>U<<<<--____
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-
_ _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
'D'r'o'p'p'e'd'S'k'y'N'e't'

The worm attempts create copies of itself in any folder that contains the substring shar. The worm files will have the following file names:

XXX hardcore images.exe
Windows Sourcecode update.doc.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Serials.txt.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Opera 8 New!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Matrix 3 Revolution English Subtitles.exe
Kaspersky Antivirus 5.0
KAV 5.0
Ahead Nero 7.exe
Adobe Photoshop 9 full.exe
ACDSee 9.exe

The worm opens TCP port 81 and an UDP port on the infected computer.

To propagate itself, the worm scans the following extensions and collects the available email addresses from the infected system;

.xml, .xls, .wsh, .wab, .uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .nch, .msg, .mmf, .mht, .mdx, .mbx, .jsp, .htm, .eml, .dhtm, .dbx, .cgi, .cfg, .asp, .adb.

The worm also tries to terminate antivirus and security related software.

This worm first appeared on 28th September, 2004.

Other names of W32/Bagle.AZ Worm:

This Worm is also known as W32/Bagle.az@MM, W32/Bagle-AZ

Click here to download a 30 day Evaluation Copy of
Protector Plus anti virus software for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2009 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware. Protector Plus antivirus software can detect and remove W32/Bagle.AZ Worm reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus anti virus software