Alias: W32.Beagle.AZ@mm, W32/Bagle.bj@MM, W32/Bagle-Gen
Type: Worm
Size: 19.810 Bytes
Origin:
Date: 01-27-2005
Damage:
VDF Version: 6.29.00.83
Danger: Low
Distribution: Medium

General Description
Affected systems:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Distribution
Worm/Bagle.AX has its own SMTP engine and does not rely on an email client to send its infected emails. The emails sent by the worm can look as follows:

-Sender (FROM): %spoofed%

-SUBJECT:

-Delivery by mail
-Delivery service mail
-Is delivered mail
-Registration is accepted
-You are made active

-Email text (BODY):

-Before use read the help
-Thanks for use of our software.

-ATTACHMENT: The attachment can have one of the filenames listed below. The file extension is also chosen at random: .COM, .CPL, .EXE or .SCR.

Jol03
guupd02
siupd02
upd02
viupd02
wsd01
zupd02

The worm is also able to spread over P2P (peer-to-peer) networks, as described under Technical Details below.
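As an added illustration of the mail indicators above (this is not code from the Avira description), the following Python matches a parsed message against the listed subject lines, body lines and attachment name/extension combinations. The sample messages, the addresses and the four-byte "MZ" stand-in for the attachment are constructed; flagging a message when at least two of the three indicators match is an assumption, not a rule from the page.

```python
"""Match an RFC 822 message against the Worm/Bagle.AX mail indicators:
the five fixed subjects, the two fixed body lines, and an attachment whose
base name is one of the seven listed names with a .com/.cpl/.exe/.scr
extension. A message is flagged when at least two of the three match
(threshold is an assumption)."""
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "delivery by mail",
    "delivery service mail",
    "is delivered mail",
    "registration is accepted",
    "you are made active",
}
BODY_LINES = {
    "before use read the help",
    "thanks for use of our software.",
}
ATTACHMENT_STEMS = {"jol03", "guupd02", "siupd02", "upd02", "viupd02", "wsd01", "zupd02"}
ATTACHMENT_EXTS = {".com", ".cpl", ".exe", ".scr"}


def split_name(filename: str):
    """Return (stem, ext) in lower case; ext keeps its leading dot."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return filename.lower(), ""
    return stem.lower(), "." + ext.lower()


def score_message(raw: bytes) -> dict:
    """Parse one raw message and report which of the three indicators matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}

    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits["subject"] = subject

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part is not None else ""
    for line in BODY_LINES:
        if line in body:
            hits["body"] = line
            break

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = split_name(name)
        if stem in ATTACHMENT_STEMS and ext in ATTACHMENT_EXTS:
            hits["attachment"] = name
            break

    hits["verdict"] = "bagle_ax_pattern" if len(hits) >= 2 else "no_match"
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed test messages; the sender is made up, as the worm spoofs it anyway."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "user@example.invalid"
    if malicious:
        m["Subject"] = "Delivery by mail"
        m.set_content("Before use read the help")
        # constructed 4-byte stand-in for an executable attachment
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="upd02.exe")
    else:
        m["Subject"] = "Meeting notes"
        m.set_content("Notes attached.")
        m.add_attachment(b"notes", maintype="application",
                         subtype="octet-stream", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(score_message(build_sample(flag)))
```

The subject and body checks are deliberately exact-string matches on the lines the page lists; a gateway rule built on this would normally be combined with the attachment check rather than used alone, since the subject lines are short and generic.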

Technical Details
When Worm/Bagle.AX is executed, it deletes the following registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My AV"=
"ICQ Net"=

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My AV"=
"ICQ Net"=

It creates the following files in the Windows System Directory:

- \%SystemDIR%\sysformat.exe
- \%SystemDIR%\sysformat.exeopen
- \%SystemDIR%\sysformat.exeopenopen

and creates the following registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sysformat" = "%SystemDIR%\sysformat.exe"

If one of the following applications is active, Worm/Bagle.AX tries to terminate it.

APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
Avconsol.exe
AVENGINE.EXE
AVPUPD.EXE
Avsynmgr.exe
AVWUPD32.EXE
AVXQUAR.EXE
bawindo.exe
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
CFIAUDIT.EXE
DefWatch.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
mcagent.exe
mcshield.exe
MCUPDATE.EXE
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
NISUM.EXE
nopdb.exe
NPROTECT.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
pavProxy.exe
pavsrv50.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
symlcsvc.exe
UPDATE.EXE
UpdaterUI.exe
Vshwin32.exe
VsStat.exe
VsTskMgr.exe

The worm searches the local disks for directories whose name contains the string "SHAR" and copies itself into them under the following filenames:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
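As an added host-side check covering the registry entry, the dropped files and the "SHAR" directory copies described above (example code, not part of the Avira description), the following Python separates the matching logic from data collection: the check_* functions take plain listings so they can be run against an exported registry or directory dump anywhere, while collect_live_indicators() gathers that data on a Windows host via the standard winreg and os modules. Matching the directory name case-insensitively, and looking only at the directory's own name rather than the full path, are assumptions; the page only says the directory contains "SHAR".

```python
"""Check a host, or an offline export, for the Worm/Bagle.AX indicators:
the "Sysformat" Run value pointing at sysformat.exe, the sysformat.exe*
files in the system directory, and lure-named copies in directories whose
name contains "SHAR"."""
import os
import sys
from typing import Dict, Iterable, List, Tuple

DROPPED_FILES = ("sysformat.exe", "sysformat.exeopen", "sysformat.exeopenopen")
LURE_NAMES = {name.lower() for name in (
    "1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe",
    "9.exe", "10.exe", "Ahead Nero 7.exe", "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe", "XXX hardcore images.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
)}


def _leaf(path: str) -> str:
    """Last path component, tolerating Windows backslashes on any platform."""
    return os.path.basename(path.replace("\\", "/"))


def check_run_entries(run_values: Dict[str, str]) -> List[str]:
    """run_values maps value name -> data for one ...\\CurrentVersion\\Run key."""
    findings = []
    for name, data in run_values.items():
        target = _leaf(data.strip().strip('"')).lower()
        if name.lower() == "sysformat" or target == "sysformat.exe":
            findings.append(f"{name}={data}")
    return findings


def check_system_dir(listing: Iterable[str]) -> List[str]:
    """listing: file names (or full paths) found in the Windows system directory."""
    present = {_leaf(p).lower() for p in listing}
    return [f for f in DROPPED_FILES if f in present]


def find_share_lures(walk: Iterable[Tuple[str, List[str], List[str]]]) -> List[Tuple[str, str]]:
    """walk: (dirpath, dirnames, filenames) triples as yielded by os.walk().
    Case-insensitive match on the directory's own name is an assumption."""
    hits = []
    for dirpath, _dirnames, filenames in walk:
        if "shar" not in _leaf(dirpath).lower():
            continue
        for fn in filenames:
            if fn.lower() in LURE_NAMES:
                hits.append((dirpath, fn))
    return hits


def collect_live_indicators(scan_root: str = "") -> Dict[str, list]:
    """Gather live data on a Windows host; on other platforms every list is empty."""
    if sys.platform != "win32":
        return {"run": [], "files": [], "shares": []}
    import winreg  # Windows-only standard-library module
    run_findings = []
    for hive, sub in (
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ):
        values = {}
        try:
            with winreg.OpenKey(hive, sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:  # key missing or not readable
            continue
        run_findings.extend(check_run_entries(values))
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    files = check_system_dir(os.listdir(system_dir)) if os.path.isdir(system_dir) else []
    # walking the whole system drive is slow; pass scan_root to limit it
    root = scan_root or os.environ.get("SystemDrive", "C:") + os.sep
    shares = find_share_lures(os.walk(root))
    return {"run": run_findings, "files": files, "shares": shares}


if __name__ == "__main__":
    print(collect_live_indicators())
```

The "My AV" and "ICQ Net" Run values that the worm deletes are not checked here, because their absence on a host is not by itself evidence of infection; the presence of the "Sysformat" value and the dropped files is what identifies this variant.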

Worm/Bagle.AX searches the directories on the local disks for files that might contain email addresses, i.e. files with the following extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
Description inserted by Crony Walker on Tuesday, June 15, 2004
