Bagle.AZ worm
Bagle.AZ attempts to kill processes associated with various security software found running on infected systems. This can prevent the security software on an infected system from receiving the updates it needs to detect the active infection.
In addition, Bagle.AZ attempts to download files from remote websites.
Email characteristics
Subject: (one of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help
Message Body: (one of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help
Attachment: (one of the following)
wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03
File extension: (one of the following)
com
cpl
exe
scr
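As an added defender's example (not part of the original description), the e-mail characteristics above can be turned into a simple mail-gateway triage check. The script below parses a message with the Python standard library and reports which of the listed indicators it matches: a Subject or plain-text body equal to one of the phrases, and an attachment whose base name and extension both come from the lists. The sample messages are constructed here for illustration, not real captures.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the Bagle.AZ e-mail characteristics above.
# The worm uses the same phrase list for both the Subject and the body.
BAGLE_AZ_TEXTS = {
    "Delivery service mail",
    "Delivery by mail",
    "Registration is accepted",
    "Is delivered mail",
    "You are made active",
    "Thanks for use of our software.",
    "Before use read the help",
}
BAGLE_AZ_ATTACHMENT_BASES = {
    "wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "jol03",
}
BAGLE_AZ_EXTENSIONS = {"com", "cpl", "exe", "scr"}


def split_attachment_name(filename):
    """Return (base, extension) lower-cased; extension is '' when missing."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename.lower(), ""
    return base.lower(), ext.lower()


def score_message(msg):
    """Return the list of Bagle.AZ indicators matched by a parsed message.

    Labels are 'subject', 'body' and 'attachment:<filename>'. A message
    matching all three is a strong quarantine candidate; a subject-only
    match is weak, since the phrases are ordinary English.
    """
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject in BAGLE_AZ_TEXTS:
        hits.append("subject")
    text_part = msg.get_body(preferencelist=("plain",))
    if text_part is not None and text_part.get_content().strip() in BAGLE_AZ_TEXTS:
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        base, ext = split_attachment_name(name)
        if base in BAGLE_AZ_ATTACHMENT_BASES and ext in BAGLE_AZ_EXTENSIONS:
            hits.append("attachment:" + name)
    return hits


def triage_raw_message(raw_bytes):
    """Parse an RFC 822 message from bytes and score it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return score_message(msg)


def build_sample_message(subject, body, attachment_name):
    """Construct a sample message (test data, not a real Bagle.AZ capture).

    The attachment payload is a few inert bytes; only its name matters here.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(
        b"not an executable",
        maintype="application",
        subtype="octet-stream",
        filename=attachment_name,
    )
    return msg.as_bytes()


if __name__ == "__main__":
    suspicious = build_sample_message("Delivery by mail", "Registration is accepted", "guupd02.exe")
    benign = build_sample_message("Meeting notes", "See attached.", "notes.pdf")
    print(triage_raw_message(suspicious))  # ['subject', 'body', 'attachment:guupd02.exe']
    print(triage_raw_message(benign))      # []
```

The attachment check deliberately requires both a listed base name and a listed extension, because names like upd02 on their own are too short to be a useful signal; in a real gateway rule the attachment match would be the primary indicator and the text phrases corroborating evidence.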
P2P characteristics
The worm also drops copies of itself into shared folders whose folder name contains the string 'shar'. The filename will be one of the following:
1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
When Bagle.AZ is executed, it drops a file named sysformat.exe to the Windows system directory and registers that file in the HKCU..\Run key so the worm loads when Windows starts. The worm also drops 'sysformat.exeopen' and 'sysformat.exeopenopen' to the Windows system directory.
Note: By default, the Windows system directory is:
Windows 95/98/ME  --> C:\Windows\System
Windows NT/2000   --> C:\Winnt\System32
Windows XP        --> C:\Windows\System32
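As an added example for incident responders (not part of the original description), the host artifacts listed above can be checked with a short filesystem scan: the three files dropped into the Windows system directory, and worm-named copies inside folders whose name contains 'shar'. The scan takes the system directory as a parameter so it works with any of the default paths listed in the note; the demo tree it builds is a constructed sample in a temporary directory, not data from a real infection. The page abbreviates the persistence entry as HKCU..\Run; a registry check would need winreg on a Windows host and is left out here so the example runs anywhere.

```python
import os
import tempfile
from pathlib import Path

# Files Bagle.AZ writes to the Windows system directory (from the description above).
DROPPED_FILES = {"sysformat.exe", "sysformat.exeopen", "sysformat.exeopenopen"}

# Names used for the copies placed in P2P share folders, lower-cased for comparison.
P2P_COPY_NAMES = {name.lower() for name in (
    "1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe", "9.exe", "10.exe",
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "ACDSee 9.exe",
)}


def find_dropped_files(system_dir):
    """Return the names of Bagle.AZ drop files present in the system directory."""
    system_dir = Path(system_dir)
    return sorted(p.name for p in system_dir.iterdir()
                  if p.is_file() and p.name.lower() in DROPPED_FILES)


def find_p2p_copies(root):
    """Walk root and return relative paths of worm-named files in 'shar' folders.

    Only directories whose own name contains 'shar' (Shared, share, ...) are
    inspected, mirroring the worm's targeting rule; the same names in any
    other folder are not reported, which keeps the result low-noise.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" not in Path(dirpath).name.lower():
            continue
        for name in filenames:
            if name.lower() in P2P_COPY_NAMES:
                hits.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(hits)


def scan_host(root, system_dir):
    """Combine both checks into one report dictionary."""
    return {"dropped": find_dropped_files(system_dir), "p2p_copies": find_p2p_copies(root)}


def build_demo_tree():
    """Create a throwaway tree imitating an infected host (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="bagle_az_demo_"))
    system_dir = root / "System32"
    system_dir.mkdir()
    for name in ("sysformat.exe", "sysformat.exeopen", "kernel32.dll"):
        (system_dir / name).write_bytes(b"placeholder")
    shared = root / "Shared"
    shared.mkdir()
    (shared / "Opera 8 New!.exe").write_bytes(b"placeholder")
    (shared / "readme.txt").write_bytes(b"placeholder")
    docs = root / "Documents"
    docs.mkdir()
    (docs / "1.exe").write_bytes(b"placeholder")  # not in a share folder: not reported
    return str(root), str(system_dir)


if __name__ == "__main__":
    demo_root, demo_system = build_demo_tree()
    print(scan_host(demo_root, demo_system))
```

On a live Windows host you would pass the real drive root and the system directory from the note above; the 'shar' filter is what the worm itself uses to pick folders, so applying the same filter keeps the scan from flagging an unrelated 1.exe in a user's Documents folder.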
Removal
Use up-to-date antivirus software to detect and remove this threat automatically. To remove the worm manually, delete the files dropped or created by the worm and revert any registry edits it made.