Summary

| How it spreads | Email attachments; peer-to-peer shared folders |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | March 2005 (3.91) |
| Protection available since | 27 January 2005 10:56:23 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
On Windows NT/2000/XP/2003 you will also need to remove the registry entry below. Removing this entry is optional on Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the following entry under HKEY_LOCAL_MACHINE:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
sysformat
%SYSTEM%\sysformat.exe
Delete the 'sysformat' value if it exists (%SYSTEM% stands for the Windows system folder; the value data will show the actual path).
Close the registry editor.
More Information
W32/Bagle-AY is a mass-mailing and peer-to-peer worm.
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Bagle-AY (detected as W32/Bagle-Gen) since version 3.87.
When first run, the worm copies itself to the Windows system folder as sysformat.exe and creates the following registry entry so that it is started again at each user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
sysformat
%SYSTEM%\sysformat.exe
W32/Bagle-AY will also attempt to copy itself into any folder whose name contains the string 'shar' (which catches the shared folders used by peer-to-peer file-sharing software), using all of the following filenames:
1.exe
10.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
XXX hardcore images.exe
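As an added example (not Sophos code), the following Python script turns the registry entry and the dropped and peer-to-peer filenames above into a host triage check. The indicator values are taken from this page (including the re_file.exe download target mentioned later on it); the function names, the scan logic, the sample paths and the use of %SystemRoot%\system32 as the Windows system folder are this example's own assumptions. The registry check matches on the executable's basename because the registry holds the expanded path, not the %SYSTEM% placeholder used in the description.

```python
"""Host triage for the W32/Bagle-AY artefacts described on this page.

Added example, not Sophos code: indicator values are from the page; function
names, scan logic and sample paths are this example's own assumptions.
"""
import os
import sys

# Autorun value the worm creates under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_VALUE_NAME = "sysformat"
DROPPED_BASENAME = "sysformat.exe"
# Filename the worm uses for components it downloads into the system folder.
DOWNLOADED_BASENAME = "re_file.exe"

# Filenames the worm drops into any folder whose name contains "shar".
P2P_FILENAMES = frozenset(n.lower() for n in [
    "1.exe", "10.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe",
    "8.exe", "9.exe", "ACDSee 9.exe", "Adobe Photoshop 9 full.exe",
    "Ahead Nero 7.exe", "Matrix 3 Revolution English Subtitles.exe",
    "Opera 8 New!.exe", "WinAmp 5 Pro Keygen Crack Update.exe",
    "WinAmp 6 New!.exe", "Windown Longhorn Beta Leak.exe",
    "XXX hardcore images.exe",
])


def _split(path):
    """Split a Windows or POSIX path into (parent folders, basename)."""
    parts = path.replace("\\", "/").split("/")
    return parts[:-1], parts[-1]


def is_bagle_run_value(name, data):
    """True if a Run value is the worm's autorun entry.

    Matches on the executable's basename: the registry holds the expanded
    path (e.g. C:\\WINDOWS\\system32\\sysformat.exe), not the %SYSTEM% placeholder.
    """
    _, exe = _split(data.strip().strip('"'))
    return name.strip().lower() == RUN_VALUE_NAME and exe.lower() == DROPPED_BASENAME


def is_share_drop(path):
    """True if path is one of the worm's peer-to-peer copies: a listed filename
    placed directly in a folder whose name contains 'shar' ('Shared', 'share', ...)."""
    folders, name = _split(path)
    return bool(folders) and "shar" in folders[-1].lower() and name.lower() in P2P_FILENAMES


def find_share_drops(root):
    """Walk root and return the paths of peer-to-peer copies found under it."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if is_share_drop(os.path.join(d, f))]


def scan_windows_host():
    """Windows-only collection: read the Run key and look for the dropped files.

    Assumes the system folder is %SystemRoot%\\system32 (NT-family Windows).
    """
    import winreg  # Windows-only module, so imported here rather than at the top
    findings = []
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    index = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:          # raised once there are no more values
            break
        if is_bagle_run_value(name, str(data)):
            findings.append(("run_value", name, str(data)))
        index += 1
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    for base in (DROPPED_BASENAME, DOWNLOADED_BASENAME):
        candidate = os.path.join(system_dir, base)
        if os.path.exists(candidate):
            findings.append(("dropped_file", candidate))
    for drive in "CDEFGH":
        root = drive + ":\\"
        if os.path.isdir(root):
            findings.extend(("p2p_copy", p) for p in find_share_drops(root))
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":
        for finding in scan_windows_host():
            print(*finding)
    else:
        # Constructed sample paths, so the matchers can be exercised off-box.
        for sample in [r"C:\Program Files\KaZaA\My Shared Folder\Opera 8 New!.exe",
                       r"C:\Users\bob\Desktop\1.exe"]:
            print(sample, is_share_drop(sample))
```

The matchers are kept separate from the collection so the same logic can be run over an exported registry hive or a file listing taken from an image, not only on the live host; a hit on the Run value or on sysformat.exe in the system folder is enough to treat the machine as infected, and the peer-to-peer copies then show which shared folders need cleaning.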
The worm searches all local drives for files with the following extensions and harvests email addresses from them:
ADB
ASP
CFG
CGI
DBX
DHTM
EML
HTM
JSP
MBX
MDX
MHT
MMF
MSG
NCH
ODS
OFT
PHP
PL
SHT
SHTM
STM
TBB
TXT
UIN
WAB
WSH
XLS
XML
Emails generated by the worm have the following characteristics:
Subject line chosen from:
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Message text chosen from:
Thanks for use of our software.
Before use read the help
Attachment name chosen from the following, with an extension chosen from EXE, SCR, CPL and COM:
guupd02
Jol03
siupd02
upd02
viupd02
wsd01
zupd02
W32/Bagle-AY will also attempt to terminate various anti-virus and security-related processes, and to download further components from a number of websites, saving them as re_file.exe in the Windows system folder.
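As an added example (not Sophos code), the following Python script applies the message characteristics listed above as a mail-gateway check: it parses an RFC 822 message, compares the subject and the text body against the listed strings, and flags attachments whose base name and extension both match the lists. The strings are from this page; the function names, the constructed sample message (its addresses and the stub base64 body included) and the choice to report each matched indicator separately are this example's own assumptions.

```python
"""Mail-gateway check for the W32/Bagle-AY message characteristics on this page.

Added example, not Sophos code: the strings are from the page; function names,
the scoring and the sample message are this example's own assumptions.
"""
import email
import os
from email import policy

SUBJECTS = {s.lower() for s in [
    "Delivery service mail", "Delivery by mail", "Registration is accepted",
    "Is delivered mail", "You are made active",
]}
BODY_TEXTS = {t.lower() for t in [
    "Thanks for use of our software.", "Before use read the help",
]}
ATTACHMENT_BASES = {b.lower() for b in [
    "guupd02", "Jol03", "siupd02", "upd02", "viupd02", "wsd01", "zupd02",
]}
ATTACHMENT_EXTS = {".exe", ".scr", ".cpl", ".com"}


def is_bagle_attachment_name(filename):
    """True if the attachment name is one of the listed bases with a listed extension."""
    base, ext = os.path.splitext(filename.strip().lower())
    return base in ATTACHMENT_BASES and ext in ATTACHMENT_EXTS


def classify(subject, body, attachment_names):
    """Return the list of indicators matched by a message's fields."""
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    if body.strip().lower() in BODY_TEXTS:
        hits.append("body")
    for name in attachment_names:
        if is_bagle_attachment_name(name):
            hits.append("attachment:" + name)
    return hits


def classify_rfc822(raw):
    """Parse a raw message and classify it from its subject, plain-text body
    and attachment filenames."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return classify(msg.get("Subject", ""), body, names)


# Constructed sample that follows the page's description; not a captured message.
SAMPLE = """\
From: alice@example.com
To: bob@example.net
Subject: Delivery by mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Thanks for use of our software.
--b1
Content-Type: application/octet-stream; name="upd02.exe"
Content-Disposition: attachment; filename="upd02.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAA
--b1--
"""

if __name__ == "__main__":
    print(classify_rfc822(SAMPLE))
```

Any executable attachment from an unknown sender is worth quarantining on its own; the lure strings mainly serve to attribute a sample to this family. With a real message feed, pass the raw bytes to email.message_from_bytes instead of message_from_string, since the subject and filenames may be encoded.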
