Bagle.W/X/Y/Z/AA/AB worm

Two new variants of the Bagle worm have emerged - one discovered on April 26, 2004 and the second on April 28, 2004. Antivirus vendors dispute the names, thus depending on the vendor the new variants may be called Bagle.W, Bagle.X, Bagle.Y, Bagle.Z, Bagle.AA, or Bagle.AB. The most notable difference between the two variants? The name of the file dropped to the Windows system directory. The breakdown is as follows:

DRVDDLL.EXE - discovered April 28th. Aliases: Trend Micro - Bagle.Y, Symantec - Beagle.X, Panda - Bagle.AB, F-Secure - Bagle.Z, Sophos, McAfee and the rest of the world's Bagle.AA

DRVSYS.EXE - discovered April 26th. Aliases: Trend Micro - Bagle.X, Sophos - Bagle.W, Symantec - Beagle.W, Panda - Bagle.AA, F-Secure - Bagle.Y, McAfee and the rest of the world's Bagle.Z.

Both variants harvest email addresses from a wide range of file types on victim's system, using those addresses in both the From and To field of its emai, which it sends via its own SMTP engine; both dropping copies to folders containing SHAR in the name, allowing it to be spread via P2P apps (KaZaA, BearShare, etc; both removing registry edits associated with some Netsky variants and both shutting down shutdown certain antivirus and security processes found running on infected systems - leaving these systems vulnerable to future infection from even old and easily recognizable threats.

For specific details, see F-Secure's descriptions for Bagle.Y and Bagle.Z.