Infection impact
When Bagle.AY is executed, it drops a file named sysformat.exe to the Windows system directory and registers that file in the HKCU\...\Run key so the worm loads when Windows starts.
Bagle.AY attempts to kill processes associated with various security software found running on infected systems. This could prevent infected users from getting the necessary updates to detect the active infection.
Bagle.AY also deletes registry keys associated with certain Netsky variants.
Bagle.AY opens random ports, contacts the worm's author, and attempts to download a file from a large number of presumed compromised websites.
Email characteristics
The subject will be any one of the following:
- Delivery service mail
- Delivery by mail
- Registration is accepted
- Is delivered mail
- You are made active
The message body will be one of the following:
- Thanks for use of our software.
- Before use read the help
The attachment will be named one of the following:
- wsd01
- viupd02
- siupd02
- guupd02
- zupd02
- upd02
- Jol03
The file extension will be one of the following:
- COM
- CPL
- EXE
- SCR
P2P characteristics
The worm also drops copies of itself to shared folders whose folder name contains the string 'shar'. The filename will be one of the following:
- 1.exe
- 2.exe
- 3.exe
- 4.exe
- 5.scr
- 6.exe
- 7.exe
- 8.exe
- 9.exe
- 10.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
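The e-mail and share-folder indicators listed above can be turned into a simple triage check. The following is an added example written for this page, not vendor detection code; the `Message` type, the rule that a hit requires a matching attachment plus at least one text indicator, and the case-insensitive 'shar' folder match are assumptions made here for illustration.

```python
# Added example: matches constructed messages and share listings against the
# Bagle.AY indicators given on this page. Not vendor or worm code.
from dataclasses import dataclass

SUBJECTS = {"Delivery service mail", "Delivery by mail", "Registration is accepted",
            "Is delivered mail", "You are made active"}
BODIES = {"Thanks for use of our software.", "Before use read the help"}
ATTACH_NAMES = {"wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "Jol03"}
ATTACH_EXTS = {"com", "cpl", "exe", "scr"}
P2P_NAMES = {"1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe",
             "9.exe", "10.exe", "Ahead Nero 7.exe", "Windown Longhorn Beta Leak.exe",
             "Opera 8 New!.exe", "XXX hardcore images.exe", "WinAmp 6 New!.exe",
             "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
             "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe"}

@dataclass
class Message:            # minimal mail representation (assumed for this example)
    subject: str
    body: str
    attachment: str       # attachment filename, or "" if none

def attachment_matches(filename: str) -> bool:
    """True if the name is one of the worm's stems with one of its extensions."""
    stem, dot, ext = filename.rpartition(".")
    return bool(dot) and stem in ATTACH_NAMES and ext.lower() in ATTACH_EXTS

def score_message(msg: Message) -> list:
    """Return which of the page's e-mail indicators the message hits."""
    hits = []
    if msg.subject.strip() in SUBJECTS:
        hits.append("subject")
    if msg.body.strip() in BODIES:
        hits.append("body")
    if attachment_matches(msg.attachment):
        hits.append("attachment")
    return hits

def is_bagle_ay_mail(msg: Message) -> bool:
    # Assumed triage rule: the attachment indicator plus one text indicator.
    hits = score_message(msg)
    return "attachment" in hits and len(hits) >= 2

def suspicious_share_files(folder: str, filenames: list) -> list:
    """Drop-list filenames found in a folder whose name contains 'shar'."""
    if "shar" not in folder.lower():   # case-insensitive match is an assumption
        return []
    return [f for f in filenames if f in P2P_NAMES]

if __name__ == "__main__":
    sample = Message("Delivery by mail", "Before use read the help", "upd02.exe")  # constructed
    print(score_message(sample), is_bagle_ay_mail(sample))
    print(suspicious_share_files(r"C:\Shared\music", ["1.exe", "song.mp3"]))
```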
Removal / Disinfection
Manual removal is not recommended. The infection contains both a remote access and downloader component, thus the system compromise could be extensive. Use updated antivirus software to detect and remove this threat. If an active Bagle.AY infection is discovered, reformatting the compromised system should be considered.