WORM_BAGLE.AZ
Overview

Malware type: Worm

Aliases: HackTool.Win32.Pexer (Kaspersky), New Malware.bj !! (McAfee), W32.Beagle.gen (Symantec), Worm/Bagle.AX.var (Avira), W32/Bagle-BK (Sophos)

In the wild: Yes

Language: English

Platform: Windows 95, 98, ME, 2000, XP

Encrypted: No

Damage potential:

High

Distribution potential:

High

Description: 

As of January 27, 2005 1:42 AM PST (Pacific Standard Time/GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AZ. TrendLabs has received several infection reports indicating that this malware is spreading in US, China, and Japan.

For a one-glance, comprehensive view of this worm's behavior, refer to the Behavior Diagram shown below.

WORM_BAGLE.AZ Behavior Diagram

Malware Overview

This WORM_BAGLE variant arrives on a system as an email attachment. It sends copies of itself to all email addresses it gathers from files with certain extensions but skips those addresses that contain particular strings.

Users should be wary of the email messages that it sends, which have the following details:

Subject: (any of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Message body: (any of the following)
Thanks for use of our software.
Before use read the help

Attachments: (any of the following file names)
guupd02
Jol03
siupd02
upd02
viupd02
wsd01
zupd02

(with any of the following extensions)
COM
CPL
EXE
SCR

The email is spoofed and may appear to have come from a familiar email address. As a general rule, users should avoid opening the attachments of unsolicited email.

Network administrators may notice an increase in SMTP (port 25) traffic and can choose to block email with the outlined characteristics.

This worm drops a copy of itself using the following file names into the Windows system folder:

  • sysformat.exe
  • sysformat.exeopen
  • sysformat.exeopenopen

It also looks for folders whose names contain the string "shar", assumes that these folders are shared, and drops copies of itself into them using file names with EXE extensions.

Network administrators can choose to block the download of files associated with this worm.
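The following Python script is an added example and is not Trend Micro's code. It turns the email characteristics and the dropped file names listed in this entry into two defensive checks: a mail-filter check that reports which listed subject, body line, or attachment name a message matches, and a host-side scan that looks for the dropped copies. The sample messages and the directory tree are constructed for the demonstration; the share-folder rule (flagging any EXE file under a folder whose name contains "shar") is an assumption for illustration, since the entry does not name the files dropped there.

```python
"""Added example (not Trend Micro's code): match messages and files
against the WORM_BAGLE.AZ indicators listed in the encyclopedia entry."""
import email
import os
import shutil
import tempfile
from email import policy

# Indicators transcribed from the entry (compared case-insensitively).
SUBJECTS = {
    "delivery service mail", "delivery by mail", "registration is accepted",
    "is delivered mail", "you are made active",
}
BODY_LINES = {"thanks for use of our software.", "before use read the help"}
ATTACH_NAMES = {"guupd02", "jol03", "siupd02", "upd02", "viupd02", "wsd01", "zupd02"}
ATTACH_EXTS = {".com", ".cpl", ".exe", ".scr"}
DROPPED_NAMES = {"sysformat.exe", "sysformat.exeopen", "sysformat.exeopenopen"}


def attachment_is_suspect(filename):
    """True when both the base name and the extension are on the listed sets."""
    if not filename:
        return False
    base, ext = os.path.splitext(filename.strip().lower())
    return base in ATTACH_NAMES and ext in ATTACH_EXTS


def check_message(raw):
    """Return the indicators one RFC 822 message matches, as 'kind:value' strings."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename()
            if attachment_is_suspect(name):
                hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain":
            for line in part.get_content().splitlines():
                if line.strip().lower() in BODY_LINES:
                    hits.append("body:" + line.strip())
    return hits


def should_block(raw):
    """Block on a listed attachment name, or on subject and body matching together."""
    kinds = {h.split(":", 1)[0] for h in check_message(raw)}
    return "attachment" in kinds or {"subject", "body"} <= kinds


def find_dropped_copies(root):
    """Walk *root* for the dropped file names; also flag EXE files under any
    folder whose name contains 'shar' (assumed heuristic, see lead-in)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        share_like = "shar" in os.path.basename(dirpath).lower()
        for name in files:
            lower = name.lower()
            if lower in DROPPED_NAMES or (share_like and lower.endswith(".exe")):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


# Constructed sample messages (not real captures).
SAMPLE = """\
From: friend@example.com
To: you@example.com
Subject: Delivery service mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thanks for use of our software.
--b1
Content-Type: application/octet-stream; name="upd02.exe"
Content-Disposition: attachment; filename="upd02.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""
BENIGN = "From: a@example.com\nSubject: Meeting notes\n\nSee you at noon.\n"


def demo_host_scan():
    """Build a constructed temp tree, scan it, and return the flagged base names."""
    root = tempfile.mkdtemp(prefix="bagle_demo_")
    system = os.path.join(root, "WINDOWS", "system32")
    share = os.path.join(root, "Shared Documents")
    os.makedirs(system)
    os.makedirs(share)
    for path in (os.path.join(system, "sysformat.exeopen"),
                 os.path.join(system, "notepad.exe"),
                 os.path.join(share, "upd02.exe"),
                 os.path.join(share, "readme.txt")):
        with open(path, "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes only, not real file content
    try:
        return sorted(os.path.basename(p) for p in find_dropped_copies(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("matches:", check_message(SAMPLE), "block:", should_block(SAMPLE))
    print("flagged files:", demo_host_scan())
```

The attachment rule requires both a listed base name and a listed extension, so a legitimate upd02.txt or report.exe is not flagged; the subject and body strings are weak on their own and only count together, which keeps the filter from blocking ordinary mail that happens to reuse one phrase.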

In addition, this worm displays varied icons and terminates several processes, most of which are related to antivirus and security programs.

This worm ceases to perform most of its malicious routines when the date is April 25, 2006 and later.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jan. 26, 2005 8:47:01 PM GMT -0800
