Virus Bagle (Beagle)
This is a worm. It creates the following files (a copy of the worm with randomly appended data) depending on the version of the virus:
%System%\sysxp.exe, %System%\sysxp.exeopen (bagle.ab)
%System%\winxp.exe (bagle.ag, bagle.ai)
%System%\winxp.exeopen (beagle.ag)
%System%\i11r54n4.exe (bagle.h)
%System%\WINUPD.EXE (bagle.n)
%System%\drvsys.exe (bagle.Y)
%System%\drvddll.exe (bagle.Z)
%System%\bawindo.exe (bagle.as)
%System%\WINGO.EXE, %System%\WINDLL.EXE (bagle.at)
Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
The worm adds the following values to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when Windows starts:
"key" = "%System%\sysxp.exe"
"rate.exe" = "C:\WINNT\SYSTEM32\i11r54n4.exe" (beagle.h)
"winupd.exe" = "%System%\winupd.exe" (beagle.n)
"drvsys.exe" = "C:\WINNT\SYSTEM32\drvsys.exe" (beagle.Y)
"drvddll.exe" = "C:\WINNT\SYSTEM32\drvddll.exe" (beagle.Z)
"bawindo" = "%system%\bawindo.exe" (beagle.as)
"wingo" = "C:\WINNT\SYSTEM32\WINGO.EXE" (beagle.at, beagle.au)
"erthgdr" = "%SysDir%\WINDLL.EXE" (beagle.at)
It searches the files on the computer for email addresses and sends email messages to any addresses found.
This worm attempts to terminate the processes of security programs.
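A check for the Run values and file names listed above, as an added example that is not part of the original page or AnVir's tooling. It parses the text printed by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and reports values that point at one of the listed file names inside a System folder. The function name `find_bagle_run_values` and the sample output are constructed for illustration.

```python
import ntpath
import re

# File names the page lists under %System%, with the variant labels from its file list.
BAGLE_FILES = {
    "sysxp.exe": "bagle.ab", "winxp.exe": "bagle.ag, bagle.ai",
    "i11r54n4.exe": "bagle.h", "winupd.exe": "bagle.n",
    "drvsys.exe": "bagle.Y", "drvddll.exe": "bagle.Z",
    "bawindo.exe": "bagle.as", "wingo.exe": "bagle.at", "windll.exe": "bagle.at",
}
# Default System folders from the page's note, plus the unexpanded variables it uses.
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32",
               "%system%", "%sysdir%"}
# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Executable path at the start of the data, with or without an opening quote.
EXE_PATH = re.compile(r'"?(.*?\.exe)', re.IGNORECASE)

def find_bagle_run_values(reg_query_output):
    """Return (value name, path, variant) for Run values matching the page's file names."""
    hits = []
    for line in reg_query_output.splitlines():
        value = VALUE_LINE.match(line)
        if not value:
            continue  # key header or blank line
        exe = EXE_PATH.match(value["data"].strip())
        if not exe:
            continue
        path = exe.group(1).lower()
        folder, base = ntpath.split(path)
        # Require both the file name and a System folder, so a same-named
        # program installed elsewhere is not reported.
        if base in BAGLE_FILES and folder in SYSTEM_DIRS:
            hits.append((value["name"], path, BAGLE_FILES[base]))
    return hits

# Constructed sample output, not taken from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    drvsys.exe    REG_SZ    C:\WINNT\SYSTEM32\drvsys.exe
    erthgdr    REG_SZ    "C:\Windows\System32\WINDLL.EXE"
    Backup Tool    REG_SZ    "C:\Program Files\Tools\wingo.exe" /quiet
"""

if __name__ == "__main__":
    for name, path, variant in find_bagle_run_values(SAMPLE_REG_QUERY):
        print(f"{name}: {path} ({variant})")
```

A match is a lead for closer inspection of the file, since the check relies on names and locations only.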
© Copyright 2000-2008 AnVir Software. All Rights Reserved.