This worm spreads via the Internet as an attachment to infected messages. It sends itself to all email addresses found on the victim machine. It also spreads via P2P networks and shared network resources.
The worm itself is a PE EXE file, 19KB or more in size.
Installation
Once launched, the worm copies itself to the Windows system directory under the following names:
- %System%\sysformat.exe
- %System%\sysformat.exeopen
- %System%\sysformat.exeopenopen
It then registers itself in the system registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sysformat" = "%System%\sysformat.exe"
This ensures that a copy of the worm will be launched each time the victim machine is rebooted.
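The following triage check is an added example, not part of the original description: it matches the Run value and the file names listed above against `reg query` output and a file listing collected from a host. The sample data is constructed, and treating %System% as C:\WINDOWS\system32 is an assumption.

```python
import ntpath
import re

# Indicators from the description above (compared case-insensitively).
RUN_VALUE = "sysformat"
DROPPED_NAMES = {"sysformat.exe", "sysformat.exeopen", "sysformat.exeopenopen"}

# A value line of `reg query` output: 4 spaces, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample input; %System% is assumed to be C:\WINDOWS\system32.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Sysformat    REG_SZ    C:\WINDOWS\system32\sysformat.exe
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\SYSFORMAT.EXEOPEN",
]


def parse_reg_query(text):
    """Return {value name: data} parsed from `reg query <Run key>` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group("name")] = match.group("data").strip()
    return values


def find_indicators(run_values, file_paths):
    """Return (kind, item) pairs for Run values and files matching the worm."""
    hits = []
    for name, data in run_values.items():
        target = ntpath.basename(data.strip().strip('"')).lower()
        if name.lower() == RUN_VALUE or target in DROPPED_NAMES:
            hits.append(("run", name))
    for path in file_paths:
        if ntpath.basename(path).lower() in DROPPED_NAMES:
            hits.append(("file", path))
    return hits


if __name__ == "__main__":
    for kind, item in find_indicators(parse_reg_query(SAMPLE_REG), SAMPLE_FILES):
        print(kind, item)
```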
Propagation via email
Bagle.ax searches the victim machine for files with the following extensions:
- adb
- asp
- cfg
- cgi
- dbx
- dhtm
- eml
- htm
- jsp
- mbx
- mdx
- mht
- mmf
- msg
- nch
- ods
- oft
- php
- pl
- sht
- shtm
- stm
- tbb
- txt
- uin
- wab
- wsh
- xls
- xml
