Win32/Bagle.X

Created: 2007-06-25, 20:35:40
Last updated on: 2010-11-26, 09:23:14

Platform: Win32
Type: worm
Size: 37898 bytes
Date: 2004-04-26
Deactivates: 2005-01-25 (expiry date built into the worm, after which it no longer activates)

Compressor: UPX
Language: Visual C++
Affected operating system(s): Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 all...
Not affected operating system(s): Windows 3.xx, DOS, Linux, Unix, Solaris all...

Naming

Different antivirus products use different names for the same virus or worm. A single product may even use several names for different copies of one sample, or apply one name to distinct pieces of malware. The list below gives the names used by the most widespread antivirus products; names can also vary between versions of the same product.

antivirus naming
Avast Win32:Beagle-Y
AVG I-Worm/Bagle.AA
BitDefender Win32.Bagle.W@mm.damaged
e-Trust Win32/Bagle.W
F-PROT W32/Bagle.Y@mm
F-Secure Email-Worm.Win32.Bagle.y
Ikarus MalwareScope.Trojan-PWS.Pinch.1
Kaspersky Email-Worm.Win32.Bagle.y
McAfee W32/Bagle.z@MM(Virus)
Microsoft Win32/Bagle.W@mm
NOD32 (ESET) Win32/Bagle.X
Panda W32/Bagle.AA.worm
Rising Antivirus Worm.Mail.Bagle.md
Sophos W32/Bagle-W
Trend Micro WORM_BAGLE.X
VirusBuster I-Worm.Bagle.Y

organization naming
Wildlist W32/Bagle.Z-mm

Installation

Some worms perform a visible action while installing. This usually serves to draw the user's attention away from what is really happening and, because it requires user interaction (pressing a button or clicking the mouse), it also hinders automated execution in virtual analysis environments where nothing clicks. The worm displays the following window while installing its code:

[screenshot: window displayed during installation]

The purpose of a worm spreading over the Internet or a local network is to infect further computers. Once on a machine, the malware modifies the system so that its code is launched again after a reboot: it usually drops files into system directories and adds registry entries that make the operating system execute them at start-up. It may also create files elsewhere in the file system, including AUTORUN.INF files in the root directory of drives; with the default Windows settings these cause the malware to be executed as soon as the user opens the root directory of that drive.

The worm creates the following files:

In the Windows System32 folder (default: C:\Windows\System32):

  • drvsys.exe
  • drvsys.exeopen
  • drvsys.exeopenopen

In shared folders:

  • ACDSee 9.exe
  • Adobe Photoshop 9 full.exe
  • Ahead Nero 7.exe
  • KAV 5.0
  • Kaspersky Antivirus 5.0
  • more...


Win32/Bagle.X creates the following registry entries (or modifies them if they already exist):

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "drvsys.exe"="C:\WINDOWS\System32\drvsys.exe"
  • [HKEY_USERS\S-1-5-21-1060284298-1770027372-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run] "drvsys.exe"="C:\WINDOWS\System32\drvsys.exe"

The second entry is the same value seen through HKEY_USERS: HKEY_CURRENT_USER is an alias for the logged-on user's subtree, and the SID shown is that of the user on the analysis machine, so it will differ on other systems.
Worms also interfere with competing malware: by deleting the start-up registry entries of rival families they prevent that code from running alongside their own.

Win32/Bagle.X worm deletes the following entries from the registry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "9XHtProtect"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Antivirus"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "EasyAV"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "FirewallSvr"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "HtProtect"
  • more...


Worms commonly terminate the processes of antivirus and firewall products. This lets the malware survive on the system longer and, where the worm carries a backdoor component, lets that component operate unhindered. Malware may also reroute Internet traffic so that certain web sites (such as antivirus update pages) become unreachable.

Win32/Bagle.X worm stops the following processes:

  • NMAIN.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • more...

E-mail messages

An e-mail worm spreads by composing messages and sending them to as many addresses as it can. The message usually carries the worm's code as an attachment, though some worms send only a link and rely on the recipient to download the code. The messages are assembled from a set of variable elements (sender, recipients, subject, attachment), described below.

To spread, Win32/Bagle.X composes plain ANSI-encoded e-mail messages that carry its own code.

To spread further, e-mail worms use the infected computer not only to send their code but also to harvest e-mail addresses from it. The harvested addresses serve both as recipients and as forged sender addresses, so the apparent sender of an infected message is not its actual source.

Win32/Bagle.X harvests e-mail addresses from files with one of the following extensions:

The characteristics of the e-mail messages are the following:

Sender

The sender address is forged: it is chosen from the addresses harvested on the infected computer(s).

Addressee

The worm sends the messages to the harvested addresses.

The worm does not send infected email messages to the addresses containing one of the following strings:

  • @avp.
  • @foo
  • @hotmail
  • @iana
  • @messagelab
  • more...

Subject

The potential subjects of the infected e-mail messages are the following:

  • Forum notify
  • Hello!
  • Hey!
  • Hidden message
  • I just need a friend
  • more...

Attachment

The attachment of the e-mail message sent by the worm can take several forms.

Either one of the following fixed file names:

  • image12.jpeg
  • me2.jpeg
  • me3.jpeg
  • myphoto4.jpeg
  • myphoto7.jpeg
  • photo.jpeg

or a name chosen from the following list:

  • Details
  • Document
  • Info
  • Information
  • Message
  • MoreInfo
  • Readme

combined with one of the following extensions:

  • com
  • cpl
  • exe
  • hta
  • scr
  • vbs
  • zip



Icon of the attachment that carries the worm (in some e-mail clients the icon is not displayed correctly):
[icon image]
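The subject, attachment-name and extension lists above are enough to write a mail-gateway rule for this message pattern. The following is an added example, not code from the original page or from any antivirus vendor: it encodes only the items reproduced on the page (whatever sits behind "more..." is not known here), models the worm's own recipient-exclusion rule as well, and builds its sample messages inline, so no real capture is involved.

```python
"""Mail-gateway check for the Bagle.X message pattern described above.

Added example, not code from the original page. It encodes only the
subjects, attachment names, extensions and recipient exclusions reproduced
on the page (the items hidden behind "more..." are not known here); the
sample messages are constructed for the demonstration.
"""
import os
from email import message_from_string
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY

SUBJECTS = {"Forum notify", "Hello!", "Hey!", "Hidden message",
            "I just need a friend"}
FIXED_NAMES = {"image12.jpeg", "me2.jpeg", "me3.jpeg", "myphoto4.jpeg",
               "myphoto7.jpeg", "photo.jpeg"}
BASENAMES = {"Details", "Document", "Info", "Information", "Message",
             "MoreInfo", "Readme"}
EXTENSIONS = {"com", "cpl", "exe", "hta", "scr", "vbs", "zip"}
# Substrings of recipient addresses the worm refuses to mail (page list, truncated).
SKIP_RECIPIENT = ("@avp.", "@foo", "@hotmail", "@iana", "@messagelab")


def worm_would_skip(addr):
    """Worm-side rule: True if a harvested address would not be targeted."""
    a = addr.lower()
    return any(s in a for s in SKIP_RECIPIENT)


def attachment_is_bagle_style(filename):
    """True if the attachment name is one the worm is known to use:
    a fixed .jpeg-looking name, or <name from list>.<ext from list>."""
    name = os.path.basename(filename)
    if name.lower() in {n.lower() for n in FIXED_NAMES}:
        return True
    base, _, ext = name.rpartition(".")
    return base in BASENAMES and ext.lower() in EXTENSIONS


def analyze(raw_message):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=DEFAULT_POLICY)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        fn = part.get_filename()
        if fn and attachment_is_bagle_style(fn):
            hits.append("attachment:" + fn)
    return hits


def is_suspect(raw_message):
    """Verdict: a listed attachment name plus a listed subject, or a listed
    name with an executable/archive extension on its own. A bare photo.jpeg
    under an unlisted subject is deliberately not enough."""
    hits = analyze(raw_message)
    attachments = [h.split(":", 1)[1] for h in hits if h.startswith("attachment:")]
    if not attachments:
        return False
    if any(h.startswith("subject:") for h in hits):
        return True
    return any(a.rsplit(".", 1)[-1].lower() in EXTENSIONS for a in attachments)


def build_sample(sender, recipient, subject, filename):
    """Construct a small MIME message shaped like the worm's mail (test input,
    not a real capture; the attachment body is a placeholder, not malware)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, recipient, subject
    m.set_content("See the attached file.")
    m.add_attachment(b"placeholder bytes, not a real binary",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, fn in [("Hello!", "Details.exe"), ("Hidden message", "photo.jpeg"),
                     ("Quarterly report", "report.pdf")]:
        raw = build_sample("alice@example.org", "bob@example.net", subj, fn)
        print(f"{subj!r:20} {fn:12} suspect={is_suspect(raw)} hits={analyze(raw)}")
```

The verdict deliberately needs two weak indicators (a jpeg-style name plus a listed subject) but accepts a single strong one (a listed name with an executable or archive extension), since photo.jpeg alone is far too common in legitimate mail to quarantine on.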

Attacks on the Internet

Worms can also reach out to other computers on the Internet, whether to attack them and disrupt their use or to fetch additional code from them.

The worm attempts to download and execute code from the following addresses. Note that these are well-known legitimate hosts (only the host part is reproduced here), so outbound HTTP requests to them are not by themselves an indicator of infection:

  • http://www.spiegel.de
  • http://www.leipziger-messe.de
  • http://www.mobile.de
  • http://www.neformal.de
  • http://www.avh.de
  • more...

Backdoor

Worms increasingly open a backdoor on the infected computer, giving the attacker full control of the machine: running or stopping programs, uploading or downloading files, and stealing passwords and access codes.

Win32/Bagle.X opens a backdoor that listens on TCP port 2535.
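The host indicators given in the Installation section (the drvsys.exe Run values and the three dropped files in System32) and the backdoor port above can be checked offline against artefacts collected from a suspect machine. The following is an added example, not code from the original page: it parses text in the shape produced by `reg export` of the Run keys, `netstat -ano` and a directory listing of System32, and the inputs embedded below are constructed for the demonstration rather than taken from a real infection.

```python
"""Offline triage of the host indicators listed for Win32/Bagle.X.

Added example, not from the original page. The registry paths, file names
and port come from the description above; the sample inputs are
constructed and imitate the output of 'reg export', 'netstat -ano' and a
directory listing. Run on a Windows box, the same functions can be fed the
real command output instead.
"""
import re

DROPPED_FILES = {"drvsys.exe", "drvsys.exeopen", "drvsys.exeopenopen"}
BACKDOOR_PORT = 2535
# Matches the Run key under HKEY_CURRENT_USER as well as HKEY_USERS\<SID>.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_\S+?\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text):
    """Return {(key, value_name): data} for every value under a
    ...\\CurrentVersion\\Run key in .reg-file text. .reg files double
    backslashes inside string data; that escaping is undone here."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries[(current, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries


def bagle_run_entries(entries):
    """Run values whose data launches drvsys.exe from the System32 folder."""
    return {k: v for k, v in entries.items()
            if v.lower().endswith("\\system32\\drvsys.exe")}


def backdoor_listeners(netstat_text):
    """PIDs of TCP sockets in LISTENING state on the backdoor port,
    from 'netstat -ano' output (IPv4 and [::]-style IPv6 addresses)."""
    pids = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                pids.append(int(f[4]))
    return pids


def dropped_files_present(system32_listing):
    """Names from the dropped-file set found in a System32 directory listing."""
    return sorted(n.lower() for n in system32_listing if n.lower() in DROPPED_FILES)


def triage(reg_text, netstat_text, system32_listing):
    return {"run_entries": bagle_run_entries(parse_run_values(reg_text)),
            "backdoor_pids": backdoor_listeners(netstat_text),
            "dropped_files": dropped_files_present(system32_listing)}


# Constructed sample inputs (not from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drvsys.exe"="C:\\WINDOWS\\System32\\drvsys.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\tools\\cleanup.exe"
'''
SAMPLE_NETSTAT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:2535           0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.5:1043       10.0.0.7:25            ESTABLISHED     1544
  UDP    0.0.0.0:445            *:*                                    4
'''
SAMPLE_LISTING = ["kernel32.dll", "drvsys.exe", "drvsys.exeopen",
                  "DRVSYS.EXEOPENOPEN", "ctfmon.exe"]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_LISTING).items():
        print(f"{k}: {v}")
```

A hit on the Run value alone is the most reliable of the three: the listener is only present while the worm is running and the dropped files may already have been cleaned, whereas the Run value survives until something removes it. A process with an ESTABLISHED outbound connection to port 25 alongside the listener (as in the constructed sample) is the mass-mailing side of the same worm.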