http://www.f-secure.com/tools/f-bagle.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt
http://www.f-secure.com/tools/f-bagle.txt
System administrators who use F-Secure Policy Manager can
distribute the tool automatically to all workstations as a JAR
package.
System administrators can download the JAR version from:
http://www.f-secure.com/tools/f-bagle.jar
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.jar
Upon execution the worm copies itself to:
[CSIDL_SYSTEM]\sysformat.exe
and adds a registry value pointing to that location, so that the
copy is started at every logon:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"sysformat" = [CSIDL_SYSTEM]\sysformat.exe
To avoid installing itself more than once, the worm creates the
following mutexes and checks for their existence:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
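As an added example (not F-Secure's disinfection tool and not code from this description), the following Python script checks a host for the artifacts listed above: the dropped file, the Run value and the two mutexes. It assumes that CSIDL_SYSTEM resolves to %SystemRoot%\System32 and that it runs in the same session as the infected process. The registry and mutex checks need Windows; the Run-value matching is a pure function that can be exercised on any platform.

```python
"""Host check for the Bagle.AX persistence artifacts listed above:
the dropped file, the Run value and the two mutexes.  Added example,
not F-Secure's tool; the live checks need Windows."""
import ctypes
import ntpath
import os
import sys

# Indicators taken from the description above.
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "sysformat"
DROPPED_FILE = "sysformat.exe"
MUTEX_NAMES = (
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
)


def _command_image(data):
    """Return the executable path from a Run value's command string,
    tolerating a quoted path and trailing arguments."""
    command = str(data).strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_values(run_values):
    """Filter (name, data) pairs read from the Run key down to those that
    match the Bagle.AX value name or the dropped file name, ignoring case."""
    hits = []
    for name, data in run_values:
        image = ntpath.basename(_command_image(data)).lower()
        if name.lower() == RUN_VALUE_NAME or image == DROPPED_FILE:
            hits.append((name, data))
    return hits


def read_run_values():
    """Enumerate the values of HKLM\\...\\Run (Windows only)."""
    import winreg
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, data))
            index += 1
    return values


def mutex_exists(name):
    """True if a mutex of that name exists in the caller's session
    namespace (Windows only).  OpenMutexW returns a handle when the
    object exists; ERROR_ACCESS_DENIED (5) also proves it exists, while
    ERROR_FILE_NOT_FOUND (2) means it does not."""
    SYNCHRONIZE, ERROR_ACCESS_DENIED = 0x00100000, 5
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    kernel32.CloseHandle.argtypes = (ctypes.c_void_p,)
    handle = kernel32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def host_check():
    """Run the live checks.  Returns None when not on Windows.  Assumes
    CSIDL_SYSTEM resolves to %SystemRoot%\\System32."""
    if sys.platform != "win32":
        return None
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return {
        "dropped_file": os.path.exists(os.path.join(system_dir, DROPPED_FILE)),
        "run_values": suspicious_run_values(read_run_values()),
        "mutexes": [m for m in MUTEX_NAMES if mutex_exists(m)],
    }


if __name__ == "__main__":
    print(host_check() or "not a Windows host; live checks skipped")
```

A positive mutex result is the cheapest signal that the worm is currently running, because the mutex disappears once the process is gone, whereas the file and the Run value survive a reboot. Run the script from the same session as the logged-on user; the names carry no "Global\" prefix, so they are looked up in the session-local namespace.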
Bagle.AX attempts to disable security software that it finds active
on the system: it walks the following list and terminates every
listed process it finds running:
mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe
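The kill list above is also a detection opportunity: a healthy host does not see several of these processes exit within seconds of each other. The following Python script, an added example rather than F-Secure's code, scans process-exit events for such bursts. The log lines are constructed for the demo and modelled on the Security log "process has exited" event (ID 593 on Windows XP/2003, 4689 on later versions), flattened to an assumed one-line format of timestamp, event ID and image path.

```python
"""Detect a burst of security-product processes exiting, the effect of
the process-termination list above.  Added example, not F-Secure's
code; the sample log is constructed for the demo."""
import ntpath
import re
from datetime import datetime, timedelta

# Kill list from the description above, lower-cased and de-duplicated.
KILL_LIST = {name.lower() for name in """
mcagent.exe mcvsshld.exe mcshield.exe mcvsescn.exe mcvsrte.exe DefWatch.exe
Rtvscan.exe ccEvtMgr.exe NISUM.EXE ccPxySvc.exe navapsvc.exe NPROTECT.EXE
nopdb.exe ccApp.exe Avsynmgr.exe VsStat.exe Vshwin32.exe alogserv.exe
RuLaunch.exe Avconsol.exe PavFires.exe FIREWALL.EXE ATUPDATER.EXE LUALL.EXE
DRWEBUPW.EXE AUTODOWN.EXE NUPGRADE.EXE OUTPOST.EXE ICSSUPPNT.EXE ICSUPP95.EXE
ESCANH95.EXE AVXQUAR.EXE ESCANHNT.EXE AUPDATE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE
AVWUPD32.EXE AVPUPD.EXE CFIAUDIT.EXE UPDATE.EXE MCUPDATE.EXE pavsrv50.exe
AVENGINE.EXE APVXDWIN.EXE pavProxy.exe navapw32.exe ccProxy.exe SAVScan.exe
SNDSrvc.exe symlcsvc.exe LUCOMS~1.EXE blackd.exe bawindo.exe
FrameworkService.exe VsTskMgr.exe SHSTAT.EXE UpdaterUI.exe
""".split()}

# Process-exit event IDs: 593 (Windows XP/2003), 4689 (Vista and later).
EXIT_EVENT_IDS = {"593", "4689"}
# Assumed flattened line format: "<ISO-8601 UTC time> <event id> <image path>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+(?P<image>.+)$")

# Constructed sample: four kill-list processes exit within two seconds,
# then one unrelated exit of ccApp.exe over an hour later.
SAMPLE_LOG = r"""
2005-01-26T10:15:00Z 593 C:\WINDOWS\system32\svchost.exe
2005-01-26T10:15:02Z 593 C:\Program Files\Network Associates\VirusScan\mcshield.exe
2005-01-26T10:15:02Z 593 C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
2005-01-26T10:15:03Z 593 C:\Program Files\McAfee.com\Agent\mcagent.exe
2005-01-26T10:15:03Z 593 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2005-01-26T10:15:04Z 593 C:\WINDOWS\system32\notepad.exe
2005-01-26T11:40:00Z 593 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"""


def parse_exit_events(text):
    """Return (timestamp, lower-cased image basename) for each exit event."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m or m.group("eid") not in EXIT_EVENT_IDS:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, ntpath.basename(m.group("image")).lower()))
    return events


def find_kill_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Report each window in which at least `threshold` distinct kill-list
    processes exited.  After a burst the scan resumes past its window so
    overlapping windows do not produce duplicate alerts."""
    hits = sorted((ts, name) for ts, name in events if name in KILL_LIST)
    bursts = []
    i = 0
    while i < len(hits):
        start = hits[i][0]
        j = i
        while j < len(hits) and hits[j][0] - start <= window:
            j += 1
        names = sorted({name for _, name in hits[i:j]})
        if len(names) >= threshold:
            bursts.append((start, names))
            i = j
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, names in find_kill_bursts(parse_exit_events(SAMPLE_LOG)):
        print(f"{start:%Y-%m-%d %H:%M:%S}: {len(names)} security processes exited: {', '.join(names)}")
```

Process-exit auditing must be enabled for these events to exist at all. Generic names on the list such as UPDATE.EXE and FIREWALL.EXE will match unrelated software, which is why the rule counts distinct names inside a short window instead of alerting on a single exit; LUCOMS~1.EXE is an 8.3 short name and the log will usually show the long form, so that entry rarely matches as written.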
To reach the shared folders of popular P2P applications, the worm
copies itself into any folder whose name contains the string 'shar',
using file names such as:
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
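The following Python sweep, an added example and not F-Secure's tool, applies the rule above the way a responder would: walk the disk, pick out folders whose name contains 'shar', and report files carrying one of the lure names. The directory tree it scans is constructed for the demo; on a real host you would point it at every fixed drive.

```python
"""Sweep for the P2P lure copies described above: files with one of the
lure names inside any folder whose name contains 'shar'.  Added
example, not F-Secure's tool; the sample tree is constructed."""
import os
import tempfile

# Lure names from the description above, lower-cased for matching.
LURE_NAMES = {name.lower() for name in (
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "ACDSee 9.exe",
)}


def share_folders(root):
    """Yield (dirpath, filenames) for every directory under root whose own
    name contains 'shar', ignoring case ("Shared", "shared", ...)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" in os.path.basename(dirpath).lower():
            yield dirpath, filenames


def scan_for_lures(root):
    """Return the full paths of lure-named files found in share folders."""
    findings = []
    for dirpath, filenames in share_folders(root):
        for filename in filenames:
            if filename.lower() in LURE_NAMES:
                findings.append(os.path.join(dirpath, filename))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed demo tree: a P2P share folder holding one lure and one
    benign file, plus a lure-named file outside any share folder."""
    share = os.path.join(root, "KaZaA", "My Shared Folder")
    docs = os.path.join(root, "Documents")
    os.makedirs(share)
    os.makedirs(docs)
    for name in ("Opera 8 New!.exe", "holiday.jpg"):
        open(os.path.join(share, name), "wb").close()
    # Same lure name but outside a 'shar' folder: not one of the drops the
    # description covers, so the sweep deliberately does not report it.
    open(os.path.join(docs, "ACDSee 9.exe"), "wb").close()
    return root


def run_demo():
    """Build the sample tree in a temporary directory and sweep it."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="bagle-demo-"))
    return scan_for_lures(root)


if __name__ == "__main__":
    for path in run_demo():
        print("lure copy:", path)
```

Every dropped copy is the same executable as [CSIDL_SYSTEM]\sysformat.exe, so once that file has been recovered, hashing candidates against it is a stronger check than the file name alone and also catches copies the worm placed under a name not in the list above.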
For general information on Bagle variants, please see the
description of Bagle.Z:
http://www.f-secure.com/v-descs/bagle_z.shtml
Email Spreading
Bagle.AX is an email worm that locates emails from the local hard
drive and then sends itself to those addresses with messages
looking like error messages such as follows.
Subjects chosen from:
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Bodies are chosen from:
Thanks for use of our software.
Before use read the help
Attachment names are chosen from:
wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03
with one of the extensions .cpl, .exe, .com or .scr.
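As an added example (not F-Secure's code), the following Python gateway check turns the subjects, bodies and attachment names above into a filter over a raw message. The two messages it is run against are constructed for the demo, with a truncated dummy payload in place of the worm; the verdict scheme (block on an attachment match, review on subject or body alone) is an assumption of this example, not something the description prescribes.

```python
"""Mail-gateway check for the Bagle.AX message format described above.
Added example, not F-Secure's code; both sample messages are
constructed for the demo."""
import email
import os
from email import policy

# Strings from the description above, lower-cased for matching.
SUBJECTS = {s.lower() for s in (
    "Delivery service mail", "Delivery by mail", "Registration is accepted",
    "Is delivered mail", "You are made active",
)}
BODIES = {b.lower() for b in ("Thanks for use of our software.", "Before use read the help")}
ATTACHMENT_STEMS = {"wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "jol03"}
ATTACHMENT_EXTS = {".cpl", ".exe", ".com", ".scr"}


def attachment_names(msg):
    """Filenames of all parts that carry one (Content-Disposition or Content-Type)."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw):
    """Return {'verdict', 'reasons'} for a raw RFC 5322 message.

    A matching attachment name alone is enough to block, because lure
    subjects and bodies change between variants; subject or body matches
    without such an attachment are returned for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject: {subject!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if text in BODIES:
        reasons.append(f"body: {text!r}")
    attachment_hit = False
    for name in attachment_names(msg):
        stem, ext = os.path.splitext(name.lower())
        if stem in ATTACHMENT_STEMS and ext in ATTACHMENT_EXTS:
            reasons.append(f"attachment: {name}")
            attachment_hit = True
    verdict = "block" if attachment_hit else ("review" if reasons else "pass")
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample in the format described above; the base64 payload
# is a truncated dummy, not the worm.
SAMPLE_WORM_MESSAGE = b"""\
From: postmaster@example.net
To: user@example.org
Subject: Delivery service mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain; charset="us-ascii"

Thanks for use of our software.
--demo-boundary
Content-Type: application/octet-stream; name="upd02.exe"
Content-Disposition: attachment; filename="upd02.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--demo-boundary--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN_MESSAGE = b"""\
From: alice@example.org
To: bob@example.org
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Notes from today's meeting are on the wiki page.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_WORM_MESSAGE, SAMPLE_BENIGN_MESSAGE):
        print(classify(raw))
```

The attachment match is exact on the stems listed above; a gateway should in any case refuse .cpl, .exe, .com and .scr attachments outright, which covers later variants that change the names but not the extensions.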
Detection for Bagle.AX was published on January 26th, 2005 in the
following F-Secure Anti-Virus update:
[FSAV_Database_Version]
Version=2005-01-26_03
Write-Up:
Katrin Tocheva, January 26th, 2005;
Description Updated:
Ero Carrera, January 26th, 2005;
F-Secure Corporation