|Bagle.z is an Internet worm spreading as an infected email attachment.
Infected message characteristics:
Sender address: random
Subject and attachment name are one from the predefined list.
.exe .com .scr and .cpl binary code file
There is a wide range of possible message texts.
The message may contain a VBS script; if this is launched by the user, it exploits a Microsoft Internet Explorer vulnerability (Microsoft Security Bulletin MS03-040) which makes it possible to download the executable worm file via the Internet from several dozen infected web sites.
It copies itself to the Windows system directory under the name "drvsys.exe",
and registers this file in the system registry autorun key:
"drvddll.exe" = "%system%\drvddll.exe"
It seraches for and deletes some keys in the system registry related with Firewall or Antivirus programs.
The worm also attempts to connect to a range of remote sites, and to save information about the victim computer on these sites.
The worm searches the computer for files with some extensions and sends itself to all email addresses found in these files.
It uses its own SMTP-server to send messages.
The worm searches the computer for folders where the name contains the word 'shar' and copies itself several times to each folder found, under the names of popular applications, such as ACDSee 9.exe, Adobe Photoshop 9 full.exe, Ahead Nero 7.exe etc.
The worm opens port 2535 and tracks port activity.
The backdoor function makes it possible to remotely execute commands and download files to the victim machine.
The worm attempts to combat antivirus programs and firewalls by terminating required memory processes.
Use antivirus (also check How To Remove section)Startup Optimizer to remove this worm from startup.