Win32/Bagz is a family of mass-mailing worms that targets certain versions of Microsoft Windows. The worm spreads as an e-mail attachment and runs when the user opens the attachment. It can download and run other malicious files from a server.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
When Win32/Bagz runs, it can take the following actions:
Copy itself as a new file to <system folder> with a name such as tutorial.doc<multiple spaces>.exe or sqlssl.doc<multiple spaces>.exe.
Drop other files in <system folder> for various purposes. Examples include the following:
dl.exe, a component that can download other files from a server and run them.
syslogon.exe, a component for mass mailing.
tutorial.zip, an archive file used by the worm as an e-mail attachment. This file contains the executable file tutorial.doc<multiple spaces>.exe.
ipdb.dll and jobdb.dll, files used by the worm to store information such as IP addresses, e-mail addresses, and e-mail server information that the worm gathers from the infected computer.
Cause itself to run automatically each time Windows starts, in ways such as the following:
Create an entry under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Register itself as a service that has a misleading display name and description.
Disable security-related programs, in ways such as the following:
Disable the Windows firewall by running a command-line script.
Install its own network driver to bypass other local firewalls.
Overwrite the Windows system hosts file, <system folder>\drivers\etc\hosts, to prevent access to security-related Web sites.
Terminate processes and delete files and registry entries.
Send a copy of itself as an e-mail attachment to addresses found on the infected computer. The sender address is spoofed. The subject line and message body vary. The attachment may have a .zip extension, or a double extension such as tutorial.doc<multiple spaces>.exe, in which the run of spaces pushes the real .exe extension out of view so that the attachment appears to be a harmless document.
There may be no readily apparent indications that your computer is infected by Win32/Bagz. However, your computer may be infected by this worm if you detect any of the following symptoms:
The Windows firewall is disabled.
Other local firewalls are disabled.
Some security-related programs do not run normally.
The Windows system hosts file, <system folder>\drivers\etc\hosts, has been changed. This may block access to security-related Web sites.
Files such as the following are present in the Windows system folder:
tutorial.doc<multiple spaces>.exe
sqlssl.doc<multiple spaces>.exe
dl.exe
run32.exe
syslongon.exe
sysinfo32.exe
ipdb.dll
jobdb.dll
wdate.dll
tutorial.zip
ndisrd.sys
ndisapi.dll
<system folder>\drivers\ndisrd.sys
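The two things a practitioner can check mechanically from this description are the spacer double extension used by the attachment and the files and hosts-file changes listed under Symptoms. The script below is an added example, not code from Microsoft or from the Bagz description itself. It takes the indicator file names from the list above; the set of document-like and executable extensions, the "anything other than localhost is suspicious" rule for the hosts file, and the sample .zip and hosts text are this example's own assumptions and are constructed here so the script runs offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Indicator file names from the Symptoms list on this page. The two
# "<multiple spaces>" names are matched by the regex below instead.
BAGZ_FILENAMES = {
    "dl.exe", "run32.exe", "syslongon.exe", "sysinfo32.exe",
    "ipdb.dll", "jobdb.dll", "wdate.dll", "tutorial.zip",
    "ndisrd.sys", "ndisapi.dll",
}

# "tutorial.doc<multiple spaces>.exe": a document-looking stem, a run of
# whitespace that hides the real extension, then an executable extension.
# Assumption: the stem and executable extension lists are this example's
# choice, not a list taken from the page.
SPOOFED_NAME = re.compile(
    r"^(?P<stem>.+\.(?:doc|txt|pdf|jpg|xls))(?P<pad>\s+)\.(?P<ext>exe|scr|pif|com|bat|cmd)$",
    re.IGNORECASE,
)


def is_spoofed_double_extension(name: str) -> bool:
    """True for names like 'tutorial.doc        .exe' or 'sqlssl.doc   .exe'."""
    return SPOOFED_NAME.match(name) is not None


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Names inside a .zip attachment (like tutorial.zip) that use the spacer trick.
    Stand-in for a mail-gateway attachment check; runs on the raw archive bytes."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            member = info.filename.rsplit("/", 1)[-1]   # basename inside the archive
            if is_spoofed_double_extension(member):
                flagged.append(info.filename)
    return flagged


def hosts_file_anomalies(hosts_text: str) -> list:
    """(address, hostname) pairs in a hosts file that map anything other than
    localhost. Bagz overwrites the hosts file to block security-related sites,
    so any extra mapping on a machine that should not have one is worth a look."""
    anomalies = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        address, names = parts[0], parts[1:]
        for name in names:
            if name.lower() not in ("localhost", "localhost.localdomain"):
                anomalies.append((address, name))
    return anomalies


def scan_system_folder(system_folder) -> dict:
    """Look in a directory for the known indicator names and for any file whose
    name uses the spacer double extension."""
    hits = {"known_names": [], "spoofed_names": []}
    for p in Path(system_folder).iterdir():
        if not p.is_file():
            continue
        if p.name.lower() in BAGZ_FILENAMES:
            hits["known_names"].append(p.name)
        if is_spoofed_double_extension(p.name):
            hits["spoofed_names"].append(p.name)
    return hits


# Constructed sample input (not a real Bagz sample): an in-memory archive with
# one spacer-named member and one ordinary document.
SPOOFED_MEMBER = "tutorial.doc" + " " * 40 + ".exe"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr(SPOOFED_MEMBER, b"MZ\x90\x00 constructed stand-in, not executable content")
    _zf.writestr("notes.doc", b"ordinary document bytes")
SAMPLE_ZIP = _buf.getvalue()

# Constructed hosts file: the default localhost line plus two sinkholed
# vendor-style names (placeholder domains, not the sites Bagz actually blocked).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example.com   # constructed entry
127.0.0.1       www.av-vendor.example.com
"""

if __name__ == "__main__":
    print("zip members flagged:", suspicious_zip_members(SAMPLE_ZIP))
    print("hosts anomalies:", hosts_file_anomalies(SAMPLE_HOSTS))
    import os
    if os.name == "nt":   # on Windows, also look at the real system folder
        print(scan_system_folder(Path(os.environ["SystemRoot"]) / "System32"))
```

On a live Windows host the same checks are usually typed into PowerShell; the point of the regex is that the run of spaces is variable, so the indicator must be matched as a pattern rather than as a literal file name.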