Bagle worm strikes again

Jan 28, 2005 15:48 GMT

One year after first revealing itself to the Internet and to inboxes all over the world, the Bagle worm strikes again with two new variants. Bagle.ax and Bagle.ay arrive disguised as e-mail delivery error messages and try to get the user to open them. Once run, they take down the machine's entire defense system, disabling numerous anti-virus and firewall products (including Windows XP SP2's Security Center), and open a password-protected back door that listens on port 81. That back door lets the worm's author connect to infected PCs and execute programs on them.

The Bagle variants are polymorphic worms which spread by email under a number of different headers such as:

- Delivery service mail
- Delivery by mail
- Registration is accepted
- Is delivered mail
- You are made active

The message body contains some sort of thank-you note for using some kind of software, or the line "Before use read the help". In some cases the text strings include "delivery service mail", "delivery by mail", "registration is accepted", "is delivered mail" and "you are made active".

Infected PCs will have the following files copied into the System folder:

- sysformat.exe
- sysformat.exeopen
- sysformat.exeopenopen

The attachment of an infected e-mail is an executable carrying a .com, .exe, .scr or .cpl extension. More information on how to remove this worm can be found at BitDefender or at Symantec.
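The indicators the article lists (the subject lines, the executable attachment extensions and the sysformat.* files in the System folder) can be turned into a simple triage rule for a mail gateway or a host check. The following Python script is an added example written for this page; it is not code from the article, BitDefender or Symantec. The subject strings, extensions and file names are taken from the article; the two sample messages, the function names (classify_message, infected_system_files) and the directory listing are constructed for illustration.

```python
"""Flag e-mails and System-folder listings that match the Bagle.ax/.ay indicators.

Added example, not part of the original article.  The indicator strings come
from the article; the sample messages and the directory listing below are
constructed for illustration.
"""
import email
from email import policy

# Subject lines the article lists for the Bagle.ax / Bagle.ay variants.
BAGLE_SUBJECTS = {
    "delivery service mail",
    "delivery by mail",
    "registration is accepted",
    "is delivered mail",
    "you are made active",
}

# Attachment extensions the article names; all of them execute directly on Windows.
BAGLE_EXTENSIONS = (".com", ".exe", ".scr", ".cpl")

# Files the article says an infected machine carries in the System folder.
BAGLE_SYSTEM_FILES = {"sysformat.exe", "sysformat.exeopen", "sysformat.exeopenopen"}


def attachment_names(msg):
    """Return the file name of every attachment part in a parsed message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify_message(raw):
    """Return the list of Bagle indicators matched by one raw RFC 822 message.

    An empty list means nothing matched.  Matching is case-insensitive because
    the worm's subject lines vary in capitalization.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in BAGLE_SUBJECTS:
        hits.append("subject:" + subject)
    for name in attachment_names(msg):
        if name.lower().endswith(BAGLE_EXTENSIONS):
            hits.append("attachment:" + name)
    return hits


def infected_system_files(listing):
    """Return the sysformat.* artifacts present in a System folder listing."""
    return sorted(n for n in listing if n.lower() in BAGLE_SYSTEM_FILES)


# Constructed sample shaped like the worm's lure (sender, body and payload are invented).
SAMPLE_BAGLE = """\
From: noreply@example.invalid
To: user@example.invalid
Subject: Delivery service mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thank you for using our software. Before use read the help.
--b1
Content-Type: application/octet-stream; name="message.scr"
Content-Disposition: attachment; filename="message.scr"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample of an ordinary message that must not be flagged.
SAMPLE_CLEAN = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch tomorrow?
Content-Type: text/plain

Noon at the usual place?
"""

if __name__ == "__main__":
    print(classify_message(SAMPLE_BAGLE))
    print(classify_message(SAMPLE_CLEAN))
    print(infected_system_files(["kernel32.dll", "SYSFORMAT.EXE", "sysformat.exeopen"]))
```

The subject match is exact rather than a substring search so that legitimate mail mentioning "delivery" is not quarantined; the attachment check, by contrast, is deliberately broad, since any directly executable attachment arriving with a bounce-style subject is worth holding for review regardless of which worm produced it.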