Sophos

W32/Bagle-BK

Aliases
  • W32/Bagle.bk@MM
  • Email-Worm.Win32.Bagle.ay
  • WORM_BAGLE.AZ
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from March 2005 (3.91)
Protection available since 27 January 2005 19:21:48 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\<SID>\, where the SID is that user's security identifier (a string beginning S-1-5-). Only the hives of users who are currently logged on (plus .DEFAULT) are loaded under HKEY_USERS; to clean a user who is not logged on, either log on as that user or load the profile's NTUSER.DAT with 'reg load' first. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
sysformat
<Windows system folder>\sysformat.exe

and delete it if it exists.

Close the registry editor.
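The registry part of the procedure above, automated for every user hive that is loaded on the machine. This is an added example written for this page, not a Sophos tool: it exports HKEY_USERS as the backup (the backup location is an assumed default), then removes the 'sysformat' Run value only where it points at sysformat.exe, leaving anything unexpected for manual review.

```powershell
# Added example, not from the Sophos page: remove the W32/Bagle-BK "sysformat"
# Run value from every user hive currently loaded under HKEY_USERS, after
# exporting HKEY_USERS as a backup. Run from an elevated PowerShell prompt.
# Use -WhatIf to preview, -Verbose to see every hive examined.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed backup location; Regedit's Export writes the same .reg format.
    [string]$BackupPath = (Join-Path $env:TEMP 'Backup.reg')
)

$valueName = 'sysformat'
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

# Back up first, as the page advises. reg.exe exports one root at a time,
# so this covers HKEY_USERS, the only root the procedure below touches.
& reg.exe export HKU $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupPath failed; stopping." }

# Only the hives of logged-on users (plus .DEFAULT) are loaded here. A profile
# that is not loaded must be logged on, or mounted with 'reg load', to be cleaned.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $hives) {
    $sid    = $hive.PSChildName
    $runKey = "Registry::HKEY_USERS\$sid\$runSubKey"
    Write-Verbose "Checking $runKey"
    if (-not (Test-Path -Path $runKey)) { continue }

    $entry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $entry) { continue }

    $target = [string]$entry.$valueName
    Write-Host "[$sid] $valueName = $target"

    # Delete only when the value points at sysformat.exe, the path the page
    # documents; anything else is reported and left for manual review.
    if ($target -match '\\sysformat\.exe"?\s*$') {
        if ($PSCmdlet.ShouldProcess("$runKey\$valueName", 'Remove value')) {
            Remove-ItemProperty -Path $runKey -Name $valueName
            Write-Host '  removed'
        }
    } else {
        Write-Warning "  unexpected target for $valueName; not removed"
    }
}
```

Because the worm periodically re-creates this value while it is running (see More Information), run this only after the worm's process and files have been removed, for example after the Sophos clean-up or from Safe Mode; otherwise the value simply reappears.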

More Information

W32/Bagle-BK is an email and P2P worm.

W32/Bagle-BK will scan through an infected computer and send itself out as an email attachment to any email addresses found.

The dropper component of W32/Bagle-BK drops the main file to the Windows folder with the filename CJECTOR.EXE. The dropped component then copies itself to the Windows system folder with the filename SYSFORMAT.EXE. In order to run automatically each time a user logs in, W32/Bagle-BK periodically sets the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sysformat
<Windows system folder>\sysformat.exe

W32/Bagle-BK also copies itself to folders on the infected computer which contain the string "shar" in the name, copying itself with the following filenames:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
XXX hardcore images.exe

W32/Bagle-BK may also copy itself to the Windows system folder with the filenames SYSFORMAT.EXEOPEN and SYSFORMAT.EXEOPENOPEN.

W32/Bagle-BK attempts to delete entries in the registry located at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

which have the following value names, so as to disable other malware that uses them for persistence:

My AV
ICQ Net

W32/Bagle-BK attempts to disable the services named "SharedAccess" (Windows Firewall/Internet Connection Sharing) and "wscsvc" (Security Center). These are service names rather than display names. After cleaning an infected machine, check that both services have their normal start type restored and are running.

W32/Bagle-BK sets the following time-related registry entry:

HKCU\Software\Microsoft\Params\riga

W32/Bagle-BK attempts to download and execute a number of files from remote websites to RE_FILE.EXE in the Windows system folder. At the time of writing, these files were unavailable for download.
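A read-only sweep for the artefacts described in this section, as an added example for this page rather than anything published by Sophos. It checks the dropped files, the Run-key persistence in HKLM and every loaded user hive, the Params\riga entry, the state of the two services the worm disables, and the bait filenames in folders whose names contain "shar". Assumptions are marked in the comments: riga is read as a value under the Params key, and the file and value names are taken verbatim from the page.

```powershell
# Added example, not from the Sophos page: read-only sweep for the W32/Bagle-BK
# artefacts described above (files, persistence, the Params\riga value, the two
# services it disables, and P2P share copies). Nothing is modified. Requires
# PowerShell 4 or later (Get-FileHash) and an elevated prompt to read all hives.
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

$sys = [Environment]::SystemDirectory   # the page's <Windows system folder>
$win = $env:windir                      # the Windows folder
$userHives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

# 1. Dropped files: dropper, main component, its stray copies, download target.
$files = @((Join-Path $win 'CJECTOR.EXE'), (Join-Path $sys 'SYSFORMAT.EXE'),
           (Join-Path $sys 'SYSFORMAT.EXEOPEN'), (Join-Path $sys 'SYSFORMAT.EXEOPENOPEN'),
           (Join-Path $sys 'RE_FILE.EXE'))
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Add-Finding 'File' $f "SHA256=$hash"
    }
}

# 2. Persistence: the sysformat Run value in HKLM and every loaded user hive.
$roots = @('Registry::HKEY_LOCAL_MACHINE') + $userHives
foreach ($root in $roots) {
    $runKey = "$root\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    $run = Get-ItemProperty $runKey
    if ($run.PSObject.Properties['sysformat']) {
        Add-Finding 'RunValue' "$runKey\sysformat" $run.sysformat
    }
}

# 3. The time-stamp entry. The page writes it as HKCU\Software\Microsoft\Params\riga;
#    this reads riga as a value under the Params key (an assumption) and also
#    reports a Params key with no such value, so it can be reviewed by hand.
foreach ($root in $userHives) {
    $params = "$root\Software\Microsoft\Params"
    if (Test-Path $params) {
        $riga = (Get-ItemProperty $params).PSObject.Properties['riga']
        $detail = if ($riga) { "riga=$($riga.Value)" } else { 'key present, riga value absent' }
        Add-Finding 'Registry' $params $detail
    }
}

# 4. Services the worm disables: Windows Firewall/ICS and Security Center.
foreach ($name in 'SharedAccess', 'wscsvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    if ($svc.Status -ne 'Running' -or $mode -eq 'Disabled') {
        Add-Finding 'Service' $name "Status=$($svc.Status) StartMode=$mode"
    }
}

# 5. P2P spreading: the bait filenames in any folder whose name contains "shar".
#    Names are copied from the page, including its own spelling of "Windown".
$bait = @('1.exe','2.exe','3.exe','4.exe','5.scr','6.exe','7.exe','8.exe','9.exe','10.exe',
          'ACDSee 9.exe','Adobe Photoshop 9 full.exe','Ahead Nero 7.exe',
          'Matrix 3 Revolution English Subtitles.exe','Opera 8 New!.exe',
          'WinAmp 5 Pro Keygen Crack Update.exe','WinAmp 6 New!.exe',
          'Windown Longhorn Beta Leak.exe','XXX hardcore images.exe')
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } | ForEach-Object {
    Get-ChildItem -Path $_.Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'shar' } |
        ForEach-Object {
            foreach ($name in $bait) {
                $p = Join-Path $_.FullName $name
                if (Test-Path -LiteralPath $p -PathType Leaf) { Add-Finding 'P2PCopy' $p '' }
            }
        }
}

if ($findings.Count -eq 0) { Write-Host 'No W32/Bagle-BK indicators found.' }
$findings
```

Step 5 walks every fixed drive and is the slow part; on a large file server, point it at the shared folders instead. The hashes in step 1 are collected so that a hit can be compared against the vendor's sample rather than trusted on filename alone, since any program can be named sysformat.exe.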

W32/Bagle-BK attempts to send itself via email to addresses harvested from files found on the infected computer with the following extensions:

WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP

The emails have the following characteristics:

Subject line:

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Message text:

Thanks for use of our software.
Before use read the help

Attached filename:

wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03

Attachment extension:

EXE
SCR
COM
CPL

W32/Bagle-BK will not send itself to addresses containing the following strings:

@avp., @foo, @iana, @messagelab, @microsoft, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, f-secur, feste, free-av, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, news, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, update, winrar, winzip

W32/Bagle-BK attempts to terminate the following processes:

alogserv.exe, APVXDWIN.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, Avconsol.exe, AVENGINE.EXE, AVPUPD.EXE, Avsynmgr.exe, AVWUPD32.EXE, AVXQUAR.EXE, bawindo.exe, blackd.exe, ccApp.exe, ccEvtMgr.exe, ccProxy.exe, ccPxySvc.exe, CFIAUDIT.EXE, DefWatch.exe, DRWEBUPW.EXE, ESCANH95.EXE, ESCANHNT.EXE, FIREWALL.EXE, FrameworkService.exe, ICSSUPPNT.EXE, ICSUPP95.EXE, LUALL.EXE, LUCOMS~1.EXE, mcagent.exe, mcshield.exe, MCUPDATE.EXE, mcvsescn.exe, mcvsrte.exe, mcvsshld.exe, navapsvc.exe, navapw32.exe, NISUM.EXE, nopdb.exe, NPROTECT.EXE, NUPGRADE.EXE, OUTPOST.EXE, PavFires.exe, pavProxy.exe, pavsrv50.exe, Rtvscan.exe, RuLaunch.exe, SAVScan.exe, SHSTAT.EXE, SNDSrvc.exe, symlcsvc.exe, UPDATE.EXE, UpdaterUI.exe, Vshwin32.exe, VsStat.exe, VsTskMgr.exe

W32/Bagle-BK contains a backdoor that can be used to run executable files sent to the infected machine.

Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Bagle-BK (detected as W32/Bagle-Gen) since version 3.86.
