Path : %SYSTEM%\drvsys.exe [ C:\Windows\System32\drvsys.exe]
type : Internet
Name : W32.Bagle.W@mm
Alias : I-Worm/Bagle.W, W32/Bagle.Z@MM
, Bagle.Y, W32/Bagle-W, WORM_BAGLE.X
level : Low
is the main component dropped by Bagle.W. It is a
mass mailing worm, uses e-mail addresses
collected from .wab, .txt, .htm, .html, .wab, .txt,
.msg, .htm, .xml, .dbx, .mdx, .eml, .nch, .mmf, .ods,
.cfg, .asp, .php, .pl, .adb, .tbb, .sht, .uin,
and .cgi files to distribute infected messages.
worm arrives as an e-mail attachment. The
infected attachment will be a password protected
ZIP file or an executable file. Bagle.W worm will
send pictures with infected mails.
When the worm file is
executed, it copies itself to Windows system
folder as "drvsys.exe" in the
background and displays the message "Can't
find a viewer associated with the file.".
It also copies itself as drvsys.exeopen, drvsys.exeopenopen.
W32.Beagle.W@mm modifies registry run section to
load automatically on the next startup. The
registry modification is given below.
By default, %SYSTEM% will be C:\Windows\System in
case of Windows 95/98/ME, C:\Winnt\System32 in
case of Windows NT/2000 and C:\Windows\System32
in case of Windows XP ]
Bagle.W searches C to Z
drives and copies itself to folders containing
the string "share" or "sharing".
This string search allows the worm to spread
using file sharing networks like KaZaA and imesh.
The worm uses following files names from the list
Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr Porno, sex, oral, anal cool,
Porno pics arhive, xxx.exe Serials.txt.exe
Windown Longhorn Beta Leak.exe Windows Sourcecode
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Bagle.W worm uses its own
SMTP engine to send infected messages. The worm
tries to terminate security programs in the
infected system. Bagle.W contains backdoor
abilities and it opens TCP port 2535. It allows
hackers to upload files in the infected computer.
Bagle.W worm appeared on 26th April 2004.
How can I protect my
Solo has incorporated
drvsys.exe in its signature file to protect users
from this worm attack. Solo antivirus registered
users are already protected from this Worm. Make
sure that you have installed registered version
of Solo Antivirus to protect your system from all
to remove this Worm?
you are already infected with drvsys.exe process,
you can remove it from your computer using Solo
Antivirus software. Use the
following link to Download 30 day trial
version of Solo antivirus to remove
viruses from your computer.
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VB, Java scripts, Trojans,
Backdoors, boot sector, partition table and macro
purchase Solo antivirus using the link