Welcome to the Virus Encyclopedia of Panda Security.
Bagle.AM carries out the following actions:
The EXE file hidden in the ZIP file creates the following files in the Windows system directory:
The EXE file downloaded from the websites creates the files WINDLL.EXE, WINDLL.EXEOPEN and WINDLL.EXEOPENOPEN in the Windows system directory. These files are copies of the worm, and are 19,460 bytes in size.
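As an added defender-side check (not part of the Panda entry), the following Python looks in the Windows system directory for the three dropped file names the description gives and reports whether each matches the stated 19,460-byte size. The System32 location and the constructed sample directory are assumptions for illustration and testing only.

```python
import os
import tempfile

# File names the description says the downloaded EXE drops in the Windows system directory
BAGLE_AM_FILES = {"windll.exe", "windll.exeopen", "windll.exeopenopen"}
BAGLE_AM_SIZE = 19460  # size in bytes stated for the worm copies


def system_dir():
    """Assumed location of the Windows system directory (System32 under SystemRoot)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32")


def scan_for_bagle_am(directory):
    """Return (name, size, size_matches) for every dropped-file name found in directory.

    Matching is case-insensitive; a name hit with a different size is still reported,
    since a repacked or padded copy would not match the size given in the description.
    """
    findings = []
    try:
        entries = os.listdir(directory)
    except OSError:  # directory missing or unreadable: nothing to report
        return findings
    for name in entries:
        if name.lower() in BAGLE_AM_FILES:
            path = os.path.join(directory, name)
            if os.path.isfile(path):
                size = os.path.getsize(path)
                findings.append((name, size, size == BAGLE_AM_SIZE))
    return sorted(findings)


def make_sample_dir():
    """Constructed sample directory: one exact-size hit, one wrong-size hit, one benign file."""
    d = tempfile.mkdtemp(prefix="bagle_am_sample_")
    with open(os.path.join(d, "WINDLL.EXE"), "wb") as f:
        f.write(b"\0" * BAGLE_AM_SIZE)
    with open(os.path.join(d, "WINDLL.EXEOPEN"), "wb") as f:
        f.write(b"\0" * 100)
    with open(os.path.join(d, "kernel32.dll"), "wb") as f:
        f.write(b"\0" * 10)
    return d


if __name__ == "__main__":
    for name, size, exact in scan_for_bagle_am(system_dir()):
        note = " (matches the 19,460-byte Bagle.AM copy)" if exact else ""
        print(f"{name}: {size} bytes{note}")
```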
The EXE file hidden in the ZIP file creates the following entries in the Windows Registry:
The EXE file downloaded from the Internet creates the following entries in the Windows Registry:
Bagle.AM deletes from the following paths in the Windows Registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
all the entries with any of the following names:
9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex
These entries belong to several variants of the worm Netsky.
Bagle.AM spreads via email and through peer-to-peer (P2P) file sharing programs.
1.- Transmission via email.
Bagle.AM follows the routine below:
2.- Transmission through P2P file sharing programs.
The fake JPG file downloaded from the Internet is compressed with modified PeX.