WORM_BAGZ.A

Discussion in 'malware problems & news' started by Randy_Bell, Oct 8, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    WORM_BAGZ.A is a memory-resident, mass-mailing worm which uses SMTP (Simple Mail Transfer Protocol) to propagate. It arrives as an attachment to an email with a spoofed From field and varying subjects, message bodies, and attachment file names. This non-destructive worm also drops multiple components in the Windows system folder upon execution. It runs on Windows 95, 98, ME, NT, 2000 and XP, and is currently spreading in-the-wild.

    Upon execution, this worm drops the following files in the Windows system folder:

    - DRIVERS\NDISRD.SYS
    - DL.EXE – downloads and executes a file from a remote site
    - IPDB.DLL
    - JOBDB.DLL
    - NDISAPI.DLL
    - NDISRD.SYS
    - SYSLOGIN.EXE – a mass-mailing component of this worm
    - TUTORIAL.DOC<numerous space characters>.EXE – a copy of this worm
    - TUTORIAL.ZIP – a .ZIP archive that contains the file TUTORIAL.DOC<numerous space characters>.EXE

    It also adds a registry entry that allows it to automatically execute at every system startup, and uses Simple Mail Transfer Protocol (SMTP) to send multiple copies of itself. It arrives on a system as an attachment to an email with the following details: {See the site tech-details for details of message body, subject, attachment}.

    If you would like to scan your computer for WORM_BAGZ.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_BAGZ.A is detected and cleaned by Trend Micro pattern file 2.189.04 and above.
     
    Last edited: Oct 9, 2004
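
An added example, not part of the original post or any vendor tooling: a Python check that flags the component names listed in the post and the TUTORIAL.DOC<numerous space characters>.EXE naming pattern in a directory listing or a set of attachment names. The executable-extension set, the two-character padding threshold and the sample listing are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Component names as listed in the post, relative to the Windows system folder.
BAGZ_FIXED_NAMES = {
    r"drivers\ndisrd.sys", "dl.exe", "ipdb.dll", "jobdb.dll",
    "ndisapi.dll", "ndisrd.sys", "syslogin.exe", "tutorial.zip",
}
# Assumption: final extensions treated as directly executable; extend as needed.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Shape: stem . decoy-extension <whitespace padding> . real-extension
# Assumption: two or more whitespace characters count as padding.
PADDED = re.compile(
    r"^(?P<stem>.+)\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s{2,})\.(?P<real>[A-Za-z0-9]{1,5})$"
)

def padded_double_extension(name):
    """Return (decoy, real, pad_len) when whitespace hides an executable extension, else None."""
    m = PADDED.match(PureWindowsPath(name).name)
    if m and m["real"].lower() in EXECUTABLE_EXTS:
        return m["decoy"].lower(), m["real"].lower(), len(m["pad"])
    return None

def scan_listing(relative_paths):
    """Return (path, reason) for each entry matching the post's file list or naming pattern."""
    hits = []
    for path in relative_paths:
        norm = path.replace("/", "\\").lower()
        padded = padded_double_extension(path)
        if norm in BAGZ_FIXED_NAMES:
            hits.append((path, "name listed in the post"))
        elif padded:
            decoy, real, pad = padded
            hits.append((path, f".{decoy} decoy, {pad} padding chars, real .{real}"))
    return hits

# Constructed sample listing (not taken from a real system).
SAMPLE = [
    "kernel32.dll", "DL.EXE", "drivers/ndisrd.sys",
    "TUTORIAL.DOC" + " " * 40 + ".EXE", "notes.doc", "setup.exe",
]

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE):
        print(f"{path!r}: {reason}")
```

A file-name match is only a lead for triage; confirm with a scanner or a hash comparison before treating a file as part of the worm.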