Aliases: Worm.Win32.Bagif.n, W32/Bagif, W32/Bagif-A, Worm:Win32/Bagif_10090.A, Worm.Win32.Bagif.C
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 19 Feb 2003
Damage: Low

Characteristics: The W32.Bagif worm’s main method of spreading is thru copying its code to shared network drives. It is also reported to contain a viral code that can easily infect files with the .scr and .exe extensions.

More details about W32.Bagif

The W32.Bagif worm is a polymorphic virus that makes use of entry-point disguising techniques to complicate detection. Its infection method is similar to the W32/Etap virus and it uses a polymorphic engine that is similar to that of the W95/[email protected] program. When the W32.Bagif worm infects a computer system, it copies itself to drives with folder names Windows, Winnt, Win95, Win98, WinME, Win2000, Win2K and WinXP. Once the worm has located a folder with one of the said names, it will copy itself there with the filename TSOC32.EXE and then add the run=TSOC32.EXE to the Win.ini file found in the remote system. Once the W32.Bagif worm is run, either from another file it has infected or directly from the TSCO32.EXE file, it will create the file C:\ Windows\ NTLOADER.EXE. The worm will also create a certain registry key so that when any executable file is run, the worm will also run. It will likewise create the WIN32S.Exe file in the Startup folder.

The infection routine of the W32.Bagif worm starts with the worm unpacking a component of its malicious code into a portion of stack memory. This portion will be used by the worm for control functions. The worm’s unpacked code will then try to find the Kernel32.dll and then retrieve the locations of the 2 API functions from the DLL file. It will then allot a piece of memory and decrypt the primary component of its virus code into that piece and then pass control onto it. The primary component of the virus code will then specify every local disk for files with the .scr and .exe extension to infect.