W32/Bagle.CX is an email worm. The worm will infect Windows systems and spreads through email.

The subject of the infected mail will be:

New 2006
New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year

The body of the infected mail will be any one of the following:

The password is
Password:

The infected attachment will be any one of the following;

Wynnefreede.zip
Wynefreed.zip
Wynefrede.zip
Winifred.zip
William.zip
Valentyne.zip
Thomas.zip
Syndony.zip
Sybyll.zip
Sybell.zip
Suzanna.zip
Susanna.zip
Susanna.zip
Susan.zip
Stephen.zip
Sindony.zip
Sidney.zip
Sara.zip
Samuell.zip
Rycharde.zip
Rose.zip
Roger.zip
Roberte.zip
Robert.zip
Richarde.zip
Richard.zip
Rebecka.zip
Ralph.zip
Peter.zip
Nycholas.zip
Nicholaus.zip
Nicholas.zip
Nathanyell.zip
Nathaniell.zip
Nathaniel.zip
Mychaell.zip
Michael.zip
Marye.zip
Mary.zip
Martha.zip
Marie.zip
Margrett.zip
Margret.zip
Margerye.zip
Margerie.zip
Margarett.zip
Margaret.zip
Leonarde.zip
Leonard.zip
Katheryne.zip
Katherine.zip
Judithe.zip
Judith.zip
Judeth.zip
Josias.zip
John.zip
John.zip
Johen.zip
Joane.zip
Jeffrye.zip
Jeffrey.zip
Jeames.zip
Jane.zip
James.zip
Isabell.zip
Isabel.zip
Humphrie.zip
Humphrey.zip
Hughe.zip
Henrye.zip
Henry.zip
Henrie.zip
Harrye.zip
Harry.zip
Grace.zip
George.zip
Geoffraie.zip
Gabriell.zip
Fraunces.zip
Francis.zip
Francis.zip
Frances.zip
Ester.zip
Emanuell.zip
Emanuel.zip
Emanual.zip
Ellyn.zip
Ellen.zip
Elizabethe.zip
Elizabeth.zip
Edwarde.zip
Edward.zip
Edmund.zip
Edmonde.zip
Edmond.zip
Dorothy.zip
Dorothee.zip
Dorithie.zip
Danyell.zip
Daniel.zip
Daniel.zip
Cybil.zip
Constance.zip
Christian.zip
Christean.zip
Bennett.zip
Bennet.zip
Avis.zip
Avice.zip
Anthonye.zip
Anthony.zip
Anthonie.zip
Annes.zip
Anne.zip
Anna.zip
Ann.zip
Androwe.zip
Androw.zip
Andrew.zip
Alyce.zip
Alice.zip
Ales.zip

The attached zip file contains a copy of W32/Bagle.CX Trojan.

Upon execution of the infected attachment, the worm copies itself as WIND2LL2.EXE in the Windows system folder.

The worm creates the registry entries at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

It also creates several mutex to ensure only one instance of the worm is running. It also terminates some variants of W32/Netsky.

AdmSkynetJklS003
____--->>>>U<<<<--____
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

The worm also tries to terminate the processes of security related softwares.

This worm first appeared on December 15, 2005. .

 Other names of W32/Bagle.CX Worm:

This Worm is also known as W32.Beagle.CX@mm, WORM_BAGLE.CD .