Win32/Bagif [Threat Name]

Win32/Bagif.A [Threat Variant Name]

Category: virus
Aliases: Worm.Win32.Bagif.a (Kaspersky)
         W32/Bagif.gen.virus (McAfee)
         W32.Bagif (Symantec)
Short description

Win32/Bagif.A is a polymorphic file infector.

Installation

When executed, the virus creates the following files:

  • %temp%\backup.gif
  • %system%\ntloader.exe
  • %startup%\win32s.exe

The following Registry entry is set:

  • [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    • "(Default)" = "%system%\ntloader.exe "%1" %*"

Executable file infection

Win32/Bagif.A is a polymorphic file infector.

The virus searches for executables with one of the following extensions:

  • .exe
  • .scr

It avoids those with any of the following strings in their names:

  • EXPL
  • HL
  • UNRE

The virus uses the EPO (Entry Point Obscuring) infection technique.

The virus code is invoked when the infected executable calls one of the following API functions:

  • ExitProcess (Kernel32.dll)

Spreading

The virus tries to copy itself into shared folders of machines on a local network.

It tries to copy itself into the following folders on a remote machine:

  • WINDOWS
  • WINNT
  • WIN95
  • WIN98
  • WINME
  • WIN2000
  • WIN2K
  • WINXP

The following filename is used:

  • tsoc32.exe

Other information

The virus contains the following text:

  • HI CHUNK OF SHIT !
  • IT'S ME
  • SUPRA VIRUS
  • BY GRIFIN
  • I HATE SCHOOL & USA
  • KILL 'EM ALL
