Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement



Process Name  : winupd.exe

Process Path : %SYSTEM%\winupd.exe [ C:\Windows\System32\winupd.exe]

Process type    : Internet Worm

Malware Name : W32.Bagle.M@mm

Alias             : I-Worm/Bagle.N, W32/Bagle.N@MM , Bagle.N, W32/Bagle-N,  WORM_BAGLE.N 

Threat level : Low

Process Details :

                    Winupd.exe is the main component dropped by Bagle.N. It is a mass mailing worm, uses e-mail addresses collected from .wab, .txt, .htm, .html, .wab, .txt, .msg, .htm, .xml, .dbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .adb, .tbb, .sht, .uin, and .cgi files to distribute infected messages. Bagle worm arrives as an e-mail attachment. The infected attachment will be a password protected ZIP file or an executable file with PIF extension. 

The infected mail from address will be one of the following

management@< domain name >
administration@< domain name > 
staff@< domain name >
noreply@< domain name > 
support@< domain name > 

The infected mail subject will be one of the following

E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
Notify about your e-mail account utilization.
E-mail account disabling warning. 

The infected mail message body will contain one of the following

"Our main mailing server will be temporary unavaible for next two days, 
to continue receiving mail in these days you have to configure our free
auto-forwarding service."

"Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information."

"We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions."

"Our antivirus software has detected a large ammount of viruses outgoing  from your email account, you may use our free anti-virus tool to clean up your computer software."

"Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions."

                     When the worm file is executed, it copies itself to Windows system folder as "winupd.exe" in the background. It also copies itself as winupd.exeopen, winupd.exeopenopen.  W32.Beagle.N@mm modifies registry run section to load automatically on the next startup. The registry modification is given below.

"winupd.exe"= %SYSTEM%\winupd.exe

[ By default, %SYSTEM% will be C:\Windows\System in case of Windows 95/98/ME, C:\Winnt\System32 in case of Windows NT/2000 and C:\Windows\System32 in case of Windows XP ]

                    Bagle.N searches C to Z drives and copies itself to folders containing the string "share" or "sharing". This string search allows the worm to spread using file sharing networks like KaZaA and imesh. The worm uses following files names from the list

Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe Serials.txt.exe
Windown Longhorn Beta Leak.exe Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe

                    Bagle.N worm uses its own SMTP engine to send infected messages. The worm tries to terminate security programs in the infected system. Bagle.K contains backdoor abilities and it opens TCP port 2556. It allows hackers to upload files in the infected computer. Bagle.N worm appeared on 15th March 2004.

How can I protect my system?

                   Solo has incorporated winupd.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this Worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

                   If you are already infected with winupd.exe process, you can remove it from your computer using Solo Antivirus software. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link