Type Mass mailer worm
Date Discovered 2004.10.04
Place of Origin
Source Language
Platform MS Windows
File Type(s) .exe, .dll, .zip
Infection Length 253,958 bytes
Reported Costs

Bagz is a family of mass mailer worms that appeared in the fall of 2004.


Bagz arrives in an email with a spoofed sender address. The subject line is one of 32 possible strings and the body is one of about 10 possible message texts. The attachment has one of 37 possible names: 19 of these carry a fake .doc extension followed by a run of spaces and then .exe (the padding pushes the real extension out of view in many mail clients), and the rest have a .zip extension.
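The padded double extension is the one part of this delivery that a mail gateway can recognise without a signature. The following added example (not code from the original page or from any product) parses a constructed MIME message with Python's standard `email` module and classifies each attachment name; the same `classify_attachment_name` check applies equally to the dropped file tutorial.doc[several spaces].exe in the system folder. The sample message, the executable-extension list and the verdict labels are assumptions made for the example.

```python
import email
import re

# Extensions Windows will execute. The worm hides one of these behind a run
# of spaces so that only the leading ".doc" is visible in a mail client.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# <name>.<decoy ext><one or more whitespace chars>.<real ext> at end of name
PADDED_DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>[a-z0-9]{1,5})\s+\.(?P<real>[a-z0-9]{1,4})$", re.IGNORECASE
)

# Constructed sample message (not a real Bagz capture). Line endings are
# plain "\n", which the stdlib parser accepts.
SAMPLE_MESSAGE = b"""From: spoofed.sender@example.com
To: victim@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed body
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="tutorial.doc      .exe"
Content-Transfer-Encoding: base64

TVo=
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

UEs=
--b1--
"""


def classify_attachment_name(name):
    """Return a verdict label for one attachment (or dropped-file) name."""
    m = PADDED_DOUBLE_EXT.search(name)
    if m and "." + m.group("real").lower() in EXECUTABLE_EXTENSIONS:
        return "padded-double-extension"
    lower = name.lower()
    if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return "executable"
    if lower.endswith(".zip"):
        return "archive"
    return "other"


def suspicious_attachments(raw_message):
    """Parse an RFC 822 message and list (filename, verdict) for every
    attachment whose name is not plainly harmless."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # unquotes the Content-Disposition value
        if not filename:
            continue
        verdict = classify_attachment_name(filename)
        if verdict != "other":
            findings.append((filename, verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in suspicious_attachments(SAMPLE_MESSAGE):
        print(f"{verdict:25s} {name!r}")
```

A gateway policy would typically quarantine the "padded-double-extension" and "executable" verdicts outright and route "archive" to content inspection, since a .zip name on its own is not evidence of anything.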

When executed, Bagz drops three files in the Windows system folder: syslogin.exe, dl.exe, and tutorial.doc[several spaces].exe. To ensure the worm runs every time Windows starts, it adds the value "syslogin.exe" = "syslogin.exe" to the local machine Run key.

Bagz then begins to compromise the system's security. It disables the Windows firewall and installs its own network driver to bypass any other local firewalls. It also downloads and executes remote files.

The worm then prepares to send its emails. Bagz creates the temporary files jobdb.dll, ipdb.dll, and wdate.dll in the system folder. It searches the system for files with the extensions .txt, .htm, .dbx, .tbi, and .tbb, extracts any email addresses from them and stores them in the temporary files, along with the IP address of the local computer and of the email gateway. It uses its own SMTP engine to send copies of itself.
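Because the worm carries its own SMTP engine, an infected host connects to many remote mail servers on port 25 directly instead of handing mail to the organisation's relay. The following added example (not from the original page) shows the network-side check a defender would run over flow logs: it parses constructed connection records, ignores traffic to the designated relay, and reports internal hosts that reach an unusual number of distinct SMTP servers. The log line format, the relay address and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed flow records in an assumed "timestamp src:port -> dst:port proto"
# format; these are not real captures.
SAMPLE_FLOW_LOG = """\
2004-10-04T12:00:01Z 10.0.0.5:1041 -> 10.0.0.2:25 TCP
2004-10-04T12:00:03Z 10.0.0.5:1042 -> 10.0.0.2:25 TCP
2004-10-04T12:00:05Z 10.0.0.7:1043 -> 203.0.113.10:25 TCP
2004-10-04T12:00:05Z 10.0.0.7:1044 -> 203.0.113.11:25 TCP
2004-10-04T12:00:06Z 10.0.0.7:1045 -> 198.51.100.4:25 TCP
2004-10-04T12:00:06Z 10.0.0.7:1046 -> 198.51.100.9:25 TCP
2004-10-04T12:00:07Z 10.0.0.7:1047 -> 192.0.2.33:25 TCP
2004-10-04T12:00:07Z 10.0.0.7:1048 -> 192.0.2.34:25 TCP
2004-10-04T12:00:09Z 10.0.0.9:1050 -> 192.0.2.80:443 TCP
2004-10-04T12:00:10Z 10.0.0.9:1051 -> 203.0.113.10:25 TCP
"""

FLOW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)

# Assumed: the only host permitted to originate outbound SMTP.
MAIL_RELAYS = {"10.0.0.2"}
# Assumed: distinct SMTP destinations per source before we call it mass mailing.
THRESHOLD = 5


def parse_flows(text):
    """Yield (src, dst, dport) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = FLOW_LINE.match(line.strip())
        if m and m.group("proto") == "TCP":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def direct_smtp_senders(flows, relays=MAIL_RELAYS, threshold=THRESHOLD):
    """Map each internal source that bypasses the relay to its sorted list of
    distinct SMTP destinations, keeping only sources at or above `threshold`."""
    dests = defaultdict(set)
    for src, dst, dport in flows:
        if dport != 25 or dst in relays or src in relays:
            continue  # normal relayed mail, or the relay's own deliveries
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, targets in direct_smtp_senders(parse_flows(SAMPLE_FLOW_LOG)).items():
        print(f"{src} contacted {len(targets)} SMTP servers directly: {targets}")
```

The threshold keeps a single misconfigured client from paging anyone; in practice the same query is run per time window so that a slow sender still crosses it eventually. The worm's stored gateway address also means a host that suddenly starts relaying through a different server than its configured one is worth a second look.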


Bagz produced a few variants of note, most of them almost identical to the original.


Bagz.D drops 39 files in the system folder (all copies of the worm, under all the possible attachment names). It blocks access to over 60 web addresses, all belonging to security software vendors. It also terminates a number of processes and deletes registry keys associated with antivirus software. It avoids sending infected emails to addresses containing certain strings, suggesting its creator was trying to avoid certain software companies, particularly antivirus vendors.


Bagz does not appear to have caused any significant damage or been involved in a major incident at any one location. It did, however, appear on several charts of the most prevalent malware. For 2004 it was the 4th most common, accounting for 5.5% of malware incidents; by April of the next year it had fallen to 10th place.


