
bawindo.exe


What is it?
bawindo.exe is a file associated with the W32.Beagle.AR@mm mass-mailing worm.

What does it do?
W32.Beagle.AR@mm is a mass-mailing worm that uses its own SMTP engine to spread. The email attachment is a downloader, similar to the Mitglieder family of Trojans, that downloads the worm from an external source.

When the W32.Beagle.AR@mm worm is executed, it:

Creates the following files:

%System%\bawindo.exe
%System%\bawindo.exeopen
%System%\bawindo.exeopenopen
%System%\re_file.exe

Adds the value:

"bawindo"="%System%\bawindo.exe" to the registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Deletes some registry values from the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Attempts to create copies of itself in any folder that contains the characters "shar". The files will have the following file names:
  • Microsoft Office 2003 Crack, Working!.exe
  • Microsoft Windows XP, WinXP Crack, working Keygen.exe
  • Microsoft Office XP working Crack, Keygen.exe
  • Porno, sex, oral, anal cool, awesome!!.exe
  • Porno Screensaver.scr
  • Serials.txt.exe
  • KAV 5.0
  • Kaspersky Antivirus 5.0
  • Porno pics arhive, xxx.exe
  • Windows Sourcecode update.doc.exe
  • Ahead Nero 7.exe
  • Windown Longhorn Beta Leak.exe
  • Opera 8 New!.exe
  • XXX hardcore images.exe
  • WinAmp 6 New!.exe
  • WinAmp 5 Pro Keygen Crack Update.exe
  • Adobe Photoshop 9 full.exe
  • Matrix 3 Revolution English Subtitles.exe
  • ACDSee 9.exe
More info and Removal
@symantec
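
A defender's check for the indicators described above, as an added example that is not part of the original page: it scans HijackThis O4 startup lines for the "bawindo" Run value or the bawindo.exe file names, and flags listed lure names found in folders whose name contains "shar". The function names, the subset of lure names and the sample input are constructed for illustration, and the O4 line layout is assumed to follow the usual HijackThis format.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above (lower-cased for comparison).
RUN_VALUE = "bawindo"
DROPPED = {"bawindo.exe", "bawindo.exeopen", "bawindo.exeopenopen"}
LURES = {"serials.txt.exe", "ahead nero 7.exe", "acdsee 9.exe",
         "windows sourcecode update.doc.exe"}   # subset of the listed names

# Assumed HijackThis layout: O4 - HKCU\..\Run: [value name] command
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\]\s*(.+)$")

def image_name(command):
    """Lower-cased executable file name taken from a Run command line."""
    command = command.strip()
    if command.startswith('"'):              # quoted path, arguments may follow
        command = command[1:].split('"', 1)[0]
    tokens = PureWindowsPath(command).name.split()
    return tokens[0].lower() if tokens else ""

def scan_hijackthis(log_text):
    """Return (hive, value, command) for Run entries matching the worm."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, value, command = m.groups()
        if value.lower() == RUN_VALUE or image_name(command) in DROPPED:
            hits.append((hive, value, command))
    return hits

def scan_shared_files(paths):
    """Return paths in a folder containing 'shar' whose name is a listed lure."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        in_share = any("shar" in part.lower() for part in wp.parent.parts)
        if in_share and wp.name.lower() in LURES:
            hits.append(p)
    return hits

# Constructed sample input (not taken from a real system).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [bawindo] C:\WINDOWS\System32\bawindo.exe
O4 - HKCU\..\Run: [updater] "C:\WINDOWS\System32\bawindo.exeopen" /q"""
SAMPLE_FILES = [r"C:\Users\a\My Shared Folder\Serials.txt.exe",
                r"C:\Users\a\Documents\Serials.txt.exe",
                r"D:\kazaa\shared\notes.txt"]
```

The third sample line matches on the file name alone, which covers a Run entry registered under a different value name.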



bawindo.exe is Spyware!
