
syslogin.exe

What is it?
syslogin.exe is a file associated with the W32.Bagz@mm worm.

What does it do?
W32.Bagz@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses gathered from the infected computer.

When W32.Bagz@mm is executed, it does the following:
  1. Creates the following copy of itself:

    %System%\tutorial.doc <spaces> .exe

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  2. Adds the value:

    "syslogin.exe" = "syslogin.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm is executed every time Windows starts.
  3. Creates the following files:
    • %System%\dl.exe
    • %System%\syslogin.exe
  4. Disables the Windows firewall.
  5. Downloads and executes remote files.
  6. Installs its own network driver to bypass local firewalls.
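An added detection example, written for this page and not part of the write-up or of Symantec's tooling: it checks a directory listing and a set of Run-key values for the indicators listed above, and generalises the tutorial.doc <spaces> .exe trick to any file name that hides a trailing .exe behind a run of spaces. The sample listing and Run values are constructed, and `scan_directory` is a hypothetical helper for running the same check on a resolved %System% folder.

```python
import os
import re
from typing import Dict, List

# Indicators taken from the steps above. %System% is resolved on the host being checked.
KNOWN_FILES = {"syslogin.exe", "dl.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "syslogin.exe"

# Generalised form of "tutorial.doc <spaces> .exe": a non-space character, then two or
# more spaces, then a final .exe. The padding pushes the real extension out of view.
PADDED_EXE = re.compile(r"\S\s{2,}\.exe$", re.IGNORECASE)


def suspicious_filenames(names: List[str]) -> List[str]:
    """Return names that are the worm's known files or use the padded-extension trick."""
    hits = []
    for name in names:
        if name.lower() in KNOWN_FILES or PADDED_EXE.search(name):
            hits.append(name)
    return hits


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return Run-key value names whose name or data points at syslogin.exe."""
    return [
        name
        for name, data in run_values.items()
        if name.lower() == RUN_VALUE or data.strip('"').lower().endswith(RUN_VALUE)
    ]


def scan_directory(path: str) -> List[str]:
    """Hypothetical helper: apply suspicious_filenames to a real folder listing."""
    return suspicious_filenames(os.listdir(path))


# Constructed sample data (not captured from a real host).
SAMPLE_SYSTEM_DIR = [
    "kernel32.dll",
    "syslogin.exe",
    "dl.exe",
    "tutorial.doc" + " " * 40 + ".exe",
    "notepad.exe",
]
SAMPLE_RUN = {
    "syslogin.exe": "syslogin.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    print("files:", suspicious_filenames(SAMPLE_SYSTEM_DIR))
    print("run values under", RUN_KEY, ":", suspicious_run_values(SAMPLE_RUN))
```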
Removal
@symantec