Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Bagle.C is an internet worm spreading in a form of an e-mail attachment.
The subject of the e-mail message is one of the following:
Daily activity report
Flayers among us
Freedom for everyone
Greet the day
Hardware devices price-list
Hello my friend
Looking for the report
Monthly incomings summary
Proclivity to servitude
USA government abolishes the capital punishment
Weekly activity report
You are dismissed
You really love me? he he
The attachment is a .ZIP file with a random name, 15994 bytes in size, containing an executable file with a different random name.
Upon execution, the worm will drop these three files to the %sysdir% folder:
Then it adds the following entry into the system registry:
"gouday.exe" = "%sysdir%\readme.exe"
To obtain e-mail addresses for its spreading, it searches all local drives for files with the following extensions:
and extracts the addresses from them. It will not send itself to addresses which contain one of the following strings:
The worm contains a backdoor functionality. It listens on TCP port 2745, through which an attacker can remotely upload and run additional malicious programs on the infected machine. It connects to one of these addresses:
and reports the listening port number and a random ID to it.
It tries to terminate the following programs:
The worm may open notepad.exe. Win32/Bagle.C deactivates itself on March 14th 2004.
The detection of Win32/Bagle.C is added since version 1.636.
Win32/Bagle.D is a minor modification of Win32/Bagle.C. The file names and e-mail message properties are the same.
The detection of Win32/Bagle.D is added since version 1.638.
Win32/Bagle.E is very similar to Win32/Bagle.C. The worm appends binary data of random length to the files it sends out, so the size of the e-mail attachment varies from message to message.
It drops the following files to the %sysdir% folder:
It adds the following entry into the system registry:
"rate.exe" = "%sysdir%\i1ru74n4.exe"
The e-mail message may contain a short body, randomly picked from the following list:
Everything inside the attach
Look it through
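As an added example, not ESET's code and not part of the original entry, the following Python check scores a raw e-mail message against the indicators published above: the Bagle.C/D subject lines and 15994-byte ZIP attachment, the Bagle.E body lines, and in all three variants a ZIP archive that contains an executable carrying a name different from the archive's. The size test is applied as an indicator only, because Bagle.E pads its attachment to a random length. The sample messages are constructed inline with placeholder bytes; they are not worm samples, and the addresses and file names in them are made up.

```python
"""Mail-gateway check for the Win32/Bagle.C/D/E e-mail indicators.

Added example, not ESET code. Messages built by build_sample() are
constructed test data with placeholder bytes, not real worm samples.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines used by Win32/Bagle.C and Win32/Bagle.D (from the entry above).
BAGLE_SUBJECTS = {
    "Daily activity report",
    "Flayers among us",
    "Freedom for everyone",
    "Greet the day",
    "Hardware devices price-list",
    "Hello my friend",
    "Looking for the report",
    "Monthly incomings summary",
    "Proclivity to servitude",
    "USA government abolishes the capital punishment",
    "Weekly activity report",
    "You are dismissed",
    "You really love me? he he",
}
# Short message bodies used by Win32/Bagle.E.
BAGLE_E_BODIES = {"Everything inside the attach", "Look it through"}
# Attachment size of Bagle.C/D only; Bagle.E pads the archive to a random size.
BAGLE_C_ZIP_SIZE = 15994


def exe_members(zip_bytes):
    """Return the names of .exe members in a ZIP, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".exe")]
    except zipfile.BadZipFile:
        return []


def classify(raw):
    """Score a raw RFC 822 message; returns {'suspect': bool, 'indicators': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["subject"] or "").strip() in BAGLE_SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and body_part.get_content().strip() in BAGLE_E_BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        exes = exe_members(data)
        if not exes:
            continue
        hits.append("zip_with_exe")
        # The worm's executable carries a name different from the archive's.
        if any(e.rsplit(".", 1)[0] != name[:-4] for e in exes):
            hits.append("exe_name_differs")
        if len(data) == BAGLE_C_ZIP_SIZE:
            hits.append("bagle_c_size")
    # Lure text plus a ZIP-wrapped executable is the worm's delivery pattern;
    # the size indicator alone is not required, so Bagle.E is still caught.
    suspect = "zip_with_exe" in hits and ("subject" in hits or "body" in hits)
    return {"suspect": suspect, "indicators": hits}


def build_sample(subject, body, zip_name, member_name):
    """Construct a test message (placeholder bytes, not a worm) with a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)  # harmless stub, not real code
    msg = EmailMessage()
    msg["From"] = "sender@example.test"   # assumed, constructed address
    msg["To"] = "victim@example.test"     # assumed, constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample("Hello my friend", "hi", "qwe123.zip", "rty456.exe")))
    print(classify(build_sample("Report", "Look it through", "abc.zip", "def.exe")))
    print(classify(build_sample("Meeting notes", "see attached", "notes.zip", "notes.txt")))
```

Feeding the worm's own 15994-byte archive through `classify()` would add the `bagle_c_size` indicator; a Bagle.E message is still flagged through the body text and the ZIP-wrapped executable alone.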
Also the list of addresses, to which the worm does not send itself has changed slightly:
The date of deactivation is March 25th 2004.
The detection of Win32/Bagle.E is added since version 1.639.
1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.