Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Aliases: W32.Beagle.CG@mm (Symantec), Win32.Bagle.DQ@mm (Bitdefender), Email-Worm.Win32.Bagle.dq (Kaspersky), W32/Bagle.EW.worm (Panda)
Type: Worm
Systems Affected: 32-bit Windows


Win32/Bagle.CT is a 31348 byte, typical mass-mailing worm that is runtime compressed. This threat contains a trojan component and tries to send this trojan via mass-mailing functionality.

Installation and Autostart Techniques:

Upon execution the worm copies itself into the %System% folder as "windll2.exe".

Note: %System% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

The worm adds the following keys to the registry:

"erthegdr" = "%System%/windll2.exe"

"erthegdr" = "%System%/windll2.exe"

"Ru1n" is only an infection marker, it will NOT reload the worm upon next system start.

Win32/Bagle.CT also scans for the following registry keys:


and tries to delete these keys if they are present:

"My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus", "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect", "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV", "PandaAVEngine",
"Norton Antivirus AV", "KasperskyAVEng", "SkynetsRevenge", "ICQ Net"

Mutex Creation to Prevent Netsky Worms from Working

The worm creates the following NetSky worm mutexes:


to prevent several Netsky Worm versions from running.

Automatic Deactivation:

If the current System date is the 23 September 2006 the worm tries to delete the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n\ erthegdr

After successfully removing these keys, the worm will terminate itself on this date or later.

Illustration of the time checking in the bagle worm.

Downloading Component:

The worm tries to download the following files:


and tries to store this file as "EML.EXE".

E-mail Sender:

The sender email addresses are spoofed and may appear to be sent by a familiar source.
This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of the embedded trojan.

The worm will not send to email addresses which containing any of the following strings:

@eerswqe @derewrdgrs @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft
support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip
google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@

E-mail Subjects:

E-mail subject lines are empty.

Message Body:

The E-mail message body contains one of the following texts:

new price
The password is

E-mail Attachments:

The worm attaches the Trojan with one of the following file names:

Backdoor Component:

The worm also provides backdoor functionality on Port 80 (TCP/IP)

Other Details:

The worm uses IP as DNS Server, a Russian telecom server. (

History: Analysis and Write-up by: Michael St. Neitzel