Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Bagle.C

Win32/Bagle.C is an internet worm that spreads as an e-mail attachment.

The subject of the e-mail message is one of the following:

Accounts department
Ahtung!
Camila
Daily activity report
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices price-list
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price
Price list
Price-list
Pricelist
Proclivity to servitude
Registration confirmation
The account
The employee
The summary
USA government abolishes the capital punishment
Weekly activity report
Well...
You are dismissed
You really love me? he he

The attachment is a .ZIP file with a random name. Its size is 15994 bytes, and it contains an executable file with a different random name.
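The subject list and the fixed-size ZIP-with-a-renamed-EXE pattern are the indicators a mail gateway can act on before the attachment is ever opened. As an added example (not part of the encyclopedia entry), the Python below parses a raw RFC 822 message and reports which Bagle.C indicators it carries: a subject from the list above, a .ZIP attachment of exactly 15994 bytes, and a single .exe member whose name differs from the ZIP's own name. The sample message, its addresses and the file names q8w2.zip and k3jd.exe are constructed here; the padded payload merely stands in for the worm body. Note that the size check applies to the .C and .D variants only, since Bagle.E pads its attachment to a varying size.

```python
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Subject lines listed in the Win32/Bagle.C entry (the .D and .E entries reuse them).
BAGLE_SUBJECTS = {
    "Accounts department", "Ahtung!", "Camila", "Daily activity report",
    "Flayers among us", "Freedom for everyone", "From Hair-cutter", "From me",
    "Greet the day", "Hardware devices price-list", "Hello my friend", "Hi!",
    "Jenny", "Jessica", "Looking for the report", "Maria", "Melissa",
    "Monthly incomings summary", "New Price-list", "Price", "Price list",
    "Price-list", "Pricelist", "Proclivity to servitude",
    "Registration confirmation", "The account", "The employee", "The summary",
    "USA government abolishes the capital punishment", "Weekly activity report",
    "Well...", "You are dismissed", "You really love me? he he",
}
# Exact attachment size of the .C/.D variants; Bagle.E pads the file, so its size varies.
BAGLE_C_ZIP_SIZE = 15994


def classify_message(raw: bytes) -> list:
    """Return the Bagle.C indicators found in a raw RFC 822 message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    if str(msg.get("Subject", "")).strip() in BAGLE_SUBJECTS:
        reasons.append("subject is on the Bagle.C list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not name.lower().endswith(".zip"):
            continue
        if len(data) == BAGLE_C_ZIP_SIZE:
            reasons.append("ZIP attachment is exactly %d bytes" % BAGLE_C_ZIP_SIZE)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            continue
        # The worm ships one .exe whose name differs from the ZIP's own name.
        if len(members) == 1 and members[0].lower().endswith(".exe"):
            zip_stem = os.path.splitext(os.path.basename(name))[0].lower()
            exe_stem = os.path.splitext(os.path.basename(members[0]))[0].lower()
            if zip_stem != exe_stem:
                reasons.append("ZIP holds one .exe with a different name")
    return reasons


def build_stored_zip(member: str, payload: bytes) -> bytes:
    """Constructed sample: one uncompressed member, so the size is linear in the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def sized_zip(member: str, size: int) -> bytes:
    """Build a stored ZIP of exactly `size` bytes; the padding stands in for the worm body."""
    probe = build_stored_zip(member, b"MZ")
    return build_stored_zip(member, b"MZ" + b"\0" * (size - len(probe)))


def build_sample_message(subject: str, zip_name: str, zip_bytes: bytes) -> bytes:
    """Constructed sample message; the sender and recipient addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message("Price-list", "q8w2.zip",
                                  sized_zip("k3jd.exe", BAGLE_C_ZIP_SIZE))
    print(classify_message(sample))
```

A single indicator (a subject such as "Hi!" or "Price") is too common to quarantine on; the size and the renamed single .exe together are what make the match specific, so a gateway rule should require at least two of the three reasons.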

Upon execution, the worm drops these three files into the %sysdir% folder:

doc.exe
onde.exe
readme.exe

Then it adds the following entry into the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"gouday.exe" = "%sysdir%\readme.exe"

To collect e-mail addresses to spread to, it searches all local drives for files with the following extensions:

.adb
.asp
.cfg
.dbx
.eml
.htm
.html
.mdx
.mmf
.nch
.ods
.php
.pl
.sht
.txt
.wab

and harvests the addresses from them. It does not send itself to addresses that contain any of the following strings:

.ch
@avp.
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@

The worm also contains a backdoor: it opens TCP port 2745, through which additional programs can be installed on the machine remotely. It connects to one of these addresses:

http://permail.uni-muenster.de/scr.php
http://www.songtext.net/de/scr.php
http://www.sportscheck.de/scr.php

to report the backdoor port number and a random ID.
It also tries to terminate the following programs, mostly update components of antivirus products and personal firewalls:

ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE

The worm may also open notepad.exe. Win32/Bagle.C deactivates itself on March 14, 2004.

Detection of Win32/Bagle.C has been included since version 1.636.

Win32/Bagle.D

Win32/Bagle.D is a minor modification of Win32/Bagle.C. The file names and e-mail message properties are the same.

Detection of Win32/Bagle.D has been included since version 1.638.

Win32/Bagle.E

Win32/Bagle.E is very similar to Win32/Bagle.C. The size of the e-mail attachment varies, because the worm appends binary data of random length to the files it sends out.
It drops the following files into the %sysdir% folder:

i1ru74n4.exe
godo.exe
ii455nj4.exe

It adds the following entry into the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rate.exe" = "%sysdir%\i1ru74n4.exe"

The e-mail message may contain a short body, randomly picked from the following list:

Cya
Empty
Everything inside the attach
Look it through
Request
Response
Subj

The list of strings that exclude an address from the worm's mailing has also changed slightly:

.gr
@avp.
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@

Win32/Bagle.E deactivates itself on March 25, 2004.
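The Run value names, dropped file names, backdoor port and check-in URLs given in the Bagle.C/.D and Bagle.E entries above are the host and network indicators an incident responder would sweep for. As an added example (not part of the encyclopedia entries), the Python below triages exported `reg query` and `netstat -ano` output and proxy log lines against those indicators. All three inputs are constructed samples; the proxy log format and the query string on the check-in request are assumptions, because the entries state only that the port number and a random ID are sent, not how the request is formed. The value-name check is deliberately independent of the file check: a Run value named gouday.exe that points at readme.exe is a mismatch worth flagging even if the file itself has been renamed.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the Bagle.C/.D and Bagle.E entries.
RUN_VALUE_NAMES = {"gouday.exe", "rate.exe"}
DROPPED_FILES = {"doc.exe", "onde.exe", "readme.exe",           # Bagle.C / .D
                 "i1ru74n4.exe", "godo.exe", "ii455nj4.exe"}    # Bagle.E
BACKDOOR_PORT = 2745
CHECKIN_HOSTS = {"permail.uni-muenster.de", "www.songtext.net", "www.sportscheck.de"}

# `reg query HKCU\...\Run` prints "    <name>    REG_SZ    <data>" lines.
_REG_LINE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")
# `netstat -ano` prints "  TCP    <local>:<port>    <remote>    LISTENING    <pid>".
_NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# Assumed proxy log layout: "<epoch> <client> <method> <url> <status>".
_PROXY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})\s*$")


def scan_run_key(reg_output: str) -> list:
    """Flag Run values whose name or target file matches the worm's names."""
    hits = []
    for line in reg_output.splitlines():
        m = _REG_LINE.match(line)
        if not m:
            continue
        value, data = m.group(1), m.group(2).strip('"')
        target = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if value.lower() in RUN_VALUE_NAMES or target in DROPPED_FILES:
            hits.append((value, data))
    return hits


def scan_netstat(netstat_output: str) -> list:
    """Return the PIDs listening on the Bagle backdoor port."""
    pids = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            pids.append(int(m.group(2)))
    return pids


def scan_proxy_log(lines) -> list:
    """Return (client, url) for requests to scr.php on the listed check-in hosts."""
    hits = []
    for line in lines:
        m = _PROXY_LINE.match(line)
        if not m:
            continue
        client, url = m.group(2), m.group(4)
        parts = urlsplit(url)
        if parts.hostname in CHECKIN_HOSTS and parts.path.endswith("/scr.php"):
            hits.append((client, url))
    return hits


def triage(reg_output: str, netstat_output: str, proxy_lines) -> dict:
    """Combine the three sweeps; any hit marks the host as suspect."""
    findings = {
        "run_key": scan_run_key(reg_output),
        "backdoor_pids": scan_netstat(netstat_output),
        "checkins": scan_proxy_log(proxy_lines),
    }
    findings["suspect"] = any(findings[k] for k in ("run_key", "backdoor_pids", "checkins"))
    return findings


# Constructed samples (not captured from a real infection).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    gouday.exe    REG_SZ    C:\WINDOWS\system32\readme.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1764
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
"""
# The query string below is made up; the entries do not document the request format.
SAMPLE_PROXY = """
1078000001 10.0.0.5 GET http://www.songtext.net/de/scr.php?port=2745&id=8f3a1c 200
1078000002 10.0.0.7 GET http://www.sportscheck.de/index.html 200
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PROXY.splitlines()))
```

The proxy sweep matches on host and path only, so it stays valid whatever the worm puts in the query string; a request for any other page on those sites (the second sample line) is ignored.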

Detection of Win32/Bagle.E has been included since version 1.639.