Alias: W32.Beagle.C@mm; W32/Bagle.c@MM; W32/Bagle.C; I-Worm.Bagle.C
Type: Worm
Size: 8,160 bytes or 15,872 bytes
Origin: unknown
Date: 02-28-2004
Damage: Sends itself as email
VDF Version: 6.24.00.23
Danger: Low
Distribution: High

General Description

Like its predecessors, this worm sends itself to email addresses found on the infected system.

Symptoms

* Open TCP port 2745
* Presence of the mentioned registry entries
* Presence of the mentioned files
* Increased email traffic

Distribution

* Sends itself via email using its own SMTP engine

Technical Details

Worm/Bagle.C has a file size of 15,872 bytes (UPX packed) or 28,160 bytes. The email attachment is a ZIP archive with a size of 15,994 bytes. The worm copies itself into the Windows folder as:

* readme.exe

and creates the following additional files:

* onde.exe
* doc.exe
* readme.exeopen (ZIP file of 15,994 bytes)

It scans files with the following extensions on all local drives for email addresses and then sends itself to those addresses (using a spoofed sender address):

* wab
* txt
* htm
* html
* dbx
* mdx
* eml
* nch
* mmf
* ods
* cfg
* asp
* php
* pl
* adb
* sht

The worm will not send mail to addresses containing any of the following strings:

* @avp
* @hotmail.com
* @microsoft
* @msn.com
* local
* noreply
* postmaster@
* root@

The sender address is spoofed and the attachment has a random file name with the extension ".zip". The email body is empty. The subject is randomly selected from the following:

* Accounts department
* Ahtung!
* Camila
* Daily activity report
* Flayers among us
* Freedom for everyone
* From Hair-cutter
* From me
* Greet the day
* Hardware devices price-list
* Hello my friend
* Hi!
* Jenny
* Jessica
* Looking for the report
* Maria
* Melissa
* Monthly incomings summary
* New Price-list
* Price Price list
* Pricelist
* Price-list
* Proclivity to servitude
* Registration confirmation
* The account
* The employee
* The summary
* USA government abolishes the capital punishment
* Weekly activity report
* Well...
* You are dismissed
* You really love me? he he

In addition, the following entries are added to the Windows Registry:

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"gouday.exe"="C:\\WINDOWS\\System32\\readme.exe"

* [HKEY_CURRENT_USER\Software\DateTime2]
"uid"="38693112"
"port"=dword:00000ab9
"frun"=dword:00000001
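The registry entries, the dropped files and the open port are the host indicators a responder checks for. The following Python triage helper is an added example, not part of Avira's description: it parses a .reg export and netstat -an text (both constructed here to mirror the entries above, rather than read from a live system) and reports which Bagle.C indicators match; note that the "port" dword 0x00000ab9 decodes to 2745, the open TCP port listed under Symptoms.

```python
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CFG_KEY = r"HKEY_CURRENT_USER\Software\DateTime2"
BACKDOOR_PORT = 2745  # the "port" dword 0x00000ab9 under DateTime2 decodes to 2745

def parse_reg_export(text):
    """Parse a Windows .reg export into {key: {name: value}} (REG_SZ and dword only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))', line)
        if val and current is not None:
            name, s, dw = val.groups()
            # .reg files double backslashes inside string values; undo that.
            keys[current][name] = int(dw, 16) if dw is not None else s.replace("\\\\", "\\")
    return keys

def bagle_c_indicators(reg_text, netstat_text):
    """Return a list of findings matching the indicators above; empty means none."""
    findings, reg = [], parse_reg_export(reg_text)
    for name, value in reg.get(RUN_KEY, {}).items():
        if name.lower() == "gouday.exe" or value.lower().endswith("\\readme.exe"):
            findings.append(f"Run value {name!r} -> {value}")
    cfg = reg.get(CFG_KEY)
    if cfg is not None:
        findings.append(f"{CFG_KEY} present (uid={cfg.get('uid')}, port={cfg.get('port')})")
    for line in netstat_text.splitlines():  # backdoor symptom: a listener on TCP 2745
        if re.search(rf"TCP\s+\S+:{BACKDOOR_PORT}\s+\S+\s+LISTENING", line):
            findings.append(f"TCP port {BACKDOOR_PORT} listening: {line.strip()}")
    return findings

# Constructed sample artefacts mirroring the entries in the description above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"gouday.exe"="C:\\WINDOWS\\System32\\readme.exe"
[HKEY_CURRENT_USER\Software\DateTime2]
"uid"="38693112"
"port"=dword:00000ab9
"frun"=dword:00000001
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:2745    0.0.0.0:0    LISTENING
"""
```

On a real host the same functions can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `netstat -an` saved to files.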

It will also try to terminate any of the following processes if they are running:

* ATUPDATER.EXE
* AUPDATE.EXE
* AUTODOWN.EXE
* AUTOTRACE.EXE
* AUTOUPDATE.EXE
* AVLTMAIN.EXE
* AVPUPD.EXE
* AVWUPD32.EXE
* AVXQUAR.EXE
* CFIAUDIT.EXE
* DRWEBUPW.EXE
* ICSSUPPNT.EXE
* ICSUPP95.EXE
* LUALL.EXE
* MCUPDATE.EXE
* NUPGRADE.EXE
* OUTPOST.EXE
* UPDATE.EXE

Description inserted by Crony Walker on Tuesday, June 15, 2004
