Alias: W32.Beagle.A@mm, Win32.Bagle.Gen@mm, I-Worm.Bagle.f
Type: Worm
Size: ~24.000 Bytes
Origin:
Date: 02-29-2004
Damage: Sent by email.
VDF Version: 6.24.00.27
Danger: Low
Distribution: Medium

Distribution

The worm email has the following structure:

The subject is one of the following:
^_^ meay-meay!
Audra
Bad girl
beautiful
Caitie
ello! =))
Fotograf
Gallery photos
groom
Hey, dude, it's me ^_^ :P
Hey, ya! =))
Hi! :-)
Hokki =)
Juli
kate
My Name is Frenk
Katrina
Kelley
kleopatra
Mandy
Mary-Anne
My photos
Myphotos
Photoalbum
rebecca
Tammy
Wau... beautiful (-:
Weah, hello! :-)
Weeeeee! ;)))

The body is one of the following:
- Argh, i don't like the plaintext :)
- Fell free to chat with me I accept all ages. Don't worry I don't bite........hope to hear from you soon!
- Hey people whats goin on? If there is anything you want to know about me ask me... I am pretty easygoing I won't bite....not at first anywayz hahaa.....one thing I will say on here tho I am not into the Cyber thing so don't even ask.....Ciao...
- Hey, guys! by the way, I have no problems with my sexual life, so it's absolutly useless try to have icq sex or things like that. Thanks
- Hi! :-)
- Hi! My name is Shreya and I am a goof off!!! So, If you love the outdoors, travelling, books, music, movies, laffing, teasing and/or can poke fun at yourself... please come a hollerin'!!
- Hokki =)
- I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places .
- I enjoy clean conversations but am open to conversing with women and men with little ones as well. I am very open-minded. All authorization requests will be denied if I don't receive messages and get to know you first.
- I like to be in a company of smart, delicate, and with a good sense of humor people. I am Bulgarian, currently getting my Master's in International Business in USA. Favorite actor: Michael Dudikoff
- I love camping, dirt track racing, going for walks, and I have 2 cats - HotRod and Deebo (named from the movie 'Friday' and he lives up to it!). Life is ever changing, never always easy...
- I love meeting new people and making new friends. I am a Mary Kay Beauty Consultant. I am married to a wonderful man. We have no children, exept for a minature schnauzer that thinks he is a child. Looking forward to meeting you.
- I love to dance, read poetry, make people laugh, and hug as many people a day as i can.
- If I'm online, it problably means I'm pretty bored....so feel free to message me and say hi or whatever else comes to mind at the moment.
- I'm a social butterfly and a natural flirt. Very hard to get my complete attention. Very open and will answer almost anything. But please don't piss me off. I can be sweet and cuddly or a whatever mood I am in that day so everyday
- I'm an open minded person and enjoy chatting w/ other people. I'm free and willing to chat about anything. So feel free to Imed me if you wanna chat.
- I'm married and I stay at home. And I don't do cyber sex so leave me the fuck alone
- i'm tall and skiny I'm studying in Pharm. D program in FL. i like music, movie, dancing, sports, SCUBA diving, traveling and make a lot friends.
- Looking forward for a response :P
- Love the outdoors, literature, writing, and athletics
- My hobbies include crochet, sewing, painting lead figures and playing AD&D. Favorite activities include fishing and camping. I love cats, unicorns(go figure), and fantasy in general.
- Nice friends, nice men, nice sex and feeling great. I don't mind the odd bout of cybersex as I love to use my imagination when I masterbate.
- Single Mom of 3, Full time college student, Graduate in December with an Associates of Applied Science in Computer Information Systems Love the internet.
- When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The Memories Of Our Life Together
- You don t know what you ve got till it s gone *You hurt me more than I deserve, how can you be so cruel? I love you more than you deserve, how can I be such a fool?

If the attachment is a password-protected ZIP archive, the last line of the email body is one of the following:
-password for archive:
-pass:
-password:
-archive password:

The attachment's name is one of the following, with extension .exe, .scr or .zip:
Aline
Anna
Audra
Bad girl
Barbi
Caitie
caroline
Gallery
It_I
Jammie
Juli
Julie
kate
Kelly
kleopatra
LisaMandy
Mary-Anne
myfotos
Photoalbum
Photomontage
Picture
Rana
rebecca
Sarah
Tammy
stacy
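
The message structure described above can be turned into a mail-triage check. The following is an added example, not part of the original description: it flags a message whose attachment name matches the listed base names and extensions, and notes whether the last body line is one of the listed password lines. The function names, the sample addresses and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Attachment base names, extensions and password-line prefixes as listed on this page.
STEMS = {s.lower() for s in (
    "Aline", "Anna", "Audra", "Bad girl", "Barbi", "Caitie", "caroline", "Gallery",
    "It_I", "Jammie", "Juli", "Julie", "kate", "Kelly", "kleopatra", "LisaMandy",
    "Mary-Anne", "myfotos", "Photoalbum", "Photomontage", "Picture", "Rana",
    "rebecca", "Sarah", "Tammy", "stacy")}
EXTENSIONS = {".exe", ".scr", ".zip"}
PASSWORD_PREFIXES = ("password for archive:", "pass:", "password:", "archive password:")

def triage(raw: bytes) -> dict:
    """Flag a message whose attachment name and body match the structure above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        path = PureWindowsPath(part.get_filename() or "")
        if path.suffix.lower() in EXTENSIONS and path.stem.lower() in STEMS:
            hits.append(path.name)
    body = msg.get_body(preferencelist=("plain",))
    lines = [ln.strip() for ln in (body.get_content() if body else "").splitlines()]
    lines = [ln for ln in lines if ln]
    # Assumption: the leading "-" in the page's list is a bullet, so it is optional here.
    last = lines[-1].lstrip("- ").lower() if lines else ""
    has_zip = any(name.lower().endswith(".zip") for name in hits)
    return {
        "attachments": hits,
        "password_line": has_zip and last.startswith(PASSWORD_PREFIXES),
        "suspect": bool(hits),
    }

def build_message(filename: str, body: str) -> bytes:
    """Constructed sample message; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Photoalbum"
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_message("Tammy.zip", "Hi! :-)\npassword: 48213\n")))
    print(triage(build_message("report.zip", "Quarterly numbers attached.\n")))
```

A name match alone is a weak signal, since the listed names are ordinary first names; the password line combined with a matching ZIP attachment is the stronger indicator.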

Technical Details

Worm/Bagle.F has a variable file size of ~24000 Bytes. The file is packed with PEX. The email attachment is a ZIP archive or the executable program itself. If it is opened, the worm copies itself to the Windows System directory under the name i1ru74n4.exe and creates the following files:
go54o.exe (24.064 Bytes)
ii5nj4.exe (1.536 Bytes)
i1ru54n4.exeopen (ZIP archive, ~23KB)

The worm searches for email addresses in files with the following extensions and sends itself to the addresses it finds, forging the sender's address:

*.wab
*.txt
*.htm
*.html
*.dbx
*.mdx
*.eml
*.nch
*.mmf
*.ods
*.cfg
*.asp
*.php
*.pl
*.adb
*.sht

If the email address contains one of the following strings, no email is sent:
@avp
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@

The sender's address is faked and the attachment has a random name and .ZIP extension. The ZIP archive is possibly password-protected. The arbitrary password is written in the email.

This version of Bagle also sends executable program files with extension .scr or .exe.
The worm also tries to spread over P2P file-sharing networks by copying itself into the following directories:

%Program Files%\bearshare\
%Program Files%\bearshare\shared\
%Program Files%\Common Files\Microsoft Shared\
%Program Files%\kazaa\my shared folder\
%Program Files%\KaZaA Lite\my shared folder\
%Program Files%\morpheus\my shared folder\

In all these directories, the following files are created:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
shared
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

The following registry entries are also created:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rate.exe"="C:\\WINDOWS\\System32\\i1ru54n4.exe"
[HKEY_CURRENT_USER\Software\winword]
"frun"=dword:00000001
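
The registry entries and dropped file names listed in this description can be checked against a registry export during cleanup. The following is an added example, not part of the original description: it parses regedit export text and reports values that match the two entries above or that point at one of the file names from the Technical Details section. The function names and the sample export are constructed for illustration.

```python
import re

# Persistence markers from this page: (key suffix, value name), lower-cased.
MARKERS = {
    (r"\software\microsoft\windows\currentversion\run", "rate.exe"),
    (r"\software\winword", "frun"),
}
# Executable names this page lists for the worm's copies and dropped files.
DROPPED = {"i1ru74n4.exe", "i1ru54n4.exe", "go54o.exe", "ii5nj4.exe"}

def parse_reg(text):
    """Yield (key, value_name, data) tuples from regedit export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
            yield key, name, data

def find_bagle_f(text):
    """Return the registry values that match the indicators listed on this page."""
    findings = []
    for key, name, data in parse_reg(text):
        by_marker = any(key.lower().endswith(suffix) and name.lower() == value
                        for suffix, value in MARKERS)
        by_file = data.lower().rsplit("\\", 1)[-1] in DROPPED
        if by_marker or by_file:
            findings.append((key, name, data))
    return findings

# Constructed sample export: one benign Run value plus the two entries from this page.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"rate.exe"="C:\\WINDOWS\\System32\\i1ru54n4.exe"

[HKEY_CURRENT_USER\Software\winword]
"frun"=dword:00000001
"""

if __name__ == "__main__":
    for finding in find_bagle_f(SAMPLE_EXPORT):
        print(finding)
```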

If the worm detects the following processes, it terminates them:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
Description inserted by Crony Walker on Tuesday, June 15, 2004
