Alias: W32.Beagle.H@mm, Win32.Bagle.Gen@mm, I-Worm.Bagle.H
Type: Worm
Size: ~21.000 Bytes
Origin:
Date: 03-01-2004
Damage: Sent by email.
VDF Version: 6.24.00.32
Danger: Low
Distribution: Medium

Distribution

The sender's address is forged and the attachment has a random file name with a .zip extension. The ZIP archive may be password-protected; in that case the arbitrary password is written in the email body.
The subject is chosen out of the following:
:)
:)
:-)
^_^ meay-meay!
^_^ mew-mew (-:
ello! =))
Hey, dude, it's me ^_^ :P
Hey, ya! =))
Hi! :-)
Hokki =)
Weah, hello! :-)
Weeeeee! ;)))

The email body is one of the following:

Argh, i don't like the plaintext :)
I don't bite, weah!
Looking forward for a response :P

The worm can insert a variable number of extra spaces between the words to vary the appearance of the text.
If the attachment is a password-protected ZIP archive, the last line in the email body is:

- ...btw, "%arbitrary numbers%" is a password for archive
- archive password: %arbitrary numbers%
- password: %arbitrary numbers%
- password -- %arbitrary numbers%
- pass: %arbitrary numbers%
- %arbitrary numbers% -- archive password

The attachment can have one of the following names:
Attach.zip
AttachedDocument.zip
AttachedFile.zip
Document.zip
Info.zip
Letter.zip
Message.zip
MoreInfo.zip
Msg.zip
MsgInfo.zip
Readme.zip
Text.zip
TextFile.zip
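A defensive mail-filter check built from the subject, body, password-line and attachment indicators listed above, added here as an example (it is not Avira's code). It assumes that %arbitrary numbers% is a run of digits and that the worm's extra word spacing can be collapsed before comparison; the sample message is constructed, not a real capture.

```python
import re
from email import message_from_string
# Indicators quoted from the description above: subjects, body lines and attachment names.
SUBJECTS = {":)", ":-)", "^_^ meay-meay!", "^_^ mew-mew (-:", "ello! =))", "Hey, dude, it's me ^_^ :P",
            "Hey, ya! =))", "Hi! :-)", "Hokki =)", "Weah, hello! :-)", "Weeeeee! ;)))"}
BODIES = {"Argh, i don't like the plaintext :)", "I don't bite, weah!",
          "Looking forward for a response :P"}
ATTACHMENTS = {"Attach.zip", "AttachedDocument.zip", "AttachedFile.zip", "Document.zip", "Info.zip", "Letter.zip",
               "Message.zip", "MoreInfo.zip", "Msg.zip", "MsgInfo.zip", "Readme.zip", "Text.zip", "TextFile.zip"}
# The six password-line templates; %arbitrary numbers% is assumed to be a run of digits.
PASSWORD_LINE = re.compile(r'^(?:\.\.\.btw, "\d+" is a password for archive|archive password: \d+'
                           r'|password: \d+|password -- \d+|pass: \d+|\d+ -- archive password)$')

def normalize(text):
    # The worm pads words with extra spaces, so collapse whitespace before comparing.
    return re.sub(r"\s+", " ", text).strip()

def bagle_indicators(raw_message):
    # Returns the names of the indicators found in an RFC 822 message given as a string.
    msg = message_from_string(raw_message)
    hits, body = [], ""
    if normalize(msg.get("Subject", "")) in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name in ATTACHMENTS:
            hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    lines = [normalize(line) for line in body.splitlines() if line.strip()]
    if any(line in BODIES for line in lines):
        hits.append("body")
    if lines and PASSWORD_LINE.match(lines[-1]):
        hits.append("password_line")
    return hits
# Constructed sample message (not a real capture); the ZIP part body is deliberately left empty.
SAMPLE = """\
Subject: Hey,   dude, it's me ^_^ :P
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Argh, i  don't   like the plaintext :)
archive password: 48213
--b1
Content-Type: application/zip; name="MsgInfo.zip"

--b1--
"""
```

Running `bagle_indicators(SAMPLE)` reports all four indicator classes for the constructed message; a single hit on its own (for example only a matching attachment name) is weak evidence and should be weighted accordingly.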

Technical Details

Worm/Bagle.F has a variable file size of ~24000 Bytes. The file is packed with PEX. The email attachment is a ZIP archive or an executable program. If it is opened, the worm copies itself into the Windows system directory under the name i11r54n4.exe (~21.000 Bytes) and creates the following files:
go54o.exe (24.064 Bytes)
ii5nj4.exe (1.536 Bytes)
i1ru54n4.exeopen (ZIP file ~21.000 Bytes)

The worm harvests email addresses from files with the following extensions and sends itself to them, forging the sender's address:

*.wab
*.txt
*.htm
*.html
*.dbx
*.mdx
*.eml
*.nch
*.mmf
*.ods
*.cfg
*.asp
*.php
*.pl
*.adb
*.sht

If the email address contains one of the following strings, no email is sent:
@avp
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@

The following registry entries are made:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rate.exe"="C:\\WINDOWS\\System32\\i11r54n4.exe"
[HKEY_CURRENT_USER\Software\winword]
"frun"=dword:00000001

If the worm detects the following processes, it terminates them:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE

The worm loads one of the following websites:
http://postertog.de/scr.php
http://www.gfotxt.net/scr.php
http://www.maiklibis.de/scr.php
Description posted by Crony Walker on Tuesday, 15 June 2004
