This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- contains a remote access component (notification is sent to hacker)
If you think that you may be infected with Bagle.c, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From: address.
Note: top-level detection of the ZIP file is included within the DATs. This is to improve performance when scanning. Identifications of the top level detection will be reported as W32/Bagle.c!zip.
Messages are constructed as follows:
From : (address is spoofed)
Body : (Message body is empty)
Subject : (one of the following)
- Accounts department
- Daily activity report
- Flayers among us
- Freedom for everyone
- From Hair-cutter
- From me
- Greet the day
- Hardware devices price-list
- Hello my friend
- Looking for the report
- Monthly incomings summary
- New Price-list
- Price list
- Proclivity to servitude
- Registration confirmation
- The account
- The employee
- The summary
- USA government abolishes the capital punishment
- Weekly activity report
- You are dismissed
- You really love me? he he
Attachment : randomly named binary within a .ZIP file (~16KB).
The EXE file within the ZIP archive uses the following icon, to make it appear that the file is an Excel file.
Like its predecessors, this worm checks the system date. If it is the 14th March 2004 or later, the worm simply exits and does not propagate.
Upon running the file, Notepad.exe is opened, with a blank window.
The virus copies itself into the Windows system directory as README.EXE, for example:
It also creates other files in this directory to perform its functions:
- onde.exe (18,944 bytes) - DLL to perform mailing
- doc.exe (1,536 bytes) - DLL loader
- readme.exeopen (~16KB) - ZIP to be sent via email
The following Registry key is added to hook system startup:
CurrentVersion\Run "gouday.exe" = C:\WINNT\SYSTEM32\README.EXE
Additionally, the following Registry keys are added:
- HKEY_CURRENT_USER\Software\DateTime2 "frun"
- HKEY_CURRENT_USER\Software\DateTime2 "uid"
- HKEY_CURRENT_USER\Software\DateTime2 "port"
A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.
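The host-side indicators listed above (dropped files, the Run value, the DateTime2 registry values, the mutex) and the 14 March 2004 kill date can be checked mechanically. The following is an added example, not code from the original description: it matches a constructed host snapshot against those indicators and models the worm's date check. The snapshot format (a plain dict) is an assumption made for the example.

```python
from datetime import date

# Indicators taken from the description above.
SYSTEM_DIR_FILES = {"readme.exe", "onde.exe", "doc.exe", "readme.exeopen"}
RUN_VALUE_NAME = "gouday.exe"           # value under ...\CurrentVersion\Run
DATETIME2_VALUES = {"frun", "uid", "port"}  # under HKCU\Software\DateTime2
MUTEX_NAME = "imain_mutex"
KILL_DATE = date(2004, 3, 14)           # worm exits on or after this date

# Constructed sample snapshot of an infected host (not real telemetry).
SAMPLE_SNAPSHOT = {
    "system_dir_files": ["README.EXE", "onde.exe", "doc.exe",
                         "readme.exeopen", "kernel32.dll"],
    "run_values": {"gouday.exe": "C:\\WINNT\\SYSTEM32\\README.EXE"},
    "datetime2_values": ["frun", "uid", "port"],
    "mutexes": ["imain_mutex"],
}


def score_host(snapshot):
    """Return the list of Bagle.c indicators present in a host snapshot.

    Matching is case-insensitive because Windows file names and registry
    value names are case-insensitive. The result is sorted per category.
    """
    hits = []
    files = {f.lower() for f in snapshot.get("system_dir_files", [])}
    for name in sorted(SYSTEM_DIR_FILES & files):
        hits.append(f"file:{name}")
    run_values = {k.lower(): v for k, v in snapshot.get("run_values", {}).items()}
    target = run_values.get(RUN_VALUE_NAME)
    if target and target.lower().endswith("\\readme.exe"):
        hits.append(f"run:{RUN_VALUE_NAME}={target}")
    dt2 = {v.lower() for v in snapshot.get("datetime2_values", [])}
    for value in sorted(DATETIME2_VALUES & dt2):
        hits.append(f"reg:HKCU\\Software\\DateTime2\\{value}")
    if MUTEX_NAME in {m.lower() for m in snapshot.get("mutexes", [])}:
        hits.append(f"mutex:{MUTEX_NAME}")
    return hits


def would_propagate(year, month, day):
    """Model of the worm's own date check: it only spreads before KILL_DATE."""
    return date(year, month, day) < KILL_DATE


if __name__ == "__main__":
    for hit in score_host(SAMPLE_SNAPSHOT):
        print(hit)
```

A single matched indicator (for example a stray readme.exe) is weak on its own; the Run value pointing at README.EXE, the DateTime2 values and the mutex together are what make the match convincing.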
This worm attempts to terminate the processes of security programs with the following filenames: