W32/Bagle-B is a worm that spreads using email. W32/Bagle-B arrives in a message with the following characteristics:

Subject line: ID <random characters>... thank
Message text: Yours ID <random characters> -- Thank
Attached file: <random_file_name>.exe

The address of the sender is spoofed. When the attached infected file is run, W32/Bagle-B copies itself into the Windows system folder as au.exe and creates a new registry entry so that the worm file is run during Windows startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ au.exe = <windows system folder>\au.exe
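The message characteristics listed above can be turned into a mail-gateway check. The following is an added example, not code from the original description: it uses only the Python standard library, derives its regular expressions from the subject and body formats given above, and treats the .exe attachment as the third indicator. The sample messages are constructed inline; the sender address is deliberately not used as an indicator because the description says it is spoofed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Patterns derived from the message format in the description:
#   Subject: ID <random characters>... thank
#   Body:    Yours ID <random characters> -- Thank
SUBJECT_RE = re.compile(r"^ID\s+\S+\.\.\.\s+thank$", re.IGNORECASE)
BODY_RE = re.compile(r"^Yours ID\s+\S+\s+--\s+Thank", re.IGNORECASE | re.MULTILINE)


def bagle_b_indicators(raw: bytes) -> dict:
    """Return which of the three described indicators a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()

    # Prefer the text/plain part; the worm's message text is plain text.
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""

    # The sender is spoofed, so From: is not consulted; only the attachment name is.
    exe_attachments = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".exe")
    ]
    return {
        "subject": bool(SUBJECT_RE.match(subject)),
        "body": bool(BODY_RE.search(body_text)),
        "exe_attachment": bool(exe_attachments),
        "attachments": exe_attachments,
    }


def looks_like_bagle_b(raw: bytes) -> bool:
    """All three indicators together give a high-confidence match."""
    ind = bagle_b_indicators(raw)
    return ind["subject"] and ind["body"] and ind["exe_attachment"]


def build_sample(subject: str, body: str, attach_name: str,
                 attach_bytes: bytes = b"MZ\x90\x00") -> bytes:
    """Constructed sample message for testing the check offline (not a real capture)."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(attach_bytes, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("ID 5a7f3c... thank", "Yours ID 5a7f3c -- Thank", "xk9q2.exe")
    benign = build_sample("Meeting notes", "See attached", "notes.txt")
    print("worm-like:", bagle_b_indicators(worm_like))
    print("benign:   ", bagle_b_indicators(benign))
```

A gateway would normally quarantine on the full match and log partial matches (for example subject plus .exe attachment but a different body) for review, since the random ID makes exact-string matching useless and the three structural indicators are what remain stable.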
When the filename of the launched file is not au.exe, the worm attempts to launch the Windows sound recorder application sndrec32.exe.

W32/Bagle-B searches all fixed drives recursively for files with the extensions WAB, TXT, HTM and HTML. These files are used to extract the email addresses that are later used to fill in the sender and recipient fields of the email message.

W32/Bagle-B opens TCP port 8866 and listens for connections. The backdoor may be used for updating the worm. W32/Bagle-B will connect to the websites www.47df.de, www.strato.de and intern.games-ring.de and submit information about the listening port and the randomly generated infection ID.

W32/Bagle-B uses the registry key HKCU\Software\Windows2000 to store other data values (such as the randomly created ID). The registry values used are gid and frn.

The worm will stop spreading after 25 February 2004.