Sophos

W32/Bagle-G

Aliases
  • I-Worm.Bagle.f
  • Win32/Bagle.G
  • W32.Beagle.G@mm
  • WORM_BAGLE.G

Summary

Included in our products from April 2004 (3.80)
Protection available since 1 March 2004 04:33:47 (GMT)
Detected by All Sophos products

More Information

NOTE: W32/Bagle-G may send itself as a password protected ZIP file that is detected as W32/Bagle-Zip.

W32/Bagle-G is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk.

W32/Bagle-G also spreads via peer-to-peer shared folders.

The worm copies itself to the Windows system folder as I1RU54N4.EXE (the file referenced by the Run value below) and creates the following files in the same folder:

II5NJ4.EXE - a DLL plugin used to load GO54O.EXE
GO54O.EXE - the main DLL component of the worm
I1RU54N4.EXEOPEN - an exact copy of the worm, or a copy of the worm in ZIP format (the ZIP may be password protected)

II5NJ4.EXE is detected by Sophos as W32/Bagle-F.

W32/Bagle-G adds the value:

rate.exe = <SYSTEM>\i1ru54n4.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-G runs every time you log on to your computer.

W32/Bagle-G also creates the following registry entry:

HKCU\Software\winword\frun=1

Emails have the following characteristics:

Subject lines:

Hokki =)
Weah, hello! :-)
Weeeeee! :)))
Hi! :-)
My Name is Frenk
groom
Fotograf
Photoalbum
My photoalbum
Myphotos
My photos
My beautiful person
beautiful
Wau... beautiful (-:
Gallery photos
caroline
Katrina
kleopatra
Caitie
Mary-Anne
Lisa
Bad girl
Julie
Aline
Anna
Barbi
Katrina
Juli
Mary
Mandy
Sara
rebecca
Jammie
kate
Audra
stacy
Rena
Kelley
Tammy
ello! =))
Hey, ya! =))
^_^ meay-meay!
^_^ meay-meay!
^_^ mew-mew (-:
Hey, dude, it's me ^_^ :P

Message texts:

Argh, i don't like the plaintext :)
Fell free to chat with me I accept all ages. Don't worry I don't bite........
hope to hear from you soon!

If you are going to make me cry, at least be there to wipe away the tears
*Right now the worst thing for you to tell me that I can find someone better
thanyou, especially when you are all I want

You don't know what you've got till it's gone *You hurt me more than I
deserve, how can you be so cruel? I love you more thanyou deserve, how can
I be such a fool?

I sit with elders of a gentle race, whose world is seldom seen.Who sit and
talk of days for which they wait, when all will be revealed. These are song
lyrics.

I'm a social butterfly and a natural flirt. Very hard to get my complete
attention. Very open and will answer almost anything. But please don't piss
me off.I can be sweet and cuddly or a whatever mood I am in that day so
everyday

Love the outdoors, literature, writing, and athletics

When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away
All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This
Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The
Memories Of Our Life Together

I enjoy clean conversations but am open to conversing with women and men
with little ones as well. I am very open-minded. All authorization requests
will be denied if I don't receive messages and get to know you first.

I love camping, dirt track racing, going for walks, and I have 2 cats -
HotRod and Deebo (named from the movie 'Friday' and he lives up to it!).Life
is ever changing, never always easy...

i love to chat to just about anyone!!

If I'm online, it problably means I'm pretty bored....so feel free to message
me and say hi or whatever else comes to mind at the moment.

Hey people whats goin on? If there is anything you want to know about me ask
me... I am pretty easygoing I won't bite....not at first anywayz hahaa.....
one thing I will say on here tho I am not into the Cyber thing so don't even
ask.....Ciao...

Hi! My name is Shreya and I am a goof off!!! So,If you love the outdoors,
travelling, books, music, movies, laffing, teasingand/or can poke fun at
yourself... please come a hollerin'!!

I love to dance, read poetry, make people laugh, and hug as many people a
day as i can.

Single Mom of 3,Full time college student, Graduate in December with an
Associates of Applied Science in Computer Information Systems Love the
internet.

My hobbies include crochet, sewing, painting lead figures and playing AD&D.
Favorite activities include fishing and camping. I love cats, unicorns(go
figure), and fantasy in general.

I like to be in a company of smart, delicate, and with a good sense of
humor people. I am Bulgarian, currently getting my Master's in International
Business in USA. Favorite actor: Michael Dudikoff

i'm tall and skiny I'm studying in Pharm. D program in FL. i like music,
movie, dancing, sports, SCUBA diving, traveling and make a lot friends.

Nice friends, nice men, nice sex and feeling great. I don't mind the odd
bout of cybersex as I love to use my imagination when I masterbate.

Hey, guys! by the way, I have no problems with my sexual life, soit's
absolutly useless try to have icq sex or things like that. Thanks

I'm an open minded person and enjoy chatting w/ other people.I'm free and
willing to chat about anything.So feel free to Imed me if you wanna chat.

I love meeting new people and making new friends. I am a Mary Kay Beauty
Consultant. I am married to a wonderful man. We have no children, exept for
a minature schnauzer that thinks he is a child. Looking forward to meeting
you.

I am from Taiwan but I study in Camden, New Jersey now. I like to know people
from different places .

I'm married and I stay at home. And I don't do cyber sex so leave me the fuck
alone

Looking forward for a response :P

Note: if the attached file is a password-protected ZIP, the message text can end
with one of the following lines, which give the recipient the password needed to
open the archive (and so run the worm):

archive password: <number>
password: <number>
pass: <number>
password for archive: <number>

Attached file name (with extension EXE, SCR or ZIP), one of:

Picture, caroline, Katrina, kleopatra, Caitie, Mary-Anne, Lisa, Bad girl,
Julie, Aline, Anna, Barbi, Katrina, Juli, Mary, Mandy, Sara, rebecca, Jammie,
kate, Audra, stacy, Rena, Kelley, Tammy, myfotos, Gallery, It_I, Photoalbum,
Photomontage
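A mail-gateway rule built from the characteristics listed above. This is an added example, not Sophos code and not part of the worm: it parses a raw message, checks the subject and the attachment name against the lists, and looks for the trailing password line that accompanies the password-protected ZIP variant, because a gateway scanner cannot open that archive and has to fall back on the surrounding text. The two messages are constructed for the demonstration, and the pass/review/block verdicts are this example's own choice; a subject such as "Lisa" or "Anna" on its own is far too common to block on.

```python
"""Gateway classifier for W32/Bagle-G mail (added example, not Sophos code)."""
import os
import re
from email import message_from_string


def _names(block):
    """Turn a '|'-separated indicator block into a lower-cased set."""
    return {s.strip().lower() for s in block.strip().split("|")}


# Subject lines and attachment stems transcribed from the description above.
SUBJECTS = _names("""
Hokki =)|Weah, hello! :-)|Weeeeee! :)))|Hi! :-)|My Name is Frenk|groom|Fotograf|
Photoalbum|My photoalbum|Myphotos|My photos|My beautiful person|beautiful|
Wau... beautiful (-:|Gallery photos|caroline|Katrina|kleopatra|Caitie|Mary-Anne|
Lisa|Bad girl|Julie|Aline|Anna|Barbi|Juli|Mary|Mandy|Sara|rebecca|Jammie|kate|
Audra|stacy|Rena|Kelley|Tammy|ello! =))|Hey, ya! =))|^_^ meay-meay!|
^_^ mew-mew (-:|Hey, dude, it's me ^_^ :P""")
ATTACHMENT_STEMS = _names("""
Picture|caroline|Katrina|kleopatra|Caitie|Mary-Anne|Lisa|Bad girl|Julie|Aline|
Anna|Barbi|Juli|Mary|Mandy|Sara|rebecca|Jammie|kate|Audra|stacy|Rena|Kelley|
Tammy|myfotos|Gallery|It_I|Photoalbum|Photomontage""")
ATTACHMENT_EXTS = {".exe", ".scr", ".zip"}
# The line that carries the archive password in the password-protected ZIP variant.
PASSWORD_LINE = re.compile(
    r"^(archive password|password|pass|password for archive):\s*\d+\s*$",
    re.IGNORECASE | re.MULTILINE)


def classify(raw_message):
    """Return the Bagle-G indicators a raw RFC 822 message matches, plus a verdict."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    hits = {"subject": subject in SUBJECTS, "attachment": False,
            "zip": False, "password_line": False}
    body = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            stem, ext = os.path.splitext(filename)
            if stem.lower() in ATTACHMENT_STEMS and ext.lower() in ATTACHMENT_EXTS:
                hits["attachment"] = True
                hits["zip"] = hits["zip"] or ext.lower() == ".zip"
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body.append(payload.decode(part.get_content_charset() or "us-ascii", "replace"))
    hits["password_line"] = bool(PASSWORD_LINE.search("\n".join(body)))
    # A known attachment name plus either a known subject or the password line is
    # enough to block; a single weak indicator only earns a manual review.
    if hits["attachment"] and (hits["subject"] or hits["password_line"]):
        hits["verdict"] = "block"
    elif hits["subject"] or hits["attachment"] or hits["password_line"]:
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "pass"
    return hits


# Constructed sample messages (not real captures): one Bagle-G-style message with
# a password-protected ZIP, and one benign message that only shares a subject.
SAMPLE_BAGLE = """\
From: anna@example.invalid
To: victim@example.invalid
Subject: Bad girl
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Looking forward for a response :P
password: 13572
--b1
Content-Type: application/zip; name="Bad girl.zip"
Content-Disposition: attachment; filename="Bad girl.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""
SAMPLE_BENIGN = """\
From: lisa@example.invalid
To: victim@example.invalid
Subject: Lisa
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Minutes from Monday attached.
--b2
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for name, raw in (("bagle", SAMPLE_BAGLE), ("benign", SAMPLE_BENIGN)):
        print(name, classify(raw))
```

Run it as a script to see the two verdicts, or import classify() into a gateway milter; the lists are sets, so the check stays cheap at mail volume.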

W32/Bagle-G copies itself to every folder whose name contains the text 'shar',
which catches peer-to-peer shared folders as well as, for example,
C:\Program files\Common files\Microsoft shared, using the following filenames:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe

W32/Bagle-G opens a backdoor on TCP port 2745 and listens for connections. If it receives the appropriate command it attempts to download and execute a file, which gives whoever reaches the port arbitrary code execution on the infected computer. The worm also makes a web connection to a remote URL, reporting the address and open port of the infected computer, so an infected machine should be assumed to have been advertised to the worm's operator.

W32/Bagle-G terminates processes with the following names (mostly the update components of anti-virus and personal-firewall products, which stops them from fetching the detection updates that would identify the worm):

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

If the date is after 25 March 2005, W32/Bagle-G terminates itself and deletes all the registry entries it created when it first ran. On an infected computer whose clock has passed that date, the Run value and the winword\frun marker may therefore already have been removed by the worm itself; the description does not say that the dropped files are removed, so the files listed above are the more durable indicator.
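Host-side triage for the artefacts described on this page: the Run value, the winword\frun marker, the files dropped into the system folder, the copies placed in shared folders, and the TCP 2745 listener. This is an added example, not Sophos code. The matching functions take a snapshot dictionary so the logic can be exercised offline on the constructed data below; collect_snapshot() gathers the real values on Windows. Its assumptions are this example's own: the system folder is %SystemRoot%\System32, shared-folder copies are searched for under %ProgramFiles% only (a peer-to-peer client's share folder elsewhere would have to be added), and only the current user's HKCU is read, so on a multi-user machine the other profiles' hives under HKEY_USERS need to be checked as well.

```python
"""Triage a Windows host for W32/Bagle-G artefacts (added example, not Sophos code)."""
import ntpath
import os
import re
import subprocess
import sys

# Indicators transcribed from the description above.
DROPPED_FILES = {"i1ru54n4.exe", "ii5nj4.exe", "go54o.exe", "i1ru54n4.exeopen"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "rate.exe"
RUN_DATA = re.compile(r"\\i1ru54n4\.exe\s*$", re.IGNORECASE)
MARKER_KEY = r"Software\winword"          # value frun = 1
BACKDOOR_PORT = 2745
SHARE_DROP_NAMES = {s.strip().lower() for s in """
Microsoft Office 2003 Crack, Working!.exe|Microsoft Office XP working Crack, Keygen.exe|
Microsoft Windows XP, WinXP Crack, working Keygen.exe|Porno Screensaver.scr|
Porno, sex, oral, anal cool, awesome!!.exe|Porno pics arhive, xxx.exe|Serials.txt.exe|
Windown Longhorn Beta Leak.exe|Windows Sourcecode update.doc.exe|XXX hardcore images.exe|
Opera 8 New!.exe|WinAmp 5 Pro Keygen Crack Update.exe|WinAmp 6 New!.exe|
Matrix 3 Revolution English Subtitles.exe|Adobe Photoshop 9 full.exe|Ahead Nero 7.exe|ACDSee 9.exe
""".strip().split("|")}


def parse_netstat(text):
    """Yield (port, state, pid) for the TCP lines of Windows `netstat -ano` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0].upper() == "TCP":
            port = int(fields[1].rsplit(":", 1)[1])
            yield port, fields[3].upper(), fields[4]


def triage(snapshot):
    """Return one finding string per Bagle-G indicator present in the snapshot."""
    findings = []
    run = {name.lower(): data for name, data in snapshot.get("run_values", {}).items()}
    data = run.get(RUN_VALUE)
    if data and RUN_DATA.search(data):
        findings.append(f"HKCU Run value {RUN_VALUE} -> {data}")
    if snapshot.get("frun") == 1:
        findings.append(r"infection marker HKCU\Software\winword\frun = 1")
    present = DROPPED_FILES & {f.lower() for f in snapshot.get("system_files", [])}
    findings += [f"dropped file in system folder: {name}" for name in sorted(present)]
    for path in snapshot.get("share_files", []):
        if ntpath.basename(path).lower() in SHARE_DROP_NAMES:
            findings.append(f"worm copy in shared folder: {path}")
    for port, state, pid in parse_netstat(snapshot.get("netstat", "")):
        if port == BACKDOOR_PORT and state == "LISTENING":
            findings.append(f"backdoor listener on TCP {port} (pid {pid})")
    return findings


def collect_snapshot():
    """Gather a live snapshot on Windows (current user's HKCU; assumes System32)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection runs on Windows only")
    import winreg
    run, frun, i = {}, None, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            run[name] = str(data)
            i += 1
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_KEY) as key:
            frun = winreg.QueryValueEx(key, "frun")[0]
    except OSError:                  # marker key absent
        pass
    share_files = []
    for root, _dirs, files in os.walk(os.environ.get("ProgramFiles", r"C:\Program Files")):
        if "shar" in root.lower():
            share_files += [os.path.join(root, f) for f in files]
    netstat = subprocess.run(["netstat", "-ano", "-p", "TCP"],
                             capture_output=True, text=True).stdout
    return {"run_values": run, "frun": frun, "share_files": share_files,
            "system_files": os.listdir(os.path.join(os.environ["SystemRoot"], "System32")),
            "netstat": netstat}


# Constructed snapshot of an infected host, for the offline demonstration.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.10:1044        198.51.100.7:25        ESTABLISHED     1532
"""
SAMPLE_SNAPSHOT = {
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                   "rate.exe": r"C:\WINDOWS\system32\i1ru54n4.exe"},
    "frun": 1,
    "system_files": ["kernel32.dll", "I1RU54N4.EXE", "II5NJ4.EXE", "GO54O.EXE"],
    "share_files": [r"C:\Program Files\Common Files\Microsoft Shared\Serials.txt.exe",
                    r"C:\Program Files\Common Files\Microsoft Shared\msinfo.dll"],
    "netstat": SAMPLE_NETSTAT,
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for finding in triage(snap):
        print(finding)
```

The listener check is the one indicator that survives the worm's own clean-up after the kill date only while the process is running, so the file check is the one to rely on when the registry entries are already gone.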
