W32/Bagle-E

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Many Reports


W32/Bagle-E is an email worm which sends itself via its own SMTP engine to
addresses harvested from your hard disk.

When run, the worm opens NOTEPAD.EXE, copies itself to the Windows system
folder as I1RU74N4.EXE and creates the following files in the same folder:

II455NJ4.EXE - a DLL plugin used to load GODO.EXE
GODO.EXE - the main DLL component of the worm
I1RU74N4.EXEOPEN - a copy of the worm in ZIP format

W32/Bagle-E adds the value:

rate.exe = <SYSTEM>\i1ru74n4.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-E runs every time you log on to your computer.

W32/Bagle-E also creates the following registry entry:

HKCU\Software\DateTime4\frun=1
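The two registry artefacts above (the Run value and the DateTime4\frun marker) are the quickest host-side check for this worm. The script below is an added triage example, not Sophos's own tooling: it assumes the affected user's HKCU hive has been exported to a .reg text file (for instance with the reg export command) and scans that export for the indicators named on this page. The sample exports embedded in it are constructed.

```python
"""Triage helper: find the W32/Bagle-E registry indicators in a .reg export.

Added example. Assumes a .reg text export of HKCU (e.g. from `reg export`);
the key paths and value names below are the ones listed in the description.
"""
import re

# Keys from the description, spelled the way .reg exports write the hive
# name and lower-cased for comparison.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\datetime4"
WORM_BINARY = "i1ru74n4.exe"

_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo the \\" and \\\\ escaping used inside quoted .reg strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse a .reg file into {key_path: {value_name: data}}, all lower-cased.

    Only quoted strings and dword values are decoded; other types (hex blobs)
    are kept as written, and default values (@=...) are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][_unescape(m.group("name")).lower()] = value
    return keys


def find_bagle_e_indicators(reg_text: str) -> list:
    """Return a human-readable finding per Bagle-E registry indicator present."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Match either the value name the worm uses or any Run entry that
        # points at the dropped binary, whatever it was renamed to.
        points_at_worm = isinstance(data, str) and data.lower().endswith("\\" + WORM_BINARY)
        if name == "rate.exe" or points_at_worm:
            findings.append(f"Run value {name} = {data}")
    marker = keys.get(MARKER_KEY)
    if marker is not None and "frun" in marker:
        findings.append(f"Marker value {MARKER_KEY}\\frun = {marker['frun']}")
    return findings


# Constructed sample exports (not real captures); the "Updater" entry stands
# in for an ordinary, benign Run value.
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"rate.exe"="C:\\WINDOWS\\system32\\i1ru74n4.exe"

[HKEY_CURRENT_USER\Software\DateTime4]
"frun"=dword:00000001
"""

SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"""

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, find_bagle_e_indicators(sample) or "no indicators")
```

Matching on the dropped file name as well as on the `rate.exe` value name keeps the check useful if a variant changes one but not the other; the DateTime4 marker is reported separately because it survives even if the Run value was already cleaned up.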

Emails have the following characteristics:

Subject lines:

Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ello!
Ahtung!
The employee

There is no message text.

Attached file: a randomly named ZIP archive
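Taken together, the three message traits above (a subject from the list, no body text, and a ZIP as the only attachment) make a usable mail-gateway rule, while any one of them alone is common in legitimate mail. The script below is an added example, not part of this description or of any Sophos product: it parses raw RFC 822 messages with Python's standard email library and flags a message only when all three traits are present. The sample messages it builds are constructed.

```python
"""Mail-gateway heuristic for the W32/Bagle-E message characteristics.

Added example. Assumes messages are available as raw RFC 822 bytes; the
subject list is copied from the description above.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines from the description, compared case-insensitively.
BAGLE_E_SUBJECTS = frozenset(s.lower() for s in (
    "Price", "New Price-list", "Hardware devices price-list",
    "Weekly activity report", "Daily activity report", "Maria", "Jenny",
    "Jessica", "Registration confirmation",
    "USA government abolishes the capital punishment", "Freedom for everyone",
    "Flayers among us", "From Hair-cutter", "Melissa", "Camila", "Price-list",
    "Pricelist", "Price list", "Hello my friend", "Hi!", "Well...",
    "Greet the day", "The account", "Looking for the report",
    "You really love me? he he", "You are dismissed", "Accounts department",
    "From me", "Monthly incomings summary", "The summary",
    "Proclivity to servitude", "Ello!", "Ahtung!", "The employee",
))


def analyse_message(raw: bytes) -> dict:
    """Report which Bagle-E traits a message shows; flag it only on all three."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", "")).strip()
    body_text = []
    zip_attachments, other_attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        filename = part.get_filename()
        if filename:
            # The worm's archive is randomly named, so only the extension is usable.
            target = zip_attachments if filename.lower().endswith(".zip") else other_attachments
            target.append(filename)
        elif part.get_content_type() == "text/plain":
            body_text.append(part.get_content())
    reasons = []
    if subject.lower() in BAGLE_E_SUBJECTS:
        reasons.append("subject matches Bagle-E list")
    if not "".join(body_text).strip():
        reasons.append("empty message body")
    if zip_attachments and not other_attachments:
        reasons.append("ZIP archive is the only attachment")
    return {"subject": subject, "suspicious": len(reasons) == 3, "reasons": reasons}


def build_sample(subject, body, filename=None, maintype="application", subtype="zip") -> bytes:
    """Build a constructed test message (not a real capture) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        # Placeholder bytes, not a real archive; only the filename matters here.
        msg.add_attachment(b"constructed placeholder attachment",
                           maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in (build_sample("Price", "", "q7x2kd.zip"),
                   build_sample("Price", "Hi, the new list is attached.", "list.zip"),
                   build_sample("Jenny", "", "photo.jpg", "image", "jpeg")):
        print(analyse_message(sample))
```

Requiring all three traits keeps the false-positive rate low on a gateway that sees plenty of one-word subjects and ZIP attachments; the `reasons` list is returned either way so partial matches can still be logged for hunting.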

W32/Bagle-E opens up a backdoor on port 2745 and listens for connections.
If it receives the appropriate command it attempts to download and execute
a file. W32/Bagle-E also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.

The worm terminates processes with the following names:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

If the date is after 25 March 2004, W32/Bagle-E terminates itself and deletes
all the registry entries it created when it first ran.