W32/Bagle.C@mm

• Subject: (variable)
• Body: (none)
• Attachment: [random letters].zip

When run this worm will copy itself to the Windows System directory using the file name [SYSTEM] eadme.exe. It will also extract and install two other files:

[SYSTEM]onde.exe
[SYSTEM]doc.exe

These are additional components of the worm.

ONDE.EXE (18944 bytes) contains the main worm functionality, as well as a backdoor.
DOC.EXE (1536 bytes) is a program that loads ONDE.EXE as a DLL.
ONDE.EXE installs a Mutex called imain_mutex to avoid being loaded twice.

Registry keys created by the worm:

HKCUSOFTWAREDateTime2 port = [listen port]
HKCUSOFTWAREDateTime2 frun = 1
HKCUSOFTWAREDateTime2 uid = [random no.] HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunGouday.exe = [SYSTEM] eadme.exe

The worm contains its own SMTP engine and will send itself to addresses found on the local computer. These addresses are picked from files of type .wab, .txt, .htm, .htm, .dbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .adb and.sht.

Mails subjects are composed from the following:

Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee

Attachment is a zip file with a random letter file name.

When the worm has installed itself, it will open a Notepad window and exit.