W32/Bagle.E@mm

• Subject: (variable)
• Body: (variable)
• Attachment: (variable)

When run this worm will copy itself to the Windows System directory using the file name

[SYSTEM]i1ru74n4.exe.

It will also extract and install two other files:
[SYSTEM]godo.exe
[SYSTEM]ii455nj4.exe

These are additional components of the worm. GODO.EXE (18944 bytes) contains the main worm functionality, as well as a backdoor.

II455NJ4.EXE (1536 bytes) is a program that loads GODO.EXE as a DLL.

GODO.EXE installs a Mutex called imain_mutex to avoid being loaded twice.

Registry keys created by the worm:

HKCUSOFTWAREDateTime4 port = [listen port]
HKCUSOFTWAREDateTime4 frun = 1

HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunrate.exe = [SYSTEM]i1ru74n4.exe

The worm contains its own SMTP engine and will send itself to addresses found on the local computer. These addresses are picked from files of type .wab,.txt,.htm,.html,.dbx,.mdx,.eml,.nch,.mmf,.ods,.cfg,.asp,.php,.pl,.adb and.sht.

Note: Mails may have fake FROM: addresses. "You have sent a virus" warnings from mail scanners are usually not correct.

Mails subjects are composed from the following:

Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ello!
Ahtung!
The employee

Possible mail bodies:

Subj
Request
Empty
Response
Everything inside the attach
Look it through
Cya

Attachment

Attachment is a zip file with a random letter file name.

When the worm has installed itself, it will open a Notepad window and exit.