
Bagle.C worm
Virus Description

By Mary Landesman, About.com

Mar 2 2004
A new variant of the Bagle worm was discovered on February 27, 2004. Bagle.C is a mass-mailing email worm with remote access capabilities. Bagle.C uses its own SMTP engine to send itself, thus copies of the sent emails will not appear in the infected user's Sent Items folder.

Bagle.C harvests email addresses from a range of file types searched on the infected system. The worm harvests email addresses found in .ADB, .ASP, .CFG, .DBX, .EML, .HTM, .HTML, .MDX, .MMF, .NCH, .ODS, .PHP, .PL, .SHT, .TXT, and .WAB files.

Bagle.C avoids sending itself to certain domains or addresses: @avp., @hotmail.com, @microsoft, @msn.com, local, noreply, postmaster@, and root@.

Bagle.C opens TCP port 2745 on the infected system and sends notification to the worm's author.

Bagle.C attempts to shut down processes related to antivirus and security software found running on infected systems.

The Subject may be any of the following:

    Price
    New Price-list
    Hardware devices price-list
    Weekly activity report
    Daily activity report
    Maria
    Jenny
    Jessica
    Registration confirmation
    USA government abolishes the capital punishment
    Freedom for everyone
    Flayers among us
    From Hair-cutter
    Melissa
    Camila
    Price-list
    Pricelist
    Price list
    Hello my friend
    Hi!
    Well...
    Greet the day
    The account
    Looking for the report
    You really love me? he he
    You are dismissed
    Accounts department
    From me
    Monthly incomings summary
    The summary
    Proclivity to servitude
    Ahtung!
    The employee

The message body is left blank.

The attachment may be a randomly named binary executable contained within a ZIP file which is 15994 bytes in size. The Bagle.C attachment may use a Microsoft Excel icon in an effort to disguise itself.

When opened, the virus copies itself to the Windows\System directory as README.EXE and adds itself to the system registry to load when Windows is started:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "gouday.exe"= C:\Windows\System\README.EXE

Bagle.C also drops the following files to the infected system: onde.exe, doc.exe, and readme.exeopen.

Depending on the operating system, by default the Windows\System directory will be either C:\Windows\System or C:\WinNT\System32.

Bagle.C also adds the following registry keys:

HKEY_CURRENT_USER\Software\DateTime2 "frun"
HKEY_CURRENT_USER\Software\DateTime2 "uid"
HKEY_CURRENT_USER\Software\DateTime2 "port"
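As an added example (not from the original article), the host indicators above, the Run value, the DateTime2 values, the dropped files in either system directory, and TCP port 2745, collected into a single Python matcher. The `HostSnapshot` structure and the two sample snapshots are constructed here so the check runs offline; on a real Windows host the same fields would be filled from the registry, the file system and the listening-socket table. Only the paths, value names and port come from the description above.

```python
from dataclasses import dataclass, field

# Locations named in the description above (from the page).
SYSTEM_DIRS = (r"C:\Windows\System", r"C:\WinNT\System32")
DROPPED_FILES = ("readme.exe", "onde.exe", "doc.exe", "readme.exeopen")
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "gouday.exe"
DATETIME2_KEY = r"HKEY_CURRENT_USER\Software\DateTime2"
DATETIME2_VALUES = ("frun", "uid", "port")
BACKDOOR_PORT = 2745


@dataclass
class HostSnapshot:
    """Inventory a collector would gather; constructed by hand for this example."""
    registry: dict = field(default_factory=dict)   # key path -> {value name -> data}
    files: set = field(default_factory=set)        # full paths present on disk
    listening_tcp: set = field(default_factory=set)


def _norm(path: str) -> str:
    """Windows paths and registry keys compare case-insensitively."""
    return path.lower().rstrip("\\")


def bagle_c_host_indicators(snap: HostSnapshot) -> list:
    """Return a list of human-readable indicator matches (empty list means no match)."""
    hits = []
    reg = {_norm(k): {vn.lower(): str(vd) for vn, vd in v.items()}
           for k, v in snap.registry.items()}
    files = {_norm(p) for p in snap.files}

    # Persistence: Run value "gouday.exe" pointing at README.EXE.
    data = reg.get(_norm(RUN_KEY), {}).get(RUN_VALUE.lower())
    if data is not None and data.lower().endswith("readme.exe"):
        hits.append(f"Run value {RUN_VALUE} -> {data}")

    # Marker key: HKCU\Software\DateTime2 with frun / uid / port.
    dt2 = reg.get(_norm(DATETIME2_KEY), {})
    present = [v for v in DATETIME2_VALUES if v in dt2]
    if present:
        hits.append(f"{DATETIME2_KEY} values: {', '.join(present)}")

    # Dropped files in whichever system directory the OS uses.
    for directory in SYSTEM_DIRS:
        for name in DROPPED_FILES:
            if _norm(directory + "\\" + name) in files:
                hits.append(f"file {directory}\\{name}")

    # Remote-access listener.
    if BACKDOOR_PORT in snap.listening_tcp:
        hits.append(f"TCP {BACKDOOR_PORT} listening")
    return hits


def infected_sample() -> HostSnapshot:
    """Constructed snapshot reproducing the artifacts listed in the description."""
    return HostSnapshot(
        registry={
            RUN_KEY: {"gouday.exe": r"C:\Windows\System\README.EXE"},
            DATETIME2_KEY: {"frun": "1", "uid": "constructed", "port": "2745"},
        },
        files={r"C:\Windows\System\README.EXE", r"C:\Windows\System\onde.exe"},
        listening_tcp={135, 445, 2745},
    )


def clean_sample() -> HostSnapshot:
    """Constructed snapshot of a host without the artifacts."""
    return HostSnapshot(
        registry={RUN_KEY: {"ctfmon.exe": r"C:\Windows\System32\ctfmon.exe"}},
        files={r"C:\Windows\System\notepad.exe"},
        listening_tcp={135, 445},
    )


if __name__ == "__main__":
    for line in bagle_c_host_indicators(infected_sample()):
        print(line)
    print("clean host:", bagle_c_host_indicators(clean_sample()))
```

Matching on the combination matters: a stray `readme.exe` or an unrelated service on port 2745 alone is weak evidence, while the Run value together with the DateTime2 key is specific to this variant.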

Bagle.C follows on the heels of the Bagle.B worm, which was programmed to stop spreading on February 25, 2004. The Bagle.C worm is programmed to stop spreading on March 14, 2004.
