Bagle.C
Threat LevelDamageDistribution

Effects 

Bagle.C carries out the following actions:

• It creates a backdoor that opens the TCP port 2745.
• It attempts to connect to several web pages that host a PHP script:
  http://permail.uni-muenster.de/scr.php
  http://www.songtext.net/de/scr.php
  http://www.sportscheck.de/scr.php
  
  By doing this, Bagle.C notifies its author that the affected computer can be accessed through the opened port.
• It ends the processes belonging to several antivirus update applications:
  ATUPDATER.EXE
  ATUPDATER.EXE
  AUPDATE.EXE
  AUTODOWN.EXE
  AUTOTRACE.EXE
  AUTOUPDATE.EXE
  AVLTMAIN.EXE
  AVPUPD.EXE
  AVWUPD32.EXE
  AVXQUAR.EXE
  CFIAUDIT.EXE
  DRWEBUPW.EXE
  ICSSUPPNT.EXE
  ICSUPP95.EXE
  LUALL.EXE
  MCUPDATE.EXE
  NUPGRADE.EXE
  NUPGRADE.EXE
  OUTPOST.EXE
  UPDATE.EXE
• This worm only runs if the system date is March 14, 2004 or previous. After this date, Bagle.C stops functioning.
• It opens Notepad the first time it is run.

Infection strategy 

Bagle.C creates the following files in the Windows system directory:

• README.EXE. This file is a copy of the worm.
• DOC.EXE and ONDE.EXE. These files are support libraries.
• README.EXEOPEN. This file contains the worm, compressed in a ZIP format, and will be sent via e-mail.

Bagle.C creates the following entries in the Windows Registry:

• HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
  gouday.exe = %sysdir%\ readme.exe
  where %sysdir% is the Windows system directory.
  By creating this entry, Bagle.C ensures that it is run whenever Windows is started.
• HKEY_CURRENT_USER\ SOFTWARE\ DateTime2
  uid = %random%
  where %random% is a random value.
• HKEY_CURRENT_USER\ SOFTWARE\ DateTime2
  port = 2745
• HKEY_CURRENT_USER\ Software\ DateTime2
  frn = 1
  This entry indicates that Bagle.C has already been run for the first time.

Means of transmission 

Bagle.C spreads via e-mail. It follows the routine below:

• It reaches the computer in an e-mail message that has the following characteristics:
  
  Sender:
  Bagle.C spoofs the e-mail address from which it is sent. This may cause confusion. For further information, click here.
  
  Subject: one of the following:
  Accounts department
  Ahtung!
  Camila
  Daily activity report
  Flayers among us
  Freedom for everyone
  From Hair-cutter
  From me
  Greet the day
  Hardware devices price-list
  Hello my friend
  Hi!
  Jenny
  Jessica
  Looking for the report
  Maria
  Melissa
  Monthly incomings summary
  New Price-list
  Price
  Price list
  Pricelist
  Price-list
  Proclivity to servitude
  Registration confirmation
  The account
  The employee
  The summary
  USA government abolishes the capital punishment
  Weekly activity report
  Well...
  You are dismissed
  You really love me? he he
  
  Message: the message is empty.
  
  Attachments:
  The file name is variable and consists of several random characters, but always has a ZIP extension. It has the same icon as an Excel spreadsheet.
• When the attached file is run, the computer is affected.
• Bagle.C searches for e-mail addresses in files that have the following extensions: ADB, ASP, CFG, DBX, EML, HTM, HTML, MDX, MMF, NCH, ODS, PHP, PL, SHT, TXT and WAB.
• It sends itself out to all the addresses it has gathered using its own SMTP engine, excepting those which belong to the mail domains @hotmail.com, @msn.com, @microsoft and @avp, or contain one of the following text strings: local, noreply, postmaster@, root@.
• Bagle.C makes MX queries in order to obtain the IP addresses of the domains where it attempts to send itself via e-mail.

Further Details  

Bagle.C is written in the programming language Visual C. This worm is 15,872 bytes in size.

Bagle.C attempts to locate the window called Shell_TrayWnd and the mutex imain_mutex. It also looks for processes whose executable file is DOC.EXE.

When it is run, it checks its command line parameters, which allow it to update or delete itself.