

W32/Bagle-C

Feb 27, 2004 9:33AM PST


W32.Beagle.C@mm
Feb 27, 2004 10:18AM PST

Discovered on: February 27, 2004
Last Updated on: February 27, 2004 06:02:29 PM

When W32.Beagle.C@mm is executed, it performs the following actions:


Checks the computer date, and if it is after March 14th, 2004, the worm will exit.


If the worm is not executed from %System%\readme.exe, it will launch notepad.exe, which is the Notepad text editor.


--------------------------------------------------------------------------------
Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
--------------------------------------------------------------------------------


Copies itself as %System%\readme.exe.


Creates the following files:

%System%\onde.exe (18,944 bytes)
%System%\doc.exe (1,536 bytes)
%System%\readme.exeopen (15,994 bytes)


Adds the value:

"gouday.exe"="%System%\readme.exe"

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that W32.Beagle.C@mm runs when you start Windows.

More: http://www.symantec.com/avcenter/venc/data/w32.beagle.c@mm.html
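An added example, not part of the original post or the vendor write-up: one way to match the indicators listed above (the dropped files with their sizes and the `gouday.exe` Run value) against triage data collected from a host. The function name, the input layout and the sample data are assumptions constructed for illustration.

```python
import ntpath

# %System% defaults named in the note in the post above.
SYSTEM_DIRS = (r"C:\Windows\System", r"C:\Winnt\System32", r"C:\Windows\System32")
# Dropped files and sizes from the post; no size is given for readme.exe.
DROPPED = {"readme.exe": None, "onde.exe": 18944,
           "doc.exe": 1536, "readme.exeopen": 15994}
RUN_VALUE = "gouday.exe"  # value name under HKCU\...\CurrentVersion\Run

# Constructed triage data (not from a real host): file listing and Run-key export.
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\ONDE.EXE": 18944,
    r"C:\WINDOWS\system32\doc.exe": 4096,
    r"C:\WINDOWS\system32\readme.exeopen": 15994,
    r"C:\Users\alice\Desktop\readme.exe": 15872,
    r"C:\WINDOWS\system32\notepad.exe": 69120,
}
SAMPLE_RUN = {"Gouday.exe": r"C:\WINDOWS\system32\readme.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}


def _norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


_SYSTEM = {_norm(d) for d in SYSTEM_DIRS}


def match_indicators(files, run_values):
    """files: {path: size in bytes}; run_values: {value name: data} from the
    HKCU Run key. Returns a sorted list of (indicator, location, strength)."""
    hits = []
    for path, size in files.items():
        folder, name = ntpath.split(_norm(path))
        if folder in _SYSTEM and name in DROPPED:
            strength = "name+size" if DROPPED[name] == size else "name-only"
            hits.append(("file", _norm(path), strength))
    for name, data in run_values.items():
        if name.lower() != RUN_VALUE:  # registry value names are case-insensitive
            continue
        # %System% is the write-up's placeholder, expanded here to one default.
        target = _norm(data.replace("%System%", SYSTEM_DIRS[2]))
        folder, base = ntpath.split(target)
        strong = folder in _SYSTEM and base == "readme.exe"
        hits.append(("run-key", name, "name+data" if strong else "name-only"))
    return sorted(hits)

if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_FILES, SAMPLE_RUN):
        print(hit)
```

A `name-only` file hit means the name and folder match but the size does not (or, for `readme.exe`, that the post gives no size to compare), so it needs a closer look before being treated as the worm.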

Re:W32/Bagle-C
Feb 27, 2004 3:05PM PST

I wonder why it opens Notepad?

Some vendors say it opens it when the worm first runs, others say it only opens if the worm DOESN'T run.

Re:W32/Bagle-C
Feb 28, 2004 1:34AM PST

Does this make sense:

When executed, this worm drops the following files in the Windows system folder:

README.EXE - worm copy
ONDE.EXE - DLL mailing component
DOC.EXE - DLL loader component
README.EXEOPEN - contains the randomly-named zipped copy of README.EXE that is used as the worm email attachment
Note that if this worm is executed as a file with a name and location other than README.EXE in the Windows system folder, it opens a blank Notepad (NOTEPAD.EXE) window.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.C

Re:Re:W32/Bagle-C
Feb 28, 2004 5:04PM PST

The virus writer used an exe in a zip disguised as an Excel sheet, and then told the worm to open Notepad.

New and improved versions D & E of the worm use a Notepad icon, before it, ah, opens Notepad.