Discovered on: February 27, 2004
Last Updated on: February 27, 2004 06:02:29 PM
When W32.Beagle.C@mm is executed, it performs the following actions:
Checks the computer date, and if it is after March 14th, 2004, the worm will exit.
If the worm is not executed from %System%\readme.exe, it will launch notepad.exe, which is the Notepad text editor.
--------------------------------------------------------------------------------
Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
--------------------------------------------------------------------------------
Copies itself as %System%\readme.exe.
Creates the following files:
%System%\onde.exe (18,944 bytes)
%System%\doc.exe (1,536 bytes)
%System%\readme.exeopen (15,994 bytes)
Adds the value:
"gouday.exe"="%System%\readme.exe"
to the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the W32.Beagle.C@mm runs when you start Windows.
More: http://www.symantec.com/avcenter/venc/data/w32.beagle.c@mm.html
Type
Win32 worm
Description
W32/Bagle-C is a mass mailing worm. Further details will appear here shortly.
http://www.sophos.com/virusinfo/analyses/w32baglec.html

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic