Virus Information
Discovery Date: 03/01/2004
Origin: Unknown
Length: Varies
Type: Virus
SubType: E-mail worm

This variant of W32/Bagle functions almost identically to the .F variant.

The differences are as follows:

The executable has been repackaged
The virus copies itself into the Windows System directory as i11r54n4.exe
The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rate.exe" = C:\WINNT\SYSTEM32\i11r54n4.exe

It also creates other files in the Windows System directory to perform its functions:

go154o.exe (19,968 bytes) - DLL to perform mailing
i1i5n1j4.exe (1,536 bytes) - DLL loader
i11r54n4.exeopen (20,774) - file to be sent via email
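
An added example, not part of the original description: a Python check that matches registry and file-listing rows exported from a host against the indicators listed above. The row formats, function names and sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "rate.exe"
# Dropped file name -> size in bytes as listed (None: no size given).
DROPPED = {"i11r54n4.exe": None, "go154o.exe": 19968,
           "i1i5n1j4.exe": 1536, "i11r54n4.exeopen": 20774}
SYSTEM_DIRS = {"system32", "system"}  # assumed names of the System directory

def _norm_key(key):
    """Expand the HKCU abbreviation; ignore case and a trailing backslash."""
    key = key.strip().rstrip("\\")
    if key.upper().startswith("HKCU\\"):
        key = "HKEY_CURRENT_USER" + key[4:]
    return key.lower()

def check_run_entries(entries):
    """entries: (key, value_name, data) rows from a registry export."""
    hits = []
    for key, name, data in entries:
        if _norm_key(key) != RUN_KEY.lower():
            continue
        target = ntpath.basename(data.strip().strip('"')).lower()
        # Match on the value name or on a Run target named like a dropped file.
        if name.lower() == RUN_VALUE or target in DROPPED:
            hits.append((name, data))
    return hits

def check_files(listing):
    """listing: (full_path, size) rows. Returns (path, match quality) pairs."""
    hits = []
    for path, size in listing:
        folder, name = ntpath.split(path)
        name = name.lower()
        if name not in DROPPED or ntpath.basename(folder).lower() not in SYSTEM_DIRS:
            continue
        expected = DROPPED[name]
        quality = "name" if expected is None else (
            "name+size" if expected == size else "name, size differs")
        hits.append((path, quality))
    return hits

# Constructed triage rows, for illustration only.
SAMPLE_RUN = [(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
               "rate.exe", r"C:\WINNT\SYSTEM32\i11r54n4.exe")]
SAMPLE_FILES = [(r"C:\WINNT\system32\GO154O.EXE", 19968),
                (r"C:\WINNT\system32\i1i5n1j4.exe", 2048),
                (r"C:\Temp\go154o.exe", 19968)]

if __name__ == "__main__":
    print(check_run_entries(SAMPLE_RUN), check_files(SAMPLE_FILES))
```
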

Like its predecessors, this worm checks the system date. If it is the 25th March 2005 or later, the worm simply exits and does not propagate.

Messages are constructed as follows:

From : (address is spoofed)
Subject :

^_^ meay-meay!
^_^ mew-mew (-:
Hey, dude, it's me ^_^ Silly
Argh, i don't like the plaintext Happy
I don't bite, weah!
Looking forward for a response Silly

If the attachment is a password-protected zip, one of the following lines will be included in the body:
Read more:
http://vil.nai.com/vil/content/v_101068.htm