Virus Information
Discovery Date: 03/01/2004
Origin: Unknown
Length: Varies
Type: Virus
SubType: E-mail worm
This variant of W32/Bagle functions almost identically to the .F variant.
The differences are listed as follows:
The executable has been repackaged
The virus copies itself into the Windows System directory as i11r54n4.exe
The following Registry key is added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rate.exe" = C:\WINNT\SYSTEM32\i11r54n4.exe
It also creates other files in the Windows System directory to perform its functions:
go154o.exe (19,968 bytes) - DLL to perform mailing
i1i5n1j4.exe (1,536 bytes) - DLL loader
i11r54n4.exeopen (20,774) - file to be sent via email
Like its predecessors, this worm checks the system date. If it is the 25th March 2005 or later, the worm simply exits and does not propagate.
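A host triage check built from the registry value and dropped files listed above. This is an added example, not part of the original write-up. The function names, the confidence labels and the sample data are assumptions made for illustration; the listed size of i11r54n4.exeopen is assumed to be in bytes.

```python
import ntpath
import re

# Indicators copied from the description above (last size assumed to be bytes).
RUN_VALUE = "rate.exe"      # value name under HKCU\...\CurrentVersion\Run
MAIN_COPY = "i11r54n4.exe"  # the worm's own copy; length varies, so no size check
DROPPED = {"go154o.exe": 19968, "i1i5n1j4.exe": 1536, "i11r54n4.exeopen": 20774}
# MAIN_COPY as the file name inside a Run command line, quoted or not.
MAIN_RE = re.compile(r'(?:^|[\\/"])' + re.escape(MAIN_COPY) + r'(?=$|[\s"])', re.I)

def in_system_dir(path):
    """Assumption: the 'Windows System directory' ends in system32 or system."""
    parent = ntpath.dirname(ntpath.normpath(path)).lower()
    return parent.endswith(("\\system32", "\\system"))

def check_run_values(values):
    """values: {name: data} read from the HKCU Run key -> [(name, confidence)]."""
    hits = []
    for name, data in values.items():
        name_hit = name.lower() == RUN_VALUE
        target_hit = bool(MAIN_RE.search(data))
        if name_hit and target_hit:
            hits.append((name, "high"))
        elif name_hit or target_hit:
            hits.append((name, "medium"))  # only one of the two indicators matches
    return hits

def check_files(listing):
    """listing: (full path, size in bytes) pairs -> [(path, confidence)]."""
    hits = []
    for path, size in listing:
        base = ntpath.basename(path).lower()
        if not in_system_dir(path):
            continue
        if base == MAIN_COPY:
            hits.append((path, "high"))
        elif base in DROPPED:
            hits.append((path, "high" if size == DROPPED[base] else "medium"))
    return hits

# Constructed sample data, not taken from a real host.
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe",
              "rate.exe": r"C:\WINNT\SYSTEM32\i11r54n4.exe"}
SAMPLE_FILES = [(r"C:\WINNT\SYSTEM32\i11r54n4.exe", 21000),
                (r"C:\WINNT\SYSTEM32\go154o.exe", 19968),
                (r"C:\WINNT\SYSTEM32\i1i5n1j4.exe", 2048),  # size differs
                (r"C:\Temp\go154o.exe", 19968)]             # outside system dir

if __name__ == "__main__":
    print(check_run_values(SAMPLE_RUN), check_files(SAMPLE_FILES))
```

Feed it the values of the HKCU Run key and a file listing of the system directory collected from the host; a "medium" result means only the name or only the target or size matched and needs a manual look.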
Messages are constructed as follows:
From : (address is spoofed)
Subject :
^_^ meay-meay!
^_^ mew-mew (-:
Hey, dude, it's me ^_^
Argh, i don't like the plaintext
I don't bite, weah!
Looking forward for a response
If the attachment is a password protected zip, one of the following lines will be included in the body:
Read more:
http://vil.nai.com/vil/content/v_101068.htm
Aliases
I-Worm.Bagle.gen
Type
Win32 worm
Description
A detailed analysis of W32/Bagle-H will be published here shortly. Please check again later.
http://www.sophos.com/virusinfo/analyses/w32bagleh.html
