Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

W32/Bagle-I

Mar 1, 2004 11:37PM PST

Aliases
I-Worm.Bagle.h

Type
Win32 worm

Description
W32/Bagle-I is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk. The worm searches for files with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB, TBB and ***.
When run the worm opens copies itself to the Windows system folder as i11r54n4.exe and creates the following files in the same folder:


go154o.exe - the main DLL component of the worm

i1i5n1j4.exe - a DLL plugin used to load ONDE.EXE

i11r54n4.EXEOPEN - a copy of the worm in a password protected ZIP format


W32/Bagle-I adds the value rate.exe = <SYSTEM>\i11r54n4.exe to the registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-I runs every time you logon to your computer.

Emails have the following characteristics:


More: http://www.sophos.com/virusinfo/analyses/w32baglei.html

Discussion is locked