Date Discovered: 1/28/2004
Date Added: 2/28/2004
SubType: Internet Worm
This new variant has the same functionality as the .c variant. It uses different file names when writing to the local machine, and its file size is different.
This is a mass-mailing worm with the following characteristics:
  - contains its own SMTP engine to construct outgoing messages
  - harvests email addresses from the victim machine
  - the From: address of messages is spoofed
  - contains a remote access component (a notification is sent to the attacker)
Messages are constructed as follows:
  From : (address is spoofed)
  Body : (message body is empty)
  Subject : one of the following
    Daily activity report
    Flayers among us
    Freedom for everyone
    Greet the day
    Hardware devices price-list
    Hello my friend
    Looking for the report
    Monthly incomings summary
    Proclivity to servitude
    USA government abolishes the capital punishment
    Weekly activity report
    You are dismissed
    You really love me? he he
  Attachment : randomly named binary within a .ZIP file (~16KB)
Virus type: Worm
Aliases: Worm/Bagle.E.GODO, Win32:Beagle-C [Unp], W32/Bagle.gen@MM, I-Worm.Bagle.e, W32/Bagle.E, W32/Bagle.E.worm
This worm arrives as a randomly-named zipped attachment to an email message. It uses a text file icon to trick users into running it. It drops several files and injects one of its components (GODO.EXE) into EXPLORER.EXE to stay resident in memory.
It uses SMTP (Simple Mail Transfer Protocol) to send email messages with a spoofed return address; the message bodies and subjects may vary. The email attachment has a random file name and is a compressed copy of this worm.
This malware opens port 2745 and listens for commands from a remote user. It terminates certain active processes if it finds them running.
It runs on Windows 95, 98, ME, NT, 2000 and XP.
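The two observable traits described above, the fixed subject list with a small .ZIP attachment and the listener on port 2745, are what a mail gateway or host triage script would key on. The following is an added Python example, not code from the original description: it parses a MIME message and scores it against the listed subjects, the empty body and the ~16 KB zip attachment, and it scans netstat-style output for a TCP listener on 2745. The size window (12-20 KB), the sample addresses and the netstat lines are constructed assumptions for illustration.

```python
"""Triage helpers for the mass-mailer described above (added example).

score_message(): flags a raw RFC 822 message that shows the worm's mail traits.
backdoor_listener(): finds a TCP LISTENING socket on port 2745 in netstat text.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines taken from the description above.
BAGLE_E_SUBJECTS = frozenset({
    "Daily activity report", "Flayers among us", "Freedom for everyone",
    "Greet the day", "Hardware devices price-list", "Hello my friend",
    "Looking for the report", "Monthly incomings summary",
    "Proclivity to servitude",
    "USA government abolishes the capital punishment",
    "Weekly activity report", "You are dismissed", "You really love me? he he",
})
ZIP_SIZE_RANGE = (12_000, 20_000)   # assumption: "~16KB" read as 12-20 KB
BACKDOOR_PORT = 2745                # port named in the description


def score_message(raw: bytes) -> dict:
    """Return per-indicator hits and an overall verdict for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "").strip()
    zip_sizes = []
    body_empty = True
    for part in msg.walk():
        filename = part.get_filename() or ""
        if part.is_attachment() or filename:
            if filename.lower().endswith(".zip"):
                zip_sizes.append(len(part.get_payload(decode=True) or b""))
        elif part.get_content_type() == "text/plain":
            if (part.get_content() or "").strip():
                body_empty = False
    lo, hi = ZIP_SIZE_RANGE
    indicators = {
        "subject_match": subject in BAGLE_E_SUBJECTS,
        "zip_attachment_in_range": any(lo <= s <= hi for s in zip_sizes),
        "empty_body": body_empty,
    }
    # Two or more traits together is the bar for flagging; one alone is too noisy.
    return {"subject": subject, "indicators": indicators,
            "suspicious": sum(indicators.values()) >= 2}


def backdoor_listener(netstat_text: str) -> list:
    """Return PIDs (or '?' if absent) of TCP sockets LISTENING on the backdoor port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, state = fields[1], fields[3]
        if local.rsplit(":", 1)[-1] == str(BACKDOOR_PORT) and state.upper() == "LISTENING":
            hits.append(fields[4] if len(fields) > 4 else "?")
    return hits


def build_sample(subject: str, body: str, zip_bytes) -> bytes:
    """Construct a test message (constructed sample, not captured traffic)."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.invalid"   # constructed spoofed address
    m["To"] = "user@example.invalid"               # constructed recipient
    m["Subject"] = subject
    m.set_content(body)
    if zip_bytes is not None:
        m.add_attachment(zip_bytes, maintype="application", subtype="zip",
                         filename="qxkz.zip")      # random-looking constructed name
    return m.as_bytes()


if __name__ == "__main__":
    # Constructed placeholder attachment: zip magic plus padding to ~16 KB.
    fake_zip = b"PK\x03\x04" + b"\x00" * 16_000
    print(score_message(build_sample("Daily activity report", "", fake_zip)))
    print(score_message(build_sample("Lunch?", "See you at noon", None)))
    sample_netstat = (  # constructed netstat -ano style output
        "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    900\n"
        "  TCP    0.0.0.0:2745   0.0.0.0:0    LISTENING    1234\n"
    )
    print(backdoor_listener(sample_netstat))
```

The message scorer deliberately requires at least two of the three traits, because an empty body or a 16 KB zip on its own is common in legitimate mail; the port check is a host-side complement for a machine already suspected of infection.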