Date Discovered: 1/28/2004
Date Added: 2/28/2004
Origin: Unknown
Length: varies
Type: Virus
SubType: Internet Worm
Virus Characteristics
This new variant has the same functionality as the .c variant, but it writes different file names to the local machine and its file size differs.
This is a mass-mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
contains a remote access component (a notification is sent to the hacker)
Messages are constructed as follows:
From : (address is spoofed)
Body : (Message body is empty)
Subject :
Accounts department
Ahtung!
Camila
Daily activity report
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices price-list
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price
Price list
Pricelist
Price-list
Proclivity to servitude
Registration confirmation
The account
The employee
The summary
USA government abolishes the capital punishment
Weekly activity report
Well...
You are dismissed
You really love me? he he
Attachment : randomly named binary within a .ZIP file (~16KB).
More: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101061
Virus type: Worm
Destructive: No
Aliases: Worm/Bagle.E.GODO, Win32:Beagle-C [Unp], W32/Bagle.gen@MM, I-Worm.Bagle.e, W32/Bagle.E, W32/Bagle.E.worm
Description:
This worm arrives as a randomly named zipped attachment to an email message. It uses a text file icon to trick users into running it. It drops several files and injects one of its components (GODO.EXE) into EXPLORER.EXE to stay resident in memory.
It uses SMTP (Simple Mail Transfer Protocol) to send email messages with a spoofed return address, varying message bodies, and possibly varying subjects. The email attachment also has a random file name and is a compressed copy of this worm.
This malware opens port 2745 and listens for commands from a remote user. It terminates some active processes if they are detected.
It runs on Windows 95, 98, ME, NT, 2000 and XP.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.E
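The message traits listed above (a subject from the list, an empty body, a ZIP attachment of about 16KB) can be turned into a mail-triage check. The following is an added example, not code from either vendor write-up; the function names, the 12-20 KB size window and the sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines copied from the list on this page, compared case-insensitively.
SUBJECTS = {s.strip().lower() for s in """
Accounts department|Ahtung!|Camila|Daily activity report|Flayers among us
Freedom for everyone|From Hair-cutter|From me|Greet the day
Hardware devices price-list|Hello my friend|Hi!|Jenny|Jessica
Looking for the report|Maria|Melissa|Monthly incomings summary|New Price-list
Price|Price list|Pricelist|Price-list|Proclivity to servitude
Registration confirmation|The account|The employee|The summary
USA government abolishes the capital punishment|Weekly activity report
Well...|You are dismissed|You really love me? he he
""".replace("\n", "|").split("|") if s.strip()}
# Assumed tolerance around the "~16KB" attachment size; tune for your mail flow.
ZIP_MIN, ZIP_MAX = 12 * 1024, 20 * 1024

def check_message(raw: bytes) -> dict:
    """Report which of the described traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part else ""
    zip_sizes = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        # Require both the .zip name and the ZIP local-file-header magic.
        if name.endswith(".zip") and data.startswith(b"PK\x03\x04"):
            zip_sizes.append(len(data))
    hits = {"subject": subject in SUBJECTS,
            "empty_body": body == "",
            "zip_size": any(ZIP_MIN <= n <= ZIP_MAX for n in zip_sizes)}
    hits["suspect"] = all(hits.values())  # all three traits together
    return hits

def build_sample(subject: str, body: str, zip_len: int) -> bytes:
    """Constructed test message; the attachment is zero padding, not an archive."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    if body:
        m.set_content(body)
    m.add_attachment(b"PK\x03\x04" + bytes(zip_len - 4), maintype="application",
                     subtype="zip", filename="sample.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample("Price-list", "", 16 * 1024)))
```

Because the second description says message bodies may vary, treat the empty-body flag as one signal among three rather than a hard requirement when reviewing results.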
