- The registry keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gouday.exe with value
HKCU\Software\DateTime2\frun with value "1"
HKCU\Software\DateTime2\port with value "2745"
HKCU\Software\DateTime2\uid with random value
- Listening on port 2745.
- Presence of the following files:
C:\Windows\System\doc.exe, 1536 bytes
C:\Windows\System\readme.exe, 15872 bytes
C:\Windows\System\onde.exe, 18944 bytes
C:\Windows\System\readme.exeopen, 15994 bytes
Automatic disinfection: let Bitdefender delete infected files.
Delete the key "gouday.exe = C:\Windows\System\readme.exe" under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".
Delete the keys "frun=1", "port=2745", "uid=[random value]" under "HKEY_CURRENT_USER\Software\DateTime2".
After a restart, delete the files "readme.exe", "readme.exeopen", "doc.exe", "onde.exe" from "C:\Windows\System".
Daniel Ionita, Virus Researcher
The mass-mailer is 15944 bytes in length and arrives as an attachment inside a ZIP archive
built with the "store" (no compression) method.
It arrives in an email in the following format:
From: [forged email address]
Subject: [one of the following]
Hardware devices price-list
Weekly activity report
Daily activity report
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
Hello my friend
Greet the day
Looking for the report
You really love me? he he
You are dismissed
Monthly incomings summary
Proclivity to servitude
Attachment: [random bytes].exe within a zip file.
Upon execution, it drops four files into the "C:\Windows\System"
directory, with the following purposes:
- readme.exe is the virus unzipped. A key will be inserted in the
registry so that the file will be executed at every operating system
- doc.exe, a file whose purpose is to execute onde.exe. It is
injected into the explorer.exe address space.
- onde.exe is the main component of the virus. Handles all the
- readme.exeopen is the zipped version of the virus, the file in the
archive created already with a random name and ready to be mass-mailed
When first run, it starts notepad.exe. It then checks the date,
and if the date is after 14 March 2004 the worm exits.
The worm creates the registry keys described in the "Symptoms"
section, and starts a backdoor that will listen for commands on the
The worm creates a mutex named "imain_mutex" and starts a series
of threads performing various functions:
- every 100 milliseconds, kill all processes with the name:
- every 2000 milliseconds, check whether the computer is connected to the Internet.
- every 3 hours and 10 minutes, connect to the
following addresses using the user name "i_am_ideal":
The worm searches the host computer for files with the
following extensions, extracting email addresses from them:
The worm will not send itself to addresses containing the following
Update: a new strain of Bagle appears to be in the wild. Bitdefender detects it as Win32.Bagle.D@mm; it is similar to the Bagle.C@mm variant, with only minor differences:
- the mutex is now called "iain_m2".
- the user name used to connect to the sites mentioned is now "al".
- the key "DateTime2" is now called "DateTime3". The location is unchanged.
Update #2: we received yet another strain of Bagle. BitDefender now detects it as Win32.Bagle.E@mm. There are more differences compared with Bagle.C@mm:
- the messages the virus sends now have attachments, one of the following:
Everything inside the attach
Look it through
- The names of the dropped files have changed:
doc.exe is now called ii455nj4.exe
readme.exe is now called i1ru74n4.exe
readme.exeopen is now called i1ru74n4.exeopen
onde.exe is now called godo.exe.
Note that the size of the file "i1ru74n4.exe" now varies: the virus appends random bytes to the file as an overlay.
- mutex name is the same as that of the C@mm variant: "imain_mutex"
- the user name used to connect to the same pages is now "oclivity".
- registry keys have changed:
HKCU\Software\DateTime4, with the only subkey "frun = 1".
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with the subkey "rate.exe = C:\Windows\System\i1ru74n4.exe"
- the date at which the virus deactivates has changed from 14 March 2004 to 25 March 2004.
- the attachment inside the ZIP archive changed packer, from UPX to PEX.
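The following read-only PowerShell check, added here as an example and not a Bitdefender tool, looks for the host-side symptoms listed above across the C, D and E variants (Run-key values, DateTimeN keys, dropped files, the "imain_mutex"/"iain_m2" mutex and a listener on TCP 2745); it only reports and removes nothing. It assumes a modern Windows (Get-NetTCPConnection needs Windows 8 / Server 2012 or later) and that the worm's mutex lives in the caller's session namespace.

```powershell
# Added example: report Win32.Bagle.C/D/E@mm indicators on this host. Read-only.
$hits = @()

# 1. Run-key persistence: "gouday.exe" (C/D) or "rate.exe" (E) pointing into %SystemRoot%\System
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'gouday.exe', 'rate.exe') {
    $v = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $hits += "Run value '$name' = $v" }
}

# 2. Configuration keys: DateTime2 (C), DateTime3 (D), DateTime4 (E) holding frun/port/uid
foreach ($k in 'DateTime2', 'DateTime3', 'DateTime4') {
    $p = "HKCU:\Software\$k"
    if (Test-Path $p) {
        $props = Get-ItemProperty -Path $p
        $hits += "Key $p present (frun=$($props.frun), port=$($props.port), uid=$($props.uid))"
    }
}

# 3. Dropped files (C/D names and E names) under %SystemRoot%\System; sizes vary for E
$sysDir = Join-Path $env:SystemRoot 'System'
foreach ($f in 'readme.exe', 'readme.exeopen', 'doc.exe', 'onde.exe',
              'i1ru74n4.exe', 'i1ru74n4.exeopen', 'ii455nj4.exe', 'godo.exe') {
    $path = Join-Path $sysDir $f
    if (Test-Path $path) { $hits += "File $path ($((Get-Item $path).Length) bytes)" }
}

# 4. Mutex names used by the C/E ("imain_mutex") and D ("iain_m2") variants, session namespace
foreach ($m in 'imain_mutex', 'iain_m2') {
    try {
        $mx = [System.Threading.Mutex]::OpenExisting($m)
        $mx.Dispose()
        $hits += "Mutex '$m' exists"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] { }
}

# 5. Backdoor listener on TCP 2745, with the owning process for triage
$listeners = @(Get-NetTCPConnection -LocalPort 2745 -State Listen -ErrorAction SilentlyContinue)
foreach ($c in $listeners) {
    $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $hits += "TCP 2745 listening, owning PID $($c.OwningProcess) ($($owner.ProcessName))"
}

if ($hits.Count -eq 0) { 'No Bagle.C/D/E indicators found.' }
else { 'Indicators found:'; $hits | ForEach-Object { "  $_" } }
```

A hit on the Run value or the DateTimeN key alone is enough to follow the removal steps above; the file and port checks mainly confirm which variant is present.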