Email-Worm:W32/Bagle.C distributes copies of itself as file attachments to e-mail messages that use differing subject lines. Once executed, the worm functions as a backdoor and disables certain security software.
Bagle.C was first found in the wild in the early morning of February 28th, 2004. This variant was programmed to stop spreading after March 14th, 2004.
Email-Worm:W32/Bagle.C arrives as a zipped EXE file attachment to e-mail messages that use differing subject lines. The attachment uses the icon of a Microsoft Excel spreadsheet file as a decoy:
On initial execution, the worm starts the Windows Notepad (notepad.exe) to conceal its activity. It then drops several files to the Windows System Directory:
'Readme.exe' is added to the registry as
to ensure that the worm will be activated when Windows starts. To indicate whether the worm was run for the first time it creates another value in the registry as
Bagle.C comes with a backdoor that listens on a TCP port 2745, which is hardcoded in the worm's body. The backdoor provides full remote access to the infected computer. It can be used to download and execute arbitrary programs from the Internet. When the worm is started it connects to a list of predefined web servers and tries to access a PHP file with certain parameters. One of the parameters is the TCP port where the backdoor is listening which suggests that this functionality is used to collect the addresses of infected computers. The payload of Bagle.C contains a thread that terminates processes with the following names:
Bagle.C recursively searches all drives on the infected computer to locate file that could contain email addresses. It parses these files and collects all email addresses it can find. Files with the following extensions are checked:
The mailer routine will ignore all the addresses that contain the any of these strings:
Using its own SMTP engine Bagle sends messages with infected attachments to the collected addresses. The SMTP engine uses direct Mail eXchange (MX) lookup on the target domain so it does not depend on email settings of the infected computer. The body of the messages is empty. The sender address in the email is spoofed. The infected emails can have the following subjects:
The attachment is a ZIP file with random name which is up to eight characters long and made up of the letters 'a' 'b' and 'c'.