
W32/Bagle.E
W32/Bagle.E is a mass-mailing worm and a variant of W32/Bagle.C. It infects Windows systems and spreads through email, arriving as a randomly named zipped email attachment. The worm contains its own SMTP engine, which it uses to construct outgoing messages with a spoofed return address and send them to email addresses gathered from the infected system.

The subject of the infected mail will be any one of the following:

You really love me? he he

The body of the infected mail will be blank. The mail carries the following infected attachment:

<random characters>.zip

The worm uses a text file icon to make the file appear to be a text file. Upon execution, the worm opens Notepad. It then drops the following files in the Windows system folder:

godo.exe

The worm injects the file godo.exe into explorer.exe to stay resident in memory. It also alters the Windows registry at the following location to load itself during the next startup:

HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm creates the mutex imain_mutex to ensure that only one instance of the worm is running in memory.
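A host triage check for the indicators described above, as an added example that is not part of the original write-up or any vendor tool. The file name, mutex name and Run key path come from the description; the function name `Test-BagleEIndicators`, the per-user hive enumeration, the SysWOW64 check and the `Global\` mutex lookup are assumptions about where those indicators may appear on a given system.

```powershell
# Added example: looks for the W32/Bagle.E indicators named in the description.
# Test-BagleEIndicators is a hypothetical helper, not part of any product.
function Test-BagleEIndicators {
    $findings = @()

    # 1. Dropped file in the Windows system folder. SysWOW64 is checked as well
    #    (assumption): 32-bit writes are redirected there on 64-bit Windows.
    $dirs = @([Environment]::SystemDirectory, (Join-Path $env:SystemRoot 'SysWOW64'))
    foreach ($dir in $dirs) {
        $file = Join-Path $dir 'godo.exe'
        if (Test-Path -LiteralPath $file) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $file }
        }
    }

    # 2. Run-key persistence. The path is checked exactly as written in the
    #    description and also under every loaded user hive (assumption).
    #    The value name is not documented, so the value data is matched instead.
    $runKeys = @('Registry::HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $runKeys += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match 'godo\.exe') {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "$path -> $name = $data" }
            }
        }
    }

    # 3. Single-instance mutex. A bare name resolves in the current session;
    #    the Global\ form is tried too (assumption about the namespace).
    foreach ($mutexName in 'imain_mutex', 'Global\imain_mutex') {
        $handle = $null
        try {
            $present = [System.Threading.Mutex]::TryOpenExisting($mutexName, [ref]$handle)
        } catch [System.UnauthorizedAccessException] {
            $present = $true    # the object exists but this account cannot open it
        } catch { $present = $false }
        if ($present) { $findings += [pscustomobject]@{ Type = 'Mutex'; Detail = $mutexName } }
        if ($handle) { $handle.Dispose() }
    }
    $findings
}

Test-BagleEIndicators | Format-Table -AutoSize
```

Run it from an elevated session so other users' hives are readable; an empty result means none of the three indicators was found in the places checked.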
Copyright © 2005 Proland Software. All rights reserved.