
W32/Bagle.G
W32/Bagle.G is a mass-mailing, memory-resident worm and a variant of W32/Bagle.F. It infects Windows systems and spreads through email.

The worm contains its own SMTP engine, which it uses to construct outgoing messages with a spoofed return address and send them to email addresses gathered from the infected system. The subject and body of the infected mail are random, and the worm appends additional text strings to the body that contain the information for its password-protected .zip files. The message carries an infected attachment with a random filename and a .zip extension. The attached file has an icon similar to that of a Windows folder.

The worm also spreads by dropping infected files in folders that have the text string 'shar' in their names.

The worm terminates the process outpos1t.exe.

Upon execution, the worm drops the following file in the Windows system folder:

go54o.exe

The worm also alters the Windows registry at the following location to load itself at the next startup:

HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm creates the mutex imain_mutex to ensure that only one instance of the worm is running in memory.
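The host behaviours described above can be checked against endpoint telemetry. The following is an added example, not part of the original description: it assumes events are available as dictionaries with field names modelled on Sysmon Event ID 11 (FileCreate) and 13 (registry value set), and the host names, paths and sample events are constructed.

```python
import ntpath
from collections import defaultdict

# Indicators taken from the description above.
DROPPED_FILE = "go54o.exe"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
SHARE_MARKER = "shar"

def classify(event):
    """Return the Bagle.G behaviour an event matches, or None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if event["EventID"] == 11:  # Sysmon FileCreate
        folder, name = ntpath.split(event["TargetFilename"].lower())
        # Assumption: "Windows system folder" means ...\system32 or ...\system.
        if name == DROPPED_FILE and ntpath.basename(folder) in ("system32", "system"):
            return "dropped_file"
        # Assumption: the worm runs from its dropped copy, so writes into
        # 'shar' folders are attributed by the creating image name.
        parts = folder.split("\\")[1:]
        if image == DROPPED_FILE and any(SHARE_MARKER in p for p in parts):
            return "share_folder_copy"
    elif event["EventID"] == 13:  # Sysmon RegistryEvent (value set)
        key = ntpath.dirname(event["TargetObject"]).lower()
        # The page gives no value name, so match on the data written.
        if key.endswith(RUN_KEY_SUFFIX) and DROPPED_FILE in event["Details"].lower():
            return "run_key_persistence"
    return None

def triage(events):
    """Group matched behaviours per host."""
    hits = defaultdict(set)
    for ev in events:
        behaviour = classify(ev)
        if behaviour:
            hits[ev["Computer"]].add(behaviour)
    return dict(hits)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS-01", "Image": r"C:\Temp\doc.exe",
     "TargetFilename": r"C:\WINDOWS\system32\go54o.exe"},
    {"EventID": 13, "Computer": "WS-01", "Image": r"C:\WINDOWS\system32\go54o.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\example",
     "Details": r"C:\WINDOWS\system32\go54o.exe"},
    {"EventID": 11, "Computer": "WS-01", "Image": r"C:\WINDOWS\system32\go54o.exe",
     "TargetFilename": r"C:\Program Files\App\My Shared Folder\setup.exe"},
    {"EventID": 11, "Computer": "WS-02", "Image": r"C:\WINDOWS\explorer.exe",
     "TargetFilename": r"C:\Users\a\Shared\notes.txt"},
]
```

The mutex imain_mutex and the termination of outpos1t.exe do not appear in these two event types, so they are not covered here.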
Copyright © 2005 Proland Software. All rights reserved