SECURITY ALERT

Name:      W32/Bagle.C@mm
Aliases:   Worm_Bagle.c, W32.Beagle.C
Variants:  
Type:      Internet Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 3 (medium)

The following has been derived from information provided by Network Associates, Symantec, and Trend Micro.

Virus Characteristics

W32/Bagle.C@mm is a mass-mailing worm that contains its own SMTP engine for propagation. Known message characteristics are as follows:

From:       spoofed
Subject:    varies
Attachment: name varies; may be a .zip file

This threat harvests email addresses from the infected machine. It also contains a remote access component and sends a notification of the infection to the author. The worm copies itself to the Windows system directory (%SysDir%) as README.exe:

%SysDir%\README.exe   (for example C:\WINNT\SYSTEM32\README.EXE)

To ensure it runs each time Windows starts, the worm adds the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"gouday.exe" = C:\WINNT\SYSTEM32\README.EXE

It also appears to add the following registry key, with three values:

HKEY_CURRENT_USER\Software\DateTime2
"frun"
"uid"
"port"
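The two registry artifacts above (the Run value pointing at README.EXE and the DateTime2 marker key) are the quickest host-side indicators to check. The following is an added example, not code from the advisory or from any of the vendors cited: it parses the text produced by "reg export HKCU" and reports those indicators. The export shown is constructed sample data; the value types and contents under DateTime2 are assumptions, since the advisory gives only the value names.

```python
import re

# Constructed sample of a "reg export HKCU <file>" output. Not a capture from a real host;
# the DateTime2 value data below is invented, only the names come from the advisory.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\SYSTEM32\\ctfmon.exe"
"gouday.exe"="C:\\WINNT\\SYSTEM32\\README.EXE"

[HKEY_CURRENT_USER\Software\DateTime2]
"frun"="1"
"uid"="7261"
"port"="0"
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\DateTime2"
MARKER_VALUES = {"frun", "uid", "port"}


def parse_reg_export(text):
    """Parse the subset of .reg syntax that 'reg export' emits: [key] headers and "name"=data lines.

    Returns {key_lowercased: {value_name: data}}. String data has its surrounding quotes and the
    doubled backslashes of the .reg format removed; other data (dword:, hex:) is kept as written.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_bagle_c_indicators(reg_text):
    """Return a list of human-readable hits for the Bagle.C registry artifacts, empty if clean."""
    keys = parse_reg_export(reg_text)
    hits = []
    # Persistence: a Run value named gouday.exe, or any Run value launching a README.EXE.
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "gouday.exe" or data.lower().endswith("\\readme.exe"):
            hits.append(f"Run value {name!r} -> {data}")
    # Marker key: presence of HKCU\Software\DateTime2 with the frun/uid/port values.
    marker = keys.get(MARKER_KEY.lower())
    if marker is not None:
        present = sorted(MARKER_VALUES & set(marker))
        hits.append(f"{MARKER_KEY} present with values {present}")
    return hits


if __name__ == "__main__":
    for hit in find_bagle_c_indicators(SAMPLE_REG_EXPORT):
        print("INDICATOR:", hit)
```

Run it against a real export with `reg export HKCU hkcu.reg /y` and feed the file's text to find_bagle_c_indicators; the matching is case-insensitive on key paths and value names because the registry itself is. Checking the DateTime2 key by presence rather than by value data keeps the check valid even though the advisory does not document what the three values hold.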


Payload

Mass Mailer
Registry Modification
Remote Access Component


Preventative Measures

Block incoming messages that carry .zip attachments at the gateway where possible.
Block incoming messages that carry executable attachments, including executables inside archives.
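A gateway that only blocks on the outer attachment's extension misses an executable wrapped in a .zip, which is the delivery form this worm may use. The following is an added example, not code from the advisory or from any vendor product: it applies the two measures above to a MIME message, opening zip attachments to look for executable members, and optionally blocking every zip outright. The message and zip contents are constructed test data; the extension lists are assumptions to be tuned to local policy.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions treated as executable content. An assumption for this example, not a vendor list.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ARCHIVE_EXTS = {".zip"}


def _ext(name):
    """Lower-cased extension of a filename including the dot, or '' if there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data):
    """Return names of executable members inside a zip payload; [] if none or not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def gateway_verdict(raw_message, block_all_zips=False):
    """Decide 'block' or 'deliver' for a raw RFC 822 message; returns (action, reasons)."""
    msg = email.message_from_bytes(raw_message)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        ext = _ext(filename)
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment {filename}")
        elif ext in ARCHIVE_EXTS:
            if block_all_zips:
                reasons.append(f"zip attachment {filename} (policy: block all zips)")
            else:
                inner = inspect_zip(payload)
                if inner:
                    reasons.append(f"zip attachment {filename} contains executable(s): {inner}")
    return ("block" if reasons else "deliver", reasons)


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message(attachment_name, attachment_bytes, mime_type):
    """Construct a test message. This is made-up sample data, not a captured worm email."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content("see attachment")
    maintype, subtype = mime_type.split("/", 1)
    msg.add_attachment(attachment_bytes, maintype=maintype, subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # "MZ" is only a placeholder for PE content; the member is not a real executable.
    sample = build_sample_message("photo.zip", make_zip({"readme.exe": b"MZ placeholder"}),
                                  "application/zip")
    print(gateway_verdict(sample))
    print(gateway_verdict(sample, block_all_zips=True))
```

The extension check inside the archive is a cheap first filter, not a substitute for scanning: a renamed or password-protected archive member will not be caught by name, so pair this with the vendor signatures listed under Fixes Available.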


Fixes Available

Network Associates:
Minimum DAT: 4329 (Extra.DAT available)
Release Date: February 27, 2004
Minimum Engine: 4.2.40

Symantec:
Virus Definitions (Intelligent Updater): March 01, 2004
Virus Definitions (LiveUpdate): March 03, 2004
Note: Virus definitions version 60217w (extended version 2/17/2004 rev 23) detect this sample as W32.Beagle.A@mm.

Trend:
Pattern File: 784
Minimum Scan Engine: 5.600
