W32/Bagle.EF is a mass mailing worm. The worm will infect Windows systems and spreads through email and network.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be be any one of the following;

Gwd: Hi
Gwd: Document
Gwd: Changes..
Gwd: Hello :-)
Gwd: Thanks :)
Gwd: Update
Gwd: Yahoo!!!
Gwd: Msg reply
Gwd: Thank you!
Gwd: Fax Message
Gwd: Site changes
Gwd: Text message
Gwd: Incoming Msg
Gwd: Notification
Gwd: Forum notify
Gwd: Message Notify
Gwd: Incoming Message
Gwd: crypted document
Gwd: Protected message

The body of the infected mail will be any one of the following;

Ok. See attach.
Ok. Read the attach.
Ok. Here is the file
Ok. Check attached file.
Ok. Message is in attach
Ok. More info is in attach
Ok. Attach tells everything.
Ok. Please, read the document.
Ok. Pay attention at the attach.
Ok. Attached file tells everything.
Ok. Check attached file for details.
Ok. Please, have a look at the attached file.
Ok. See the attached file for details.
Ok. Your document is attached.
Ok. Your file is attached.

The name of the infected attachment will be any one of the following;

Info
Common
Message
Details
MoreInfo
fu(BLOCKED)_her
www.cu(BLOCKED)nherface
XXX_livebabes
XXX_P(BLOCKED)noUpdates
xxxP(BLOCKED)no

The infected attachment will have any one of the following extensions;

.scr
.exe
.com

Upon execution, the worm copies itself as windspl.exe and regisp32.exe in the Windows System folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the following extensions and collects the available email addresses from the infected system;

.dhtm and .shtm.

This worm first appeared on February 3, 2006.

 Other names of W32/Bagle.EF Worm:

This Worm is also known as WORM_BAGLE.EF .