W32/Bagle.EN is a worm. The worm will infect Windows systems and spreads through email.

The subject of the infected mail will be be any one of the following;

Your receipt [random digits]
Billing department,
order [random digits]
Order Reminder: ID [random digits]

The body of the infected mail will be any one of the following;

Your email [email address] has exceeded its bandwidth quota in the period beginning on 2006-01-01.
Your quota is set to 10485760 bytes (10.0 MB), and your email has consumed 559189702 bytes (533.285 MB) beyond that quota.
Our over-bandwidth charges are
Additional Bandwidth/Month Monthly Cost
100 Mb $200.00
200 MB $360.00
300 MB $480.00
400 MB $624.00
500 Mb $740.00 <- your over-usage
600 Mb $850.00

Our automatically generated bill is attached with this email.

Sincerely,
Sales Manager.

Dear Sir or Madam,

This notification is just a friendly reminder (not a bill or a second charge) that on 15-JAN-06, you placed an order from Symantec Store.
This order was paid using your Visa, whose last 4 digits are ************2346, and will be appearing on your billing statement shortly.
The charge will appear as DR *Symantec. This is just a reminder to help you recognize the charge.
You will not be charged again.

You antivirus definition file is attached to this email, please install it to be perfectly protected from the latest viruses and other internet threats.

Details about your reciept attached with this email. You have to use Adobe Acrobat Reader to open it.
Transaction Number: [random digits]
This is your receipt for your $1490 purchase of a 1.0 months
subscription which will appear on your statement as [random digit].
Your membership will automatically renew per the terms and conditions.
Should you ever have any problems whatsoever, please don't hesitate to contact our live technical support staff - available 24 hours a day 7 days a week.
We can be reached by phone toll free in the US at 800-{BLOCKED}-8593. Rather use email?

Drop us a line at bill@gmail.com and we'll always get back to you within an hour.

Enjoy the service!
Support

The name of the infected attachment will be any one of the following;

Generated_bill.exe
Order_details.exe
Service_receipt.exe

Upon execution, the worm copies itself as regmaping.exe in Windows System folder.

It also drops regmaping.exeopen and regmaping.exeopenopen in Windows System folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the following extensions and collects the available email addresses from the infected system;

sht, pl, mmf, cfg, dbx, cgi, asp, adb, dhtm, eml, htm, jsp, mbx, mht, mdx, msg, nch, ods, oft, php, shtm, stm, tbb, txt, uin, wab, wsh, xls and xml.

This worm first appeared on February 09, 2006.

 Other names of W32/Bagle.EN Worm:

This Worm is also known as WORM_BAGLE.EN.