W32/Bagle.FN Worm
Information about the W32/Bagle.FN Worm:
W32/Bagle.FN is a mass-mailing worm. It infects Windows systems and spreads through email.
The infected email carries a spoofed 'From' address picked at random from the infected system.
The subject of the infected mail will be any one of the following:
Sindony
Wynnefreede
Winifred
Stephen
William
Valentyne
Thomas
Syndony
Wynefreed
Sybyll
Anthonye
Alyce
Androwe
Suzanna
Androw
Andrew
Sybell
Robert
Susan
Nicholaus
Sidney
Samuell
Rycharde
Roger
Roberte
Richarde
Susanna
Richard
Rebecka
Ralph
Peter
Nycholas
Margret
Nicholas
Nathanyell
Nathaniel
Mychaell
Michael
Marye
Nathaniell
Martha
Marie
Margrett
Margerye
Margerie
Margarett
Margaret
Leonarde
Leonard
Katheryne
Katherine
Judithe
Judeth
Judith
Johen
Josias
Joane
Jeffrye
Jeames
James
Isabell
Isabel
Humphrie
Humphrey
Jeffrey
Hughe
Henrye
Fraunces
Henry
Harrye
Harry
Grace
George
Henrie
Geoffraie
Gabriell
Francis
Frances
Ester
Emanuell
Edmonde
Emanual
Ellyn
Elizabeth
Ellen
Emanuel
Elizabethe
Edwarde
Edward
Edmund
Dorithie
Edmond
Dorothy
Daniel
Dorothee
Danyell
Cybil
Constance
Christian
Bennett
Christean
Bennet
Avice
Anthony
Alice
Anthonie
Annes
Wynefrede
The body of the infected mail will begin with any one of the following:
I love you
To the beloved
It continues with any one of the following:
Zip password:
The password is
Password --
Password -
Password is
archive password:
Password:
Use password
This is followed by an image file. The image displays a random five-digit number, which is the password to open the infected zip file.
The name of the infected attachment will be any one of the following:
Harry.zip
Harrye.zip
Elizabeth.zip
Henrie.zip
Henry.zip
Henrye.zip
Hughe.zip
Edward.zip
Edwarde.zip
Elizabethe.zip
Ellen.zip
Suzanna.zip
Sybell.zip
Sybyll.zip
Syndony.zip
Thomas.zip
Valentyne.zip
William.zip
Winifred.zip
Wynefrede.zip
Ellyn.zip
Emanual.zip
Emanuel.zip
Emanuell.zip
Ester.zip
Frances.zip
Francis.zip
Fraunces.zip
Gabriell.zip
Geoffraie.zip
George.zip
Grace.zip
Humphrey.zip
Humphrie.zip
Isabel.zip
Isabell.zip
James.zip
Jeames.zip
Jeffrey.zip
Jeffrye.zip
Joane.zip
Johen.zip
Josias.zip
Judeth.zip
Judith.zip
Judithe.zip
Katherine.zip
Katheryne.zip
Leonard.zip
Leonarde.zip
Margaret.zip
Margarett.zip
Margerie.zip
Margerye.zip
Margret.zip
Margrett.zip
Marie.zip
Martha.zip
Marye.zip
Michael.zip
Mychaell.zip
Nathaniel.zip
Nathaniell.zip
Nathanyell.zip
Nicholas.zip
Nicholaus.zip
Nycholas.zip
Peter.zip
Ralph.zip
Rebecka.zip
Richard.zip
Richarde.zip
Alice.zip
Alyce.zip
Andrew.zip
Androw.zip
Androwe.zip
Annes.zip
Anthonie.zip
Anthony.zip
Anthonye.zip
Avice.zip
Bennet.zip
Bennett.zip
Christean.zip
Christian.zip
Constance.zip
Cybil.zip
Daniel.zip
Danyell.zip
Dorithie.zip
Dorothee.zip
Dorothy.zip
Edmond.zip
Edmonde.zip
Edmund.zip
Robert.zip
Roberte.zip
Roger.zip
Rycharde.zip
Samuell.zip
Sidney.zip
Sindony.zip
Stephen.zip
Susan.zip
Susanna.zip
Wynefreed.zip
Wynnefreede.zip
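The message traits listed above (a name as the subject, a greeting plus a password phrase, an image part, and a password-protected name.zip attachment) can be combined into a mail-filter check. This is an added example, not Protector Plus code: NAMES is a subset of the page's list, and the function names, the all-traits threshold and the sample messages are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Values copied from this page; NAMES is a subset of the full subject list.
NAMES = {"Harry", "Elizabeth", "Thomas", "William", "Margaret", "Winifred"}
OPENERS = ("I love you", "To the beloved")
PW_PHRASES = ("Zip password:", "The password is", "Password --", "Password -",
              "Password is", "archive password:", "Password:", "Use password")

def zip_is_encrypted(data: bytes) -> bool:
    # ZIP local file header: signature PK\x03\x04, general-purpose flags at
    # offset 6 (little endian); bit 0 set means the entry is encrypted.
    return data[:4] == b"PK\x03\x04" and len(data) > 7 and bool(data[6] & 0x01)

def bagle_fn_traits(msg: EmailMessage) -> set:
    """Return which traits described on this page a message exhibits."""
    traits = set()
    if (msg["Subject"] or "").strip() in NAMES:
        traits.add("subject")
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_maintype() == "image":
            traits.add("image")
        elif name.lower().endswith(".zip"):
            if name[:-4] in NAMES:
                traits.add("attachment_name")
            if zip_is_encrypted(part.get_payload(decode=True) or b""):
                traits.add("encrypted_zip")
        elif part.get_content_type() == "text/plain":
            text = part.get_content()
            if any(o in text for o in OPENERS) and any(p in text for p in PW_PHRASES):
                traits.add("body")
    return traits

def is_suspect(msg: EmailMessage) -> bool:
    # Assumption: require the full combination to keep false positives low;
    # a name as a subject on its own is common in legitimate mail.
    return bagle_fn_traits(msg) >= {"subject", "body", "image", "attachment_name", "encrypted_zip"}

def build_sample(subject, attach_name, zip_bytes):
    # Constructed test message, not a captured sample.
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("I love you\nZip password:\n")
    m.add_attachment(b"\x89PNG\r\n", maintype="image", subtype="png", filename="pw.png")
    m.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=attach_name)
    return m

ENCRYPTED_STUB = b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22  # constructed header, flag bit 0 set
PLAIN_STUB = b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 22      # same header, not encrypted
```

Because the password is delivered as an image, a gateway cannot read it from the text to open the archive, which is why the check relies on the encryption flag and the surrounding message shape instead of the archive contents.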
Upon execution, the worm copies itself as hidn.exe to the Windows System folder.
The worm modifies the registry at the following location to load itself at each startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
It creates a folder named hidn under the Application Data folder and drops the following files:
hidn.exe and m_hook.sys
To propagate itself, the worm scans files with the following extensions and collects the email addresses it finds on the infected system:
xml, dbx, mbx, mdx, wab, txt, msg, htm, shtm, stm, nch, mmf, ods, tbb, sht, xls, cfg, asp, php, pl, wsh, adb, oft, uin, cgi, mht, dhtm and jsp.
It mails itself to these addresses using its own SMTP engine.
The worm tries to terminate some security-related processes.
It downloads other infected files from its pre-configured list of websites.
This worm first appeared on June 20, 2006.
Other names of W32/Bagle.FN Worm:
This worm is also known as W32/Bagle-KL, WORM_BAGLE.FN, W32.Beagle.FF@mm, Email-Worm.Win32.Bagle.fy, W32/Bagle.fb@MM.