Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement



Process Name  : Readme.exe

Process Path : %SYSTEM%\Readme.exe [ C:\Windows\System32\Readme.exe ]

Process type    : Internet Worm

Malware Name : W32.Bagle.C@mm

Alias             : I-Worm/Bagle.C, W32/Bagle.C@MM , Bagle.C, W32/Bagle-C,  WORM_BAGLE.C 

Threat level : Low

Process Details :

                     Readme.exe is the main component dropped by Bagle.C. It is a mass mailing worm, uses  e-mail addresses collected from .wab .txt .htm .html .dbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .adb  and .sht files to distribute infected messages. Bagle worm arrives as an e-mail attachment. The infected attachment name is randomly chosen by the worm. Bagle.C worm appeared on 27th February 2004.

The infected mail subject will be one of the following

New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Price list
Hello my friend
Greet the day
The account
Looking for the report
You really love me?
he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
The employee

The infected mail sample is given below.

                     When the worm file is executed, it executes notepad application ( notepad.exe ) and copies itself to Windows system folder as "readme.exe" in the background. It also drops onde.exe, doc.exe and readme.exeopen.

                     W32.Beagle.C@mm modifies registry run section to load automatically on the next startup. The registry modification is given below.

"gouday.exe"= %SYSTEM%\readme.exe

[ By default, %SYSTEM% will be C:\Windows\System in case of Windows 95/98/ME, C:\Winnt\System32 in case of Windows NT/2000 and C:\Windows\System32 in case of Windows XP ]

The worm also creates following additional key

HKEY_CURRENT_USER\SOFTWARE\Software\DateTime2 "frun"
HKEY_CURRENT_USER\SOFTWARE\Software\DateTime2 "port"

                    Bagle.C worm uses its own SMTP engine to send infected messages. The worm tries to terminate security programs in the infected system. Bagle.C worm will not send infected mails to the following e-mail addresses


                    Bagle.C contains backdoor abilities and it opens TCP port 2745. It allows hackers to upload files in the infected computer. Bagle.C tries to download a PHP script ( scr.php ) from the following sites

How can I protect my system?

                   Solo has incorporated readme.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this Worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

                   If you are already infected with readme.exe, you can remove it from your computer using Solo Antivirus software. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link