Virus Profile: W32/Bagle@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 1/18/2004
Date Added: 1/18/2004
Origin: Unknown
Length: 15,872 bytes
Type: Virus
Subtype: E-mail
DAT Required: 4316

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • System listening on TCP port 6777
  • Presence of the file bbeagle.exe in the WINDOWS SYSTEM directory

Methods of Infection

Manually executing an infected email attachment infects the local system, which is then used to email the virus to others.

Aliases

I-Worm.Bagle (AVP), W32.Beagle.A@mm (Symantec), W32/Bagle-A (Sophos), W32/Bagle.A@mm (F-Secure), WORM_BAGLE.A (Trend)

Virus Characteristics

-- Update January 23, 2004 --
The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.

-- Update January 22, 2004 --
AVERT has received a slightly modified sample of this worm, which is detected with the same DATs and Engine as the initial variant. No field submissions of this modified sample have been received at the time of writing.

This is a mass-mailing worm with a remote access component. The worm arrives in an email message with the following characteristics:

From: (address may be forged)
Subject: Hi
Body:
  Test =)
  (random characters)
  --
  Test, yep.

Attachment: (random filename) 15,872 bytes, for example:

frjujs.exe
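A mail-gateway check built from the message characteristics above. This is an added example, not McAfee's code or anything from the profile: it parses an RFC 822 message with Python's standard email module and reports which of the listed indicators are present (Subject "Hi", a body opening with "Test =)", the "Test, yep." signature, and a .exe attachment of exactly 15,872 bytes). The sample message it builds is constructed, and its attachment is inert zero-byte filler rather than the worm; the decision rule in is_bagle_candidate (attachment indicator plus at least one text indicator) is this example's own choice, not a rule from the profile.

```python
"""Gateway check for mail matching the W32/Bagle@MM message profile.

Added example, not McAfee's code. Indicators come from the profile:
Subject "Hi", a body that opens with "Test =)" and carries the signature
"Test, yep.", and a randomly named .exe attachment of exactly 15,872 bytes.
The sample message built below is constructed; its attachment is inert filler.
"""
from __future__ import annotations
import email
from email import policy
from email.message import EmailMessage

BAGLE_ATTACHMENT_SIZE = 15_872   # bytes, as stated in the profile


def bagle_indicators(raw: bytes) -> list[str]:
    """Return the profile indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    if (msg.get("Subject") or "").strip().lower() == "hi":
        hits.append("subject 'Hi'")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if body.lstrip().startswith("Test =)"):
        hits.append("body opens with 'Test =)'")
    if "Test, yep." in body:
        hits.append("signature 'Test, yep.'")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        size = len(part.get_payload(decode=True) or b"")
        if name.lower().endswith(".exe") and size == BAGLE_ATTACHMENT_SIZE:
            hits.append(f"{size}-byte .exe attachment {name}")
    return hits


def is_bagle_candidate(raw: bytes) -> bool:
    """Flag only when the executable attachment and at least one text
    indicator agree, so an ordinary 'Hi' message is not quarantined.
    (Decision rule chosen for this example, not taken from the profile.)"""
    hits = bagle_indicators(raw)
    return any("attachment" in h for h in hits) and len(hits) >= 2


def build_sample(attachment_size: int = BAGLE_ATTACHMENT_SIZE) -> bytes:
    """Constructed message in the shape the profile describes."""
    msg = EmailMessage()
    msg["From"] = "harvested@example.invalid"   # worm forges this from a harvested address
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content("Test =)\nqhzvtr\n--\nTest, yep.\n")
    # Inert filler standing in for the 15,872-byte attachment; not the worm.
    msg.add_attachment(b"\x00" * attachment_size, maintype="application",
                       subtype="octet-stream", filename="frjujs.exe")
    return msg.as_bytes()
```

Because the attachment name is random, the size and extension of the attachment carry more weight than the filename; a gateway filter would normally combine this with the DAT-based detection rather than rely on the message text alone.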

When the attachment is run, the virus checks the system date. If the date is January 28, 2004 or later, the virus simply exits and does not propagate. Otherwise, the virus executes the standard Windows calculator program CALC.EXE. Meanwhile, the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe, and creates a registry Run value to load itself at system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe

Two additional values are created:

• HKEY_CURRENT_USER\Software\Windows98 "frun"
• HKEY_CURRENT_USER\Software\Windows98 "uid"

Mass-mailing Component
The worm harvests email addresses from files with the following extensions and mails itself to those recipients using its own SMTP engine:

• .wab
• .txt
• .htm
• .html

The virus spoofs the sender address by placing a harvested address in the FROM field. The first message uses the same harvested address in both the TO and FROM fields. The second message goes to a different address while the FROM field stays the same. The third message goes to a third address with the second address in the FROM field, and so on.

The virus does not mass-mail itself to addresses that contain one of the following strings:

• @hotmail.com
• @msn.com
• @microsoft
• @avp.

Remote Access Component
The virus listens on TCP port 6777 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by requesting a PHP script on each of the following sites. At the time of this writing the script does not exist on any of them.

• www.elrasshop.de
• www.it-msc.de
• www.getyourfree.net
• www.dmdesign.de
• 64.176.228.13
• www.leonzernitsky.com
• 216.98.136.248
• 216.98.134.247
• www.cdromca.com
• www.kunst-in-templin.de
• vipweb.ru
• antol-co.ru
• www.bags-dostavka.mags.ru
• www.5x12.ru
• bose-audio.net
• www.sttngdata.de
• wh9.tu-dresden.de
• www.micronuke.net
• www.stadthagen.org
• www.beasty-cars.de
• www.polohexe.de
• www.bino88.de
• www.grefrathpaenz.de
• www.bhamidy.de
• www.mystic-vws.de
• www.auto-hobby-essen.de
• www.polozicke.de
• www.twr-music.de
• www.sc-erbendorf.de
• www.montania.de
• www.medi-martin.de
• vvcgn.de
• www.ballonfoto.com
• www.marder-gmbh.de
• www.dvd-filme.com
• www.smeangol.com
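A host triage check covering the startup and registry artefacts described under Virus Characteristics and the TCP 6777 listener described here. This is an added example, not McAfee's code or a Stinger/DAT signature: rather than touching a live registry, it parses text in the layout that "netstat -ano" and "reg query ... /s" print on Windows, plus a directory listing, and reports which of the profile's indicators are present. The netstat and reg query samples are constructed; the profile does not give the data types of the "frun" and "uid" values, so the REG_DWORD/REG_SZ types and their data in the sample are assumptions.

```python
"""Triage a host snapshot for the W32/Bagle@MM indicators given in this profile.

Added example, not McAfee's code. It parses text in the shape that 'netstat -ano'
and 'reg query ... /s' print on Windows (samples below are constructed) plus a
directory listing, and reports which of the profile's indicators are present:
a TCP listener on 6777, bbeagle.exe in the system directory, the "d3dupdate.exe"
Run value, and the "frun"/"uid" values under HKCU\\Software\\Windows98.
"""
from __future__ import annotations
import re

BAGLE_PORT = 6777
BAGLE_FILE = "bbeagle.exe"
# Key paths compared case-insensitively (the registry is case-insensitive).
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\windows98"

# Matches "  TCP    0.0.0.0:6777    0.0.0.0:0    LISTENING    1844"
NETSTAT_LISTENER = re.compile(
    r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)


def listening_pids(netstat_text: str, port: int = BAGLE_PORT) -> list[int]:
    """PIDs holding a TCP listener on `port`, from netstat -ano style text."""
    pids = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTENER.match(line)
        if m and int(m.group(1)) == port:
            pids.append(int(m.group(2)))
    return pids


def registry_values(reg_text: str) -> dict[str, dict[str, str]]:
    """Parse reg query output into {key_path (lowercased): {value_name: data}}."""
    values: dict[str, dict[str, str]] = {}
    current = None
    for line in reg_text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = line.strip().lower()
            values.setdefault(current, {})
        elif current and line.strip():
            # Value lines look like "    name    REG_TYPE    data"; data may be empty
            # or contain double spaces, hence maxsplit=2.
            fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(fields) >= 2:
                values[current][fields[0]] = fields[2] if len(fields) == 3 else ""
    return values


def bagle_host_indicators(netstat_text: str, reg_text: str,
                          system_dir: list[str]) -> list[str]:
    """Return the profile's host indicators found in the snapshot."""
    hits = []
    pids = listening_pids(netstat_text)
    if pids:
        hits.append(f"TCP port {BAGLE_PORT} listening (pid {pids})")
    if any(name.lower() == BAGLE_FILE for name in system_dir):
        hits.append(f"{BAGLE_FILE} present in system directory")
    reg = registry_values(reg_text)
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() == "d3dupdate.exe":
            hits.append(f'Run value "{name}" = {data}')
    markers = {n.lower() for n in reg.get(MARKER_KEY, {})} & {"frun", "uid"}
    if markers:
        hits.append("HKCU\\Software\\Windows98 values: " + ", ".join(sorted(markers)))
    return hits


# Constructed sample in netstat -ano layout; the 6777 listener is the indicator.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       1844
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1844
"""

# Constructed sample in reg query layout; types/data of frun and uid are assumed.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    d3dupdate.exe    REG_SZ    C:\WINNT\System32\bbeagle.exe

HKEY_CURRENT_USER\Software\Windows98
    frun    REG_DWORD    0x1
    uid    REG_SZ    constructed-id
"""
SAMPLE_SYSTEM_DIR = ["calc.exe", "kernel32.dll", "BBEAGLE.EXE"]

# A clean snapshot for comparison (also constructed).
CLEAN_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINNT\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for hit in bagle_host_indicators(SAMPLE_NETSTAT, SAMPLE_REG, SAMPLE_SYSTEM_DIR):
        print("indicator:", hit)
```

On a real host the three inputs would come from the captured output of netstat -ano, reg query /s on the two keys, and a listing of %SysDir%; keeping the parsing separate from the matching makes the same indicator logic usable on saved snapshots from many machines.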
       

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stand-alone Remover
Stinger has been updated to include detection and removal for this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
   - WinNT/2K/XP - Terminate the process BBEAGLE.EXE
2. Delete the file BBEAGLE.EXE from your WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32)
3. Edit the registry
   • Delete the "d3dupdate.exe" value from
     • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Additional Windows ME/XP removal considerations

Sniffer Customers: Filters have been developed that will look for Bagle traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

McAfee Security ThreatScan:
ThreatScan signatures that can detect the W32/Bagle@MM virus are available.