Virus Profile: W32/Bagle.b@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 2/17/2004
Date Added: 2/17/2004
Origin: Unknown
Length: 11,264 bytes (UPXed)
Type: Virus
Subtype: E-mail
DAT Required: 4324
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Port 8866 (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Methods of Infection

Mail Propagation
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

  • .WAB
  • .TXT
  • .HTM
  • .HTML

The virus spoofs the sender address by using a harvested address in the From: field.

Messages are constructed as follows:

From : (address is spoofed)
Subject : ID (string)... thanks
Body :
Yours ID (string2)
--
Thank

Attachment : randomly named binary (11,264 bytes) with .EXE file extension.

Where "string" and "string2" are random strings.

The virus avoids sending itself to addresses containing the following:

  • @hotmail.com
  • @msn.com
  • @microsoft
  • @avp.

Remote Access Component
The virus listens on TCP port 8866 for remote connections. The functionality this backdoor provides to the hacker is currently under investigation.

A notification is sent to the author(s) via HTTP. A GET request (containing the port number and "id") is sent to a PHP script on remote server(s). Users are recommended to block access to the following domains:

  • http://www.47df.de
  • http://www.strato.de
  • http://intern.games-ring.de

Aliases

I-Worm.Bagle.b (AVP), W32.Alua@mm (NAV), W32.Aula@mm (NAV), W32/Tanx.A-mm, W32/Yourid.A.worm (Panda), Win32.HLLM.Strato.16896 (Dialogue Science), WORM_BAGLE.B (Trend)
   

Virus Characteristics

-- Update February 25th 2004 --
The assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.

-- Update February 17th 2004 --
The risk assessment of this threat has been raised to Medium due to increased prevalence.

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • contains a remote access component (notification is sent to hacker)

Users are reminded that the scanning of compressed files (default option) is required for detection.

Like its predecessor , this worm checks the system date. If it is the 25th February 2004 or later, the worm simply exits and does not propagate.

If the date check is satisfied, the virus executes the standard Windows Sound Recorder (SNDREC32.EXE) application. The virus uses the same icon as this application:

The virus copies itself into the Windows system directory as AU.EXE, for example:

  • C:\WINNT\SYSTEM32\AU.EXE

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "au.exe" = C:\WINNT\SYSTEM32\AU.EXE

Additionally, the following two Registry keys are added:

  • HKEY_CURRENT_USER\Software\Windows2000 "frn"
  • HKEY_CURRENT_USER\Software\Windows2000 "gid"

   

All Users :
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stinger
 Stinger  has been updated to assist in detecting and repairing this threat.

McAfee IntruShield
McAfee IntruShield already provides a generic signature to protect against this worm as well as its original form W32/Bagle. The generic signature covers all commonly used attachment types for worms. To stop the propagation, the customer can enable blocking for the signature "SMTP: Worm Detected in Attachment" in their policy. For customers wishing to identify this worm individually, a new user defined signature has been released. This worm can be blocked by enabling blocking on signature "UDS-SMTP: Worm bagle.b Detected" in the customer's policy.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
    - WinNT/2K/XP - Terminate the process AU.EXE
  2. Delete the file AU.EXE  from your WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32)
  3. Edit the registry
    • Delete the "au.exe" value from
      • HKEY_CURRENT_USER\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run

Sniffer Customers: Filters have been developed that will look for Bagle traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

Additional Windows ME/XP removal considerations