Results 1 to 7 of 7

Thread: Red Alert Bagel Worm

  1. #1
    Bagel worm spreads around world

    WW32/BAGLE@MM harvests addresses from local files and allows hackers to upload programs to infected PCs

    An internet worm that can enable hackers to take control of infected PCs is spreading around the world.
    The worm, W32/BAGLE@MM, also known as Bagle, harvests addresses from local .wab, .txt, .htm, and .html files.

    Antivirus company Sophos said it has received "many" reports of the worm, which sends itself to addresses taken from files on the hard disk.

    "The worm spoofs the 'from' field in emails it sends, which means it may appear to have come from someone you know," the company said in a statement.

    The worm includes a back door component that listens on TCP port 6777. This allows an attacker to upload and execute arbitrary programs on infected computers.

    It attempts to notify the virus author of its readiness to accept commands by contacting various websites and trying to activate a script that identifies the compromised computer.

    Users should delete any email containing the following:


    ================
    From: (address may be forged)

    Subject: Hi

    Body:

    Test =)

    (random characters)

    --

    Test, yep.

    Attachment: (random filename) 15,872 bytes

    example:

    frjujs.exe
    ===================


    Sophos said the worm will not activate on PCs with a system date of 28 January 2004 or later.

    SOURCE


    ********************************************************************

    Virus Name: W32/Bagle@MM

    Risk Assessment
    Corporate User:Low
    Home User:Low

    Virus Information
    Discovery Date:01/18/2004
    Origin:Unknown
    Length:15,872 bytes
    Type:Virus
    SubType:E-mail
    Minimum DAT:4316
    Release Date:01/21/2004
    Minimum Engine:4.2.40
    Description Added:01/18/2004
    Description Modified:01/18/2004 12:07 PM (PT)
    Description Menu

    Legend

    Virus Characteristics:

    This is a mass-mailing worm with a remote access component. The worm arrives in an email message with the following characteristics:

    Subject: Hi
    Attachment: (random filename) 15,872 bytes

    example:

    frjujs.exe

    When the attachment is run, the virus executes the standard Windows calculator program CALC.EXE, while the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe , and creates a registry key to load itself at system startup:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe

    Two additional keys are created:
    HKEY_CURRENT_USER\Software\Windows98 "frun"
    HKEY_CURRENT_USER\Software\Windows98 "uid"

    Mass-mailing Component
    The worm harvests addresses from the following files and mails itself to those recipients, using its own SMTP engine.
    .wab
    .txt
    .htm
    .html

    Remote Access Component
    The virus listens on TCP port 6777 for remote connections. It intends to notify the author of an infected system that is awaiting commands, by contacting various websites, calling a PHP script located on the remote sites. At the time of this writing the script in question does not exist on any of these sites.

    www.elrasshop.de
    www.it-msc.de
    www.getyourfree.net
    www.dmdesign.de
    64.176.228.13
    www.leonzernitsky.com
    216.98.136.248
    216.98.134.247
    www.cdromca.com
    www.kunst-in-templin.de
    vipweb.ru
    antol-co.ru
    www.bags-dostavka.mags.ru
    www.5x12.ru
    bose-audio.net
    www.sttngdata.de
    wh9.tu-dresden.de
    www.micronuke.net
    www.stadthagen.org
    www.beasty-cars.de
    www.polohexe.de
    www.bino88.de/1.php
    www.grefrathpaenz.de
    www.bhamidy.de
    www.mystic-vws.de
    www.auto-hobby-essen.de
    www.polozicke.de
    www.twr-music.de
    www.sc-erbendorf.de
    www.montania.de
    www.medi-martin.de
    vvcgn.de
    www.ballonfoto.com
    www.marder-gmbh.de
    www.dvd-filme.com
    www.smeangol.com

    Symptoms
    System listening on TCP port 6777
    Presence of the file bbeagle.exe in the WINDOWS SYSTEM directory

    Method Of Infection

    Manually executing an infected email attachment infects the local system, which is then used to email the virus to others.

    Removal Instructions
    Detection is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

    Additional Windows ME/XP removal considerations

    Aliases
    Name
    I-Worm.Bagle (AVP)
    W32.Beagle.A@mm (Symantec)

    Source:
    http://vil.nai.com/vil/content/v_100965.htm

    Additional information from Kaspersky labs

    I-Worm.Bagle
    [ 01/18/2004 17:09 ]
    Danger : moderate risk

    This is the worm virus spreading via the Internet being attached to infected emails. The worm itself is a Windows PE EXE file about 15KB of length. The message sent by the worm looks like that:

    From:

    random sender
    Subject:

    Hi
    Body:

    Test =)
    Signature:

    Test, yep
    Attachment:

    random name
    Installing
    The worm activates from infected email only in case a user clicks on attached file. While installing the worm copies itself to System directory with the name bbeagle.exe and registers that file in system registry auto-run key:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    d3dupdate.exe = %system%\bbeagle.exe
    Also the worm run "calc.exe" Windows application. The worm attempts to download and execute "TrojanProxy.Win32.Mitglieder" from several remote sities.
    Spreading
    The worm looks for disk files with following extensions: .wab .txt .htm .html .r1 and scans them for email-like text strings, then sends infected messages to the email addresses found. To send infected messages the worm uses SMTP engine.

    Source:
    http://www.viruslist.com/eng/alert.html?id=783050

    Additional information from Bitdefender
    Win32.Bbgle.A@mm

    Name: Win32.Bbgle.A@mm
    Aliases: none
    Type: Executable Trojan Mass Mailer
    Size: 15872
    Discovered: 18.01.2004
    Detected: 18.01.2004
    Spreading: High
    Damage: Medium
    In The Wild: Single report

    Symptoms:
    -presence of the bbeagle.exe file in %sysdir%
    -presence of the following registry keys:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value %sysdir%\bbeagle.exe
    HKCU\Software\Windows98\frun with value 1
    HKCU\Software\Windows98\uid with value a random generated number.


    Technical description:
    This is an Internet worm that is spreading trough e-mail.
    It arrives in the following format:

    Subject:
    Hi

    Body:
    Test =)
    %randomstring%

    Test, yep.

    Attachment:
    %randomstring%.exe

    where %randomstring% is a randomly generated string.

    When the user opens the attachment the worm copies itself in %sysdir% under the name bbeagle.exe and it adds the following registry keys:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value:
    %sysdir%\bbeagle.exe
    and
    HKCU\Software\Windows98\frun with value 1
    HKCU\Software\Windows98\uid with value a random generated number.

    Note:
    %sysdir% represents the windows system directory (usually c:\windows\system).

    After this the worm executes calc.exe and it starts searching for e-mails in files with the following extensions:
    *.wab
    *.txt
    *.htm
    *.html

    After it gathers the e-mail addresses it tries to send itself to all the e-mail addresses it found.
    The worm starts a thread that listens for connections from a remote machine. This connection it is used for downloading a file and executing it. This is a possible auto update mechanism.
    Then it sends a notification message to a list of 36 web sites. The message contains information for about the infected computer. This information will be used for uploading other executable files to the infected computers.


    Removal instructions:
    Let BitDefender delete the infected files it finds

    Removal tool:
    N/A

    Virus analyzed by:
    Sorin Victor Dudea

    Source:
    http://www.bitdefender.com/bd/site/v..._id=1&v_id=182

  2. Software & Hardware   -   #2
    Lick My Lovepump
    Join Date
    May 2003
    Age
    21
    Posts
    2,657
    I thought you left this part of the forum ?

  3. Software & Hardware   -   #3
    I obtained almost all the answers, and i care too much about the members of this forum so maybe i will be back.

  4. Software & Hardware   -   #4
    fkdup74's Avatar Pneuberator.
    Join Date
    Sep 2003
    Posts
    3,554
    wtf? norton didnt auto-update?
    those feckers are gonna hear about this shit
    (whats the point in havin a legitimate subscription then? )

    oh...btw...thanks SH B)
    I am just a worthless liar. I am just an imbecile.
    I will only complicate you. Trust in me and fall as well.
    I will find a center in you. I will chew it up and leave.
    I will work to elevate you just enough to bring you down.

  5. Software & Hardware   -   #5
    uNz[i]'s Avatar Out of order
    Join Date
    Mar 2003
    Posts
    2,217
    FKDUP74 - This worm has been covered by Nortons since the 18th.
    http://securityresponse.symantec.com/[email protected]

  6. Software & Hardware   -   #6
    fkdup74's Avatar Pneuberator.
    Join Date
    Sep 2003
    Posts
    3,554
    [i]Originally posted by uNz@19 January 2004 - 10:20
    FKDUP74 - This worm has been covered by Nortons since the 18th.
    http://securityresponse.symantec.com/[email protected]
    yeah, i noticed that after visiting the site,
    but the thing is, i've had my pc on for a couple of days,
    and feckin norton didnt auto-update, had to manually run live update

    i mean, i dont mind goin and gettin the intelligent updater defs,
    (i usually do on regular basis),
    but if they put it in the live update section, feckin NAV should get em,
    think maybe i need to re-check my f/w, i did some tweakin on it,
    with "act as server" and "act as client" settings
    but i dont see this as a prob, cause i can still manually live update
    oh well, worth a try

    B)
    I am just a worthless liar. I am just an imbecile.
    I will only complicate you. Trust in me and fall as well.
    I will find a center in you. I will chew it up and leave.
    I will work to elevate you just enough to bring you down.

  7. Software & Hardware   -   #7
    Originally posted by sharedholder@19 January 2004 - 16:55
    I obtained almost all the answers, and i care too much about the members of this forum so maybe i will be back.
    Thats the best news have had in a while sharedholder

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •