Bagle worm spreads around world
W32/BAGLE@MM harvests addresses from local files and allows hackers to upload programs to infected PCs
An internet worm that can enable hackers to take control of infected PCs is spreading around the world.
The worm, W32/BAGLE@MM, also known as Bagle, harvests addresses from local .wab, .txt, .htm, and .html files.
Antivirus company Sophos said it has received "many" reports of the worm, which sends itself to addresses taken from files on the hard disk.
"The worm spoofs the 'from' field in emails it sends, which means it may appear to have come from someone you know," the company said in a statement.
The worm includes a back door component that listens on TCP port 6777. This allows an attacker to upload and execute arbitrary programs on infected computers.
It attempts to notify the virus author of its readiness to accept commands by contacting various websites and trying to activate a script that identifies the compromised computer.
Users should delete any email containing the following:
================
From: (address may be forged)
Subject: Hi
Body:
Test =)
(random characters)
--
Test, yep.
Attachment: (random filename) 15,872 bytes
example:
frjujs.exe
===================
Sophos said the worm will not activate on PCs with a system date of 28 January 2004 or later.
SOURCE
********************************************************************
Virus Name: W32/Bagle@MM
Risk Assessment
Corporate User:Low
Home User:Low
Virus Information
Discovery Date:01/18/2004
Origin:Unknown
Length:15,872 bytes
Type:Virus
SubType:E-mail
Minimum DAT:4316
Release Date:01/21/2004
Minimum Engine:4.2.40
Description Added:01/18/2004
Description Modified:01/18/2004 12:07 PM (PT)
Virus Characteristics:
This is a mass-mailing worm with a remote access component. The worm arrives in an email message with the following characteristics:
Subject: Hi
Attachment: (random filename) 15,872 bytes
example:
frjujs.exe
When the attachment is run, the virus executes the standard Windows calculator program CALC.EXE, while the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe, and creates a registry key to load itself at system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe
Two additional keys are created:
HKEY_CURRENT_USER\Software\Windows98 "frun"
HKEY_CURRENT_USER\Software\Windows98 "uid"
Mass-mailing Component
The worm harvests addresses from the following files and mails itself to those recipients, using its own SMTP engine.
.wab
.txt
.htm
.html
Remote Access Component
The virus listens on TCP port 6777 for remote connections. It intends to notify the author of an infected system that is awaiting commands, by contacting various websites, calling a PHP script located on the remote sites. At the time of this writing the script in question does not exist on any of these sites.
Symptoms
System listening on TCP port 6777
Presence of the file bbeagle.exe in the WINDOWS SYSTEM directory
Method Of Infection
Manually executing an infected email attachment infects the local system, which is then used to email the virus to others.
Removal Instructions
Detection is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Aliases
I-Worm.Bagle (AVP)
W32.Beagle.A@mm (Symantec)
Source:
http://vil.nai.com/vil/content/v_100965.htm
Additional information from Kaspersky labs
I-Worm.Bagle
[ 01/18/2004 17:09 ]
Danger : moderate risk
This is a worm that spreads via the Internet, attached to infected emails. The worm itself is a Windows PE EXE file about 15KB in length. The message sent by the worm looks like this:
From:
random sender
Subject:
Hi
Body:
Test =)
Signature:
Test, yep
Attachment:
random name
Installing
The worm activates from an infected email only if the user clicks on the attached file. While installing, the worm copies itself to the System directory under the name bbeagle.exe and registers that file in the system registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
d3dupdate.exe = %system%\bbeagle.exe
The worm also runs the Windows "calc.exe" application. The worm attempts to download and execute "TrojanProxy.Win32.Mitglieder" from several remote sites.
Spreading
The worm looks for disk files with the following extensions: .wab .txt .htm .html .r1 and scans them for email-like text strings, then sends infected messages to the email addresses found. To send infected messages the worm uses its own SMTP engine.
Source:
http://www.viruslist.com/eng/alert.html?id=783050
Additional information from Bitdefender
Win32.Bbgle.A@mm
Name: Win32.Bbgle.A@mm
Aliases: none
Type: Executable Trojan Mass Mailer
Size: 15872
Discovered: 18.01.2004
Detected: 18.01.2004
Spreading: High
Damage: Medium
In The Wild: Single report
Symptoms:
-presence of the bbeagle.exe file in %sysdir%
-presence of the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value %sysdir%\bbeagle.exe
HKCU\Software\Windows98\frun with value 1
HKCU\Software\Windows98\uid with value a randomly generated number.
Technical description:
This is an Internet worm that is spreading through e-mail.
It arrives in the following format:
Subject:
Hi
Body:
Test =)
%randomstring%
Test, yep.
Attachment:
%randomstring%.exe
where %randomstring% is a randomly generated string.
When the user opens the attachment the worm copies itself into %sysdir% under the name bbeagle.exe and adds the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value:
%sysdir%\bbeagle.exe
and
HKCU\Software\Windows98\frun with value 1
HKCU\Software\Windows98\uid with value a randomly generated number.
Note:
%sysdir% represents the windows system directory (usually c:\windows\system).
After this the worm executes calc.exe and it starts searching for e-mails in files with the following extensions:
*.wab
*.txt
*.htm
*.html
After it gathers the e-mail addresses it tries to send itself to all the e-mail addresses it found.
The worm starts a thread that listens for connections from a remote machine. This connection is used for downloading a file and executing it. This is a possible auto-update mechanism.
Then it sends a notification message to a list of 36 web sites. The message contains information about the infected computer. This information will be used for uploading other executable files to the infected computers.
Removal instructions:
Let BitDefender delete the infected files it finds
Removal tool:
N/A
Virus analyzed by:
Sorin Victor Dudea
Source:
http://www.bitdefender.com/bd/site/v..._id=1&v_id=182
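The vendor descriptions above (Sophos, McAfee, Kaspersky, Bitdefender) all agree on the same message shape: Subject "Hi", a body built from "Test =)" and "Test, yep", and a 15,872-byte .exe attachment with a random name. The following mail-gateway check is an added example written for this thread, not code from any of the vendors; it uses only the Python standard library, and the sample messages it builds are constructed test data with a dummy non-executable attachment padded to the worm's size.

```python
"""Flag e-mail matching the W32/Bagle@MM indicators quoted in the vendor descriptions."""
import email
from email import policy
from email.message import EmailMessage

BAGLE_SUBJECT = "Hi"
BAGLE_BODY_MARKERS = ("Test =)", "Test, yep")
BAGLE_ATTACH_SIZE = 15872  # bytes, per Sophos/McAfee/Bitdefender


def bagle_indicators(raw: bytes) -> list[str]:
    """Return the Bagle indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() == BAGLE_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if all(marker in text for marker in BAGLE_BODY_MARKERS):
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".exe") and len(payload) == BAGLE_ATTACH_SIZE:
            hits.append("attachment")
            break
    return hits


def is_bagle(raw: bytes) -> bool:
    """Subject and body alone are weak signals; require the attachment plus one more."""
    hits = bagle_indicators(raw)
    return "attachment" in hits and len(hits) >= 2


def build_sample(subject: str, text: str, attach_name: str, size: int) -> bytes:
    """Construct a test message (constructed data) with a zero-filled dummy attachment."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"  # Bagle forges the From: header, so it is not checked
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


# Constructed samples: one shaped like the worm's message, one that only shares the subject.
SAMPLE_BAGLE = build_sample("Hi", "Test =)\nqwzkf\n--\nTest, yep.\n", "frjujs.exe", 15872)
SAMPLE_BENIGN = build_sample("Hi", "Test =)\n", "notes.txt", 15872)
```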