VIRUS ALERT! Win32.Bagle.A

Dean[AU]

New Member
Original Poster
Win32.Bagle.A is an Internet worm that spreads via e-mail. It also appears that the writer intended for the worm to contain some backdoor functionality; however, due to bugs in the code, this fails to function.

Method of Installation
When executed, Bagle.A copies itself to the %System% directory as bbeagle.exe. This file uses the calculator icon:

It also adds the following registry key to ensure that this copy is executed at Windows start:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe = "%System%\bbeagle.exe"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.

Additionally, it creates two further registry keys:

HKCU\Software\Windows98\frun = 1
HKCU\Software\Windows98\uid = <eight digits>

Method of Distribution
Via E-mail
Bagle spreads via e-mail using its own SMTP engine. It generates a list of addresses to send itself to by scanning and searching .wab, .txt, .htm, and .html files on an affected machine. It also uses these addresses in order to 'spoof' the 'From' address.

While scanning, the worm will avoid any addresses containing @hotmail.com, @msn.com, @microsoft, and @avp. Presumably, this is done to avoid immediate detection.

The message has the following characteristics:
Subject: Hi

Message Body:

Test =)
<random characters>
--
Test, yep.

The attachment uses an .exe file extension and consists of 3 - 11 randomly-generated lowercase characters.

Payload
Backdoor Functionality
The worm opens port 6777 ready to accept incoming connections from a remote user, giving unauthorized access to an affected machine; however, this does not appear to function properly.

It attempts to contact particular web sites. This is presumably to register an infected computer's IP address. The sites do not appear to be active at the time of writing:

Additional Information
The worm will not execute after the 28th of January 2004. If the worm is running on this date, it will drop a batch file to delete itself and the batch file (although this action appears to fail in our laboratory testing).


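As an added example (not code from either post), a mail-gateway check in Python that flags messages showing the three traits described above: the subject 'Hi', the 'Test =)' / 'Test, yep.' body, and an .exe attachment named with 3 to 11 lowercase letters. The sample message is constructed inline; the function names are the example's own.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Traits of the Bagle.A message as described in the post above.
SUBJECT = "Hi"
ATTACH_RE = re.compile(r"^[a-z]{3,11}\.exe$")
BODY_RE = re.compile(r"^Test =\)\n.*\n--\nTest, yep\.\s*$", re.DOTALL)


def bagle_a_indicators(raw_message: bytes) -> dict:
    """Report which of the three Bagle.A message traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    return {
        "subject": (msg.get("Subject") or "").strip() == SUBJECT,
        "body": BODY_RE.match(body) is not None,
        "attachment": any(ATTACH_RE.match(name) for name in attachments),
    }


def is_bagle_a_message(raw_message: bytes) -> bool:
    """Flag only when all three traits line up, to keep false positives low."""
    return all(bagle_a_indicators(raw_message).values())


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a test message (a constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "harvested@example.com"  # the worm spoofs a harvested address
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    # Placeholder bytes stand in for the executable attachment.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Hi", "Test =)\nqwlkjv\n--\nTest, yep.", "kjsdfh.exe")
    print(bagle_a_indicators(sample), is_bagle_a_message(sample))
```

The rule is deliberately narrow; a gateway would normally also quarantine any bare .exe attachment regardless of subject or body.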
Woody13

New Member
Bagle is a mass-mailing worm that was found on the 18th of January, 2004. The worm sends messages with the subject 'Hi' and random EXE attachment names. The worm installs a backdoor on infected machines. Bagle has been programmed to stop spreading on the 28th of January.

Here's a current update concerning Bagle that includes a removal tool:

http://www.f-secure.com/v-descs/bagle.shtml