Bagle.a prevention and cure

Name: Bagle (w32.bagle.a@mm)

What it does: Attempts to e-mail others

Means of transmission: E-mail

How to recognise: E-mail with "Hi" in the subject line and unusual activity on port 6777

Who is at risk: Windows users

Despite flaws in its programming, a new mass-mailing e-mail worm is spreading across Asia and the Internet. Bagle (Bagle.a@mm) looks like yet another worm designed by spammers, much like Sobig and MiMail. It appears to be building a network of vulnerable computers from which it can later launch anonymous e-mail.

When executed, Bagle attempts to e-mail every e-mail address it finds on an infected computer; it will also attempt to download a Trojan horse from a remote site. Bagle appears to be the first of a new family of viruses. Like Sobig, it contains a built-in expiration date; in this case, it's January 28, 2004. Because Bagle spreads via e-mail and could install a Trojan horse program, this worm rates a 7 on the CNET Virus Meter.

How it works
Bagle arrives as an e-mail message with the subject line "Hi". It appears to be sent from a random e-mail address. The body text reads "Test =)" followed by random letters. The attached file, too, uses random letters followed by an .exe extension. The attached file may use the Windows calculator icon.

When executed, the worm will collect e-mail addresses from address books, text, and HTML files. The worm will not, however, contact addresses using the following domains:

  • .r1
  • @hotmail.com
  • @msn.com
  • @microsoft
  • @avp

After January 28, 2004, Bagle will not execute.

According to iDefense, Bagle will make the following changes to the system Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run d3update.exe=WINDOWS SYSTEM DIRECTORY\bbeagle.exe

HKU\%SystemInfo%\Software\Microsoft\Windows\CurrentVersion\Run d3update.exe=WINDOWS SYSTEM DIRECTORY\bbeagle.exe

HKCU\Software\Windows98 frun=1 uid=RANDOMIZED VALUE

Bagle also attempts to download a Trojan horse from a remote site. To do so, it attempts to communicate on port 6777. Desktop firewalls should be able to detect and stop this activity. In theory, this downloaded Trojan would allow the virus author at some future date to update or modify the worm. At this time, however, all the sites Bagle attempts to contact appear to be inactive.
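The three indicators the advisory gives (the "Hi" / "Test =)" message with a random-name .exe attachment, the Run-key and Software\Windows98 Registry entries, and traffic to port 6777) can each be checked from the defender's side. The following script is an added example written for this page, not code from the original article or from any of the antivirus vendors named; the sample message, the .reg export and the firewall log lines are constructed, and the space-separated firewall log layout is an assumption made for the example.

```python
"""Defender-side checks for the Bagle.A indicators in the advisory.

Added example, not code from the original article. The sample message, the
registry export and the firewall log lines below are constructed data; the
space-separated firewall log layout is an assumption for this example.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Mail indicators from the advisory: subject "Hi", body "Test =)" plus random
# letters, and an attachment named with random letters and an .exe extension.
SUBJECT = "Hi"
BODY_PREFIX = "Test =)"
ATTACHMENT_RE = re.compile(r"^[A-Za-z]+\.exe$", re.IGNORECASE)


def bagle_mail_indicators(raw: bytes) -> list:
    """Return the Bagle.A indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().lstrip().startswith(BODY_PREFIX):
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append("attachment:" + name)
    return hits


def is_bagle_candidate(raw: bytes) -> bool:
    """Flag a message only when the subject and a random-name .exe both match,
    so an ordinary 'Hi' message without an executable is not quarantined."""
    hits = bagle_mail_indicators(raw)
    return "subject" in hits and any(h.startswith("attachment:") for h in hits)


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message (constructed data, not a captured worm mail)."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Registry indicators from the advisory, checked against a .reg export
# (regedit "Export") rather than the live Registry so the check runs anywhere.
# Constructed sample; the uid value is a placeholder for the randomized value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"d3update.exe"="C:\\WINDOWS\\SYSTEM\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"frun"=dword:00000001
"uid"="12345"
"""


def registry_indicators(reg_export: str) -> list:
    """Return Run-key values and marker keys that match the listed changes."""
    hits = []
    key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().endswith(r"software\windows98"):
                hits.append("key:" + key)
            continue
        if key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name, data = name.strip('"').lower(), data.strip('"').lower()
        if key.lower().endswith(r"\currentversion\run") and (
                name == "d3update.exe" or data.endswith("bbeagle.exe")):
            hits.append("run:" + key + "\\" + name)
    return hits


# Constructed firewall log lines: date time action proto src dst sport dport.
FIREWALL_LOG = [
    "2004-01-19 10:02:11 ALLOW TCP 192.0.2.15 198.51.100.7 1034 80",
    "2004-01-19 10:02:19 DROP TCP 192.0.2.15 198.51.100.9 1035 6777",
    "2004-01-19 10:03:02 ALLOW UDP 192.0.2.22 198.51.100.1 5353 6777",
    "2004-01-19 10:04:40 ALLOW TCP 192.0.2.31 203.0.113.4 1090 6777",
]


def hosts_using_port_6777(lines) -> list:
    """Return source addresses of TCP connections to destination port 6777."""
    hosts = []
    for line in lines:
        fields = line.split()
        if len(fields) == 8 and fields[3] == "TCP" and fields[7] == "6777":
            hosts.append(fields[4])
    return hosts


if __name__ == "__main__":
    print(bagle_mail_indicators(build_sample("Hi", "Test =) qwlpz", "pzvq.exe")))
    print(registry_indicators(SAMPLE_REG))
    print(hosts_using_port_6777(FIREWALL_LOG))
```

The mail check deliberately requires both the subject and a matching executable attachment before flagging, since "Hi" alone is a common subject; the Registry check reads an exported .reg file so it can be run on a collected export from any machine, and the port check lists the internal hosts that tried to reach 6777, which is the list a desktop-firewall or proxy log review would hand to the people cleaning up.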

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Sophos, Symantec, and Trend Micro.
