Tilted Forum Project Discussion Community  

Old 01-20-2004, 07:32 AM   #1 (permalink)
Right Now
 
Location: Home
Worm Alert: Bagle

The latest worm to exploit Microsoft's mass mailing features. Note that it uses the IRC port 6667 to "own" your computer.

Link

Quote:
Virus Characteristics:

This is a mass-mailing worm with a remote access component. The worm arrives in an email message with the following characteristics:

From: (address may be forged)
Subject: Hi
Body:
Test =)
(random characters)
--
Test, yep.

Attachment: (random filename) 15,872 bytes

example:

frjujs.exe

When the attachment is run, the virus checks the system date. If the date is January 28, 2004 or later, the virus simply exits and does not propagate. Otherwise, the virus executes the standard Windows calculator program CALC.EXE. Meanwhile, the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe, and creates a registry key to load itself at system startup:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe

Two additional keys are created:

* HKEY_CURRENT_USER\Software\Windows98 "frun"
* HKEY_CURRENT_USER\Software\Windows98 "uid"

Mass-mailing Component
The worm harvests addresses from the following files and mails itself to those recipients, using its own SMTP engine.

* .wab
* .txt
* .htm
* .html

The virus spoofs the sender address by using a harvested address in the FROM field. The first message sent by the virus uses the same harvested address in the TO and FROM fields. The second message is sent to a different address, while the FROM field remains the same. The third message is sent to a third address, and the FROM field contains the second address and so on.

The virus does not mass-mail itself to addresses that contain one of the following strings:

* @hotmail.com
* @msn.com
* @microsoft
* @avp.

Remote Access Component
The virus listens on TCP port 6777 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.

* www.elrasshop.de
* www.it-msc.de
* www.getyourfree.net
* www.dmdesign.de
* 64.176.228.13
* www.leonzernitsky.com
* 216.98.136.248
* 216.98.134.247
* www.cdromca.com
* www.kunst-in-templin.de
* vipweb.ru
* antol-co.ru
* www.bags-dostavka.mags.ru
* www.5x12.ru
* bose-audio.net
* www.sttngdata.de
* wh9.tu-dresden.de
* www.micronuke.net
* www.stadthagen.org
* www.beasty-cars.de
* www.polohexe.de
* www.bino88.de
* www.grefrathpaenz.de
* www.bhamidy.de
* www.mystic-vws.de
* www.auto-hobby-essen.de
* www.polozicke.de
* www.twr-music.de
* www.sc-erbendorf.de
* www.montania.de
* www.medi-martin.de
* vvcgn.de
* www.ballonfoto.com
* www.marder-gmbh.de
* www.dvd-filme.com
* www.smeangol.com

Symptoms
* System listening on TCP port 6777
* Presence of the file bbeagle.exe in the WINDOWS SYSTEM directory

Method Of Infection

Manually executing an infected email attachment infects the local system, which is then used to email the virus to others.

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Alternatively, the following EXTRA.DAT packages are available.
EXTRA.DAT
SUPER EXTRA.DAT

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stand-alone Remover
Stinger has been updated to include detection and removal for this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1. Win9x/ME: Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
   WinNT/2K/XP: Terminate the process BBEAGLE.EXE.
2. Delete the file BBEAGLE.EXE from your WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32).
3. Edit the registry: delete the "d3dupdate.exe" value from
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Additional Windows ME/XP removal considerations

Variants
(none listed)

Aliases
Name
I-Worm.Bagle (AVP)
W32.Beagle.A@mm (Symantec)
W32/Bagle-A (Sophos)
W32/Bagle.A@mm (F-Secure)
WORM_BAGLE.A (Trend)
Peetster is offline  
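The quoted writeup gives two sets of indicators a defender can act on: the message template the worm mails out (Subject "Hi", a body starting "Test =)", a random-named .exe attachment of 15,872 bytes) and the traces it leaves on a host (bbeagle.exe in the system directory, the "d3dupdate.exe" value under the HKCU Run key, a listener on TCP 6777). The script below, added here as an example and not code from the post or from the antivirus vendor, turns both into triage functions and runs them over constructed sample data (the mail samples and host snapshots are made up for the example; on a real host you would feed in the actual directory listing, Run key values and listening-port table). It assumes only the values stated in the writeup.

```python
"""Bagle.A indicator triage (added example; not from the forum post or the AV vendor).

Mail side: the message template described in the writeup.
Host side: the symptoms section (file, Run key value, TCP 6777 listener).
All inputs below are constructed samples so the script runs offline.
"""
from dataclasses import dataclass

BAGLE_ATTACHMENT_SIZE = 15_872   # bytes, from the writeup
BAGLE_PORT = 6777                # remote-access listener
BAGLE_FILE = "bbeagle.exe"       # dropped into the WINDOWS SYSTEM directory
BAGLE_RUN_VALUE = "d3dupdate.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list   # list of (filename, size_in_bytes)


def score_message(msg: Message) -> list:
    """Return every Bagle.A mail indicator the message matches (empty = none).

    A one-word "Hi" subject on its own is common legitimate traffic, so the
    individual hits are returned and the caller decides on the combination.
    """
    hits = []
    if msg.subject.strip() == "Hi":
        hits.append("subject:Hi")
    if msg.body.lstrip().startswith("Test =)"):
        hits.append("body:Test =)")
    for name, size in msg.attachments:
        if name.lower().endswith(".exe"):
            hits.append(f"attachment:exe:{name}")
            if size == BAGLE_ATTACHMENT_SIZE:
                hits.append(f"attachment:size:{size}")
    return hits


def is_bagle_mail(msg: Message) -> bool:
    """Flag only when the template subject AND the exact payload size both match."""
    hits = score_message(msg)
    return "subject:Hi" in hits and any(h.startswith("attachment:size:") for h in hits)


@dataclass
class HostSnapshot:
    system_dir_files: list      # file names in %SysDir%
    run_values: dict            # HKCU Run value name -> command line
    listening_tcp_ports: set


def check_host(snap: HostSnapshot) -> list:
    """Return the host-side Bagle.A symptoms present in the snapshot."""
    found = []
    if any(f.lower() == BAGLE_FILE for f in snap.system_dir_files):
        found.append(f"file:{BAGLE_FILE}")
    cmd = snap.run_values.get(BAGLE_RUN_VALUE)
    if cmd is not None and BAGLE_FILE in cmd.lower():
        found.append(f"registry:{RUN_KEY}\\{BAGLE_RUN_VALUE}")
    if BAGLE_PORT in snap.listening_tcp_ports:
        found.append(f"port:tcp/{BAGLE_PORT}")
    return found


# --- constructed samples (not real captures) ---
SAMPLE_WORM_MAIL = Message(
    sender="someone@example.org",          # harvested, forged sender
    subject="Hi",
    body="Test =)\nqwlkjasd\n--\nTest, yep.",
    attachments=[("frjujs.exe", 15_872)],
)
SAMPLE_BENIGN_MAIL = Message(
    sender="colleague@example.org",
    subject="Hi",
    body="Test =) the new build when you get a chance",
    attachments=[("build-notes.txt", 2_048)],
)
INFECTED_HOST = HostSnapshot(
    system_dir_files=["kernel32.dll", "calc.exe", "bbeagle.exe"],
    run_values={"d3dupdate.exe": r"C:\WINNT\System32\bbeagle.exe"},
    listening_tcp_ports={135, 445, 6777},
)
CLEAN_HOST = HostSnapshot(
    system_dir_files=["kernel32.dll", "calc.exe"],
    run_values={"example_updater": r"C:\Program Files\Example\updater.exe"},  # placeholder
    listening_tcp_ports={135, 445},
)

if __name__ == "__main__":
    for label, m in (("worm", SAMPLE_WORM_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        print(label, is_bagle_mail(m), score_message(m))
    for label, h in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(label, check_host(h))
```

The benign sample deliberately matches the subject and the body prefix but not the payload, which is why `is_bagle_mail` keys on the attachment size rather than on the text alone; the host check reports each symptom separately so a single remaining Run value after a partial clean-up is still visible.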
Old 01-20-2004, 07:44 AM   #2 (permalink)
Invisible
 
yournamehere's Avatar
 
Location: tentative, at best
Thanks for the heads-up, but why on earth would anyone ever open an attachment that ends in .exe?

Hmmm . . . nevermind - there are always those who will.
And I'm sure I'm in the address book of a few of them.
__________________
If you want to avoid 95% of internet spelling errors:
"If your ridiculous pants are too loose, you're definitely going to lose them. Tell your two loser friends over there that they're going to lose theirs, too."
It won't hurt your fashion sense, either.
yournamehere is offline  
Old 01-20-2004, 07:54 AM   #3 (permalink)
Fear the bunny
 
Location: Hanging off the tip of the Right Wing
Quote:
Originally posted by yournamehere
Thanks for the heads-up, but why on earth would anyone ever open an attachment that ends in .exe?

Hmmm . . . nevermind - there are always those who will.
And I'm sure I'm in the address book of a few of them.
Because 99% of PC users are complete idiots. Don't pretend you're surprised.
__________________
Activism is a way for useless people to feel important.
BoCo is offline  
Old 01-20-2004, 10:58 AM   #4 (permalink)
hovering in the distance
 
Location: the land of milk and honey
Heh heh, idiots. Thanks for the tip.
__________________
no signature required
moonstrucksoul is offline  
Old 01-20-2004, 01:20 PM   #5 (permalink)
Holy Knight of The Alliance
 
Location: Stormwind, The Eastern Kingdoms, Azeroth
Quote:
Originally posted by BoCo
Because 99% of PC users are complete idiots. Don't pretend you're surprised.
that's the damn truth

Working in the computer labs up here at Appalachian has taught me that most people just don't have a fucking clue.
__________________
What do you say to one last showdown?
- Ocelot, Metal Gear Solid 3

The password is "Who are the Patriots?" and "La-Li-Lu-Le-Lo." "La-Li-Lu-Le-Lo." Gotcha.
- The Colonel and Snake, Metal Gear Solid 3
bltzkriegmcanon is offline  
Old 01-20-2004, 05:51 PM   #6 (permalink)
Banned
 
Location: back to my old location
Thanks for the tip.

Will a patch be needed?
edit: Probably not, but just to make sure.
VF19 is offline  
Old 01-20-2004, 05:53 PM   #7 (permalink)
Thor
 
micah67's Avatar
 
Location: 33:08:12N 117:10:23W
"Yeah, but the email came from someone I know. I thought it would be safe."

True story. 5 hours old.
__________________
~micah
micah67 is offline  
Old 01-20-2004, 07:13 PM   #8 (permalink)
Banned
 
Location: shittown, CA
Quote:
Originally posted by yournamehere
Thanks for the heads-up, but why on earth would anyone ever open an attachment that ends in .exe?

Hmmm . . . nevermind - there are always those who will.
And I'm sure I'm in the address book of a few of them.
Also, a massive chunk of MS users still use 95/98/ME and other systems where Outlook auto-runs scripts, exes and other crap. So even though it's FINALLY off by default in new versions, all these old systems are still wide open.
juanvaldes is offline  