Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology
Worm Alert: Bagle Worm Alert: Bagle

Donate now! Members List


 
 
LinkBack Thread Tools
Old 01-20-2004, 07:32 AM   #1 (permalink)
Right Now
 
Location: Home
Worm Alert: Bagle
The latest worm to exploit Microsoft's mass mailing features. Note that it uses the IRC port 6667 to "own" your computer.

Link

Quote:
Virus Characteristics:

This is a mass-mailing worm with a remote access component. The worm arrives in an email message with the following characteristics:

From: (address may be forged)
Subject: Hi
Body:
Test =)
(random characters)
--
Test, yep.

Attachment: (random filename) 15,872 bytes

example:

frjujs.exe

When the attachment is run, the virus checks the system date. If the date is January 28, 2004 or later, the virus simply exits and does not propagate. Otherwise, the virus executes the standard Windows calculator program CALC.EXE. Meanwhile, the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe , and creates a registry key to load itself at system startup:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe

Two additional keys are created:

* HKEY_CURRENT_USER\Software\Windows98 "frun"
* HKEY_CURRENT_USER\Software\Windows98 "uid"

Mass-mailing Component
The worm harvests addresses from the following files and mails itself to those recipients, using its own SMTP engine.

* .wab
* .txt
* .htm
* .html

The virus spoofs the sender address by using a harvested address in the FROM field. The first message sent by the virus uses the same harvested address in the TO and FROM fields. The second message is sent to a different address, while the FROM field remains the same. The third message is sent to a third address, and the FROM field contains the second address and so on.

The virus does not mass-mail itself to addresses that contain one of the following strings:

* @hotmail.com
* @msn.com
* @microsoft
* @avp.

Remote Access Component
The virus listens on TCP port 6777 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.

* www.elrasshop.de
* www.it-msc.de
* www.getyourfree.net
* www.dmdesign.de
* 64.176.228.13
* www.leonzernitsky.com
* 216.98.136.248
* 216.98.134.247
* www.cdromca.com
* www.kunst-in-templin.de
* vipweb.ru
* antol-co.ru
* www.bags-dostavka.mags.ru
* www.5x12.ru
* bose-audio.net
* www.sttngdata.de
* wh9.tu-dresden.de
* www.micronuke.net
* www.stadthagen.org
* www.beasty-cars.de
* www.polohexe.de
* www.bino88.de
* www.grefrathpaenz.de
* www.bhamidy.de
* www.mystic-vws.de
* www.auto-hobby-essen.de
* www.polozicke.de
* www.twr-music.de
* www.sc-erbendorf.de
* www.montania.de
* www.medi-martin.de
* vvcgn.de
* www.ballonfoto.com
* www.marder-gmbh.de
* www.dvd-filme.com
* www.smeangol.com

Top of Page

Symptoms
# System listening on TCP port 6777
# Presence of the file bbeagle.exe in the WINDOWS SYSTEM directory
Top of Page

Method Of Infection

Manually executing an infected email attachment infects the local system, which is then used to email the virus to others.
Top of Page

Removal Instructions

All Users :
Use current engine and DAT files for detection and removal.

Alternatively, the following EXTRA.DAT packages are available.
EXTRA.DAT
SUPER EXTRA.DAT

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stand-alone Remover
Stinger has been updated to include detection and removal for this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
- WinNT/2K/XP - Terminate the process BBEAGLE.EXE
2. Delete the file BBEAGLE.EXE from your WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32)
3. Edit the registry
* Delete the "d3dupdate.exe" value from
o HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run

Additional Windows ME/XP removal considerations
Top of Page

Variants
Name Type Sub Type Differences
Top of Page

Aliases
Name
I-Worm.Bagle (AVP)
W32.Beagle.A@mm (Symantec)
W32/Bagle-A (Sophos)
W32/Bagle.A@mm (F-Secure)
WORM_BAGLE.A (Trend)
Peetster is offline  
Old 01-20-2004, 07:44 AM   #2 (permalink)
Invisible
 
yournamehere's Avatar
 
Location: tentative, at best
Thanks for the heads-up, but why on earth would anyone <i>ever</i> open an attachment that ends in .exe?

Hmmm . . . nevermind - there are always those who will.
And I'm sure I'm in the address book of a few of them.
__________________
If you want to avoid 95% of internet spelling errors:
"If your ridiculous pants are too loose, you're definitely going to lose them. Tell your two loser friends over there that they're going to lose theirs, too."
It won't hurt your fashion sense, either.
yournamehere is offline  
Old 01-20-2004, 07:54 AM   #3 (permalink)
Fear the bunny
 
Location: Hanging off the tip of the Right Wing
Quote:
Originally posted by yournamehere
Thanks for the heads-up, but why on earth would anyone <i>ever</i> open an attachment that ends in .exe?

Hmmm . . . nevermind - there are always those who will.
And I'm sure I'm in the address book of a few of them.
Because 99% of PC users are complete idiots. Don't pretend you're surprised.
__________________
Activism is a way for useless people to feel important.
BoCo is offline  
Old 01-20-2004, 10:58 AM   #4 (permalink)
hovering in the distance
 
Location: the land of milk and honey
he heh, idiots thanks for the tip.
__________________
no signature required
moonstrucksoul is offline  
Old 01-20-2004, 01:20 PM   #5 (permalink)
Holy Knight of The Alliance
 
Location: Stormwind, The Eastern Kingdoms, Azeroth
Quote:
Originally posted by BoCo
Because 99% of PC users are complete idiots. Don't pretend you're surprised.
that's the damn truth

working in the computer labs up here at Appalachian have taught me that most people just don't have a fucking clue.
__________________
What do you say to one last showdown?
- Ocelot, Metal Gear Solid 3

The password is "Who are the Patriots?" and "La-Li-Lu-Le-Lo." "La-Li-Lu-Le-Lo." Gotcha.
- The Colonel and Snake, Metal Gear Solid 3
bltzkriegmcanon is offline  
Old 01-20-2004, 05:51 PM   #6 (permalink)
Banned
 
Location: back to my old location
Thanks for the tip.

Will a patch be needed?
edit:Probably not but just to make sure.
VF19 is offline  
Old 01-20-2004, 05:53 PM   #7 (permalink)
Thor
 
micah67's Avatar
 
Location: 33:08:12N 117:10:23W
"Yeah, but the email came from someone I know. I thought it would be safe."

True story. 5 hours old.
__________________
~micah
micah67 is offline  
Old 01-20-2004, 07:13 PM   #8 (permalink)
Banned
 
Location: shittown, CA
Quote:
Originally posted by yournamehere
Thanks for the heads-up, but why on earth would anyone <i>ever</i> open an attachment that ends in .exe?

Hmmm . . . nevermind - there are always those who will.
And I'm sure I'm in the address book of a few of them.
also a massive chunk of MS users still use 95/98/ME and other systems where outlook auto runs scripts, exe's and other crap. So even though it's FINALLY off by default in new versions all these old systems are still wide open.
juanvaldes is offline  
 

Tags
alert, bagle, worm

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -8. The time now is 02:54 AM.

Tilted Forum Project
Contact Us - Tilted Forum Project - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360