Mike's VirusInfo: BAGLE


Virus Characteristics (provided by McAfee Security)

-- Update February 17th 2004 --

The risk assessment of this threat has been raised to Medium due to increased prevalence.

--

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • contains a remote access component (notification is sent to hacker)

Users are reminded that the scanning of compressed files (default option) is required for detection.

Like its predecessor, this worm checks the system date. If it is the 25th February 2004 or later, the worm simply exits and does not propagate.

If the date check is satisfied, the virus executes the standard Windows Sound Recorder (SNDREC32.EXE) application. The virus uses the same icon as this application.

The virus copies itself into the Windows system directory as AU.EXE, for example:

  • C:\WINNT\SYSTEM32\AU.EXE

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "au.exe" = C:\WINNT\SYSTEM32\AU.EXE

Additionally, the following two Registry keys are added:

  • HKEY_CURRENT_USER\Software\Windows2000 "frn"
  • HKEY_CURRENT_USER\Software\Windows2000 "gid"

Indications of Infection

  • Port 8866 (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

Mail Propagation
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

  • .WAB
  • .TXT
  • .HTM
  • .HTML

The virus spoofs the sender address by using a harvested address in the From: field.

Messages are constructed as follows:

From : (address is spoofed)
Subject : ID (string)... thanks
Body :
Yours ID (string2)
--
Thank

Attachment : randomly named binary (11,264 bytes) with .EXE file extension.

Where "string" and "string2" are random strings.
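The message traits above translate directly into a mail-gateway check. The following is an added example (not McAfee's or the page author's code) that parses RFC 822 messages with Python's email module and flags only messages showing all three traits; the two sample messages are constructed here, and the regular expressions are this example's own reading of the "ID (string)... thanks" / "Yours ID (string2)" patterns.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Traits from the description: subject "ID <string>... thanks", body "Yours ID <string2>",
# and a randomly named 11,264-byte .EXE attachment. Regexes are this example's assumption.
SUBJECT_RE = re.compile(r"^ID\s+\S+\.\.\.\s*thanks$", re.IGNORECASE)
BODY_RE = re.compile(r"^Yours ID\s+\S+", re.IGNORECASE | re.MULTILINE)
ATTACHMENT_SIZE = 11264


def bagle_b_indicators(raw: bytes) -> list:
    """Return the Bagle.B message traits found in a raw RFC 822 message, in a fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_RE.search(body.get_content()):
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".exe") and len(payload) == ATTACHMENT_SIZE:
            hits.append("attachment")
            break
    return hits


def is_bagle_b(raw: bytes) -> bool:
    """Flag a message only when all three traits coincide, keeping false positives low."""
    return set(bagle_b_indicators(raw)) == {"subject", "body", "attachment"}


def build_sample(subject: str, body: str, exe_size: int) -> bytes:
    """Construct a sample message with an .EXE attachment (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"   # placeholder for the spoofed harvested sender
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"\0" * exe_size, maintype="application",
                     subtype="octet-stream", filename="abcdef.exe")
    return m.as_bytes()


# Constructed samples: one matching the worm's pattern, one benign mail with a different .EXE.
WORM_SAMPLE = build_sample("ID fd2e4... thanks", "Yours ID 83ab1\n--\nThank\n", 11264)
BENIGN_SAMPLE = build_sample("Minutes of meeting", "Hi,\nnotes attached.\n", 20480)
```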

The virus avoids sending itself to addresses containing the following:

  • @hotmail.com
  • @msn.com
  • @microsoft
  • @avp.

Remote Access Component
The virus listens on TCP port 8866 for remote connections. The functionality this backdoor provides to the hacker is currently under investigation.

A notification is sent to the author(s) via HTTP. A GET request (containing the port number and "id") is sent to a PHP script on remote server(s). Users are recommended to block access to the following domains:

  • http://www.47df.de
  • http://www.strato.de
  • http://intern.games-ring.de

Removal Instructions

All Users:
Use specified engine and DAT files for detection and removal.

The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files).

EXTRA.DAT
SUPER EXTRA.DAT

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

McAfee IntruShield
McAfee IntruShield already provides a generic signature to protect against this worm as well as its original form W32/Bagle. The generic signature covers all commonly used attachment types for worms. To stop the propagation, the customer can enable blocking for the signature "SMTP: Worm Detected in Attachment" in their policy. For customers wishing to identify this worm individually, a new user defined signature has been released. This worm can be blocked by enabling blocking on signature "UDS-SMTP: Worm bagle.b Detected" in the customer's policy.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
     - WinNT/2K/XP - Terminate the process AU.EXE.
  2. Delete the file AU.EXE from your WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32).
  3. Edit the registry:
    • Delete the "au.exe" value from
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
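An added host-triage script (not from McAfee's write-up or any vendor tool) that checks a Windows host for the indicators this page lists, and can be re-run after the manual steps to confirm the file, Run value, marker values and listening port are gone. The state dictionary layout, the loopback-connect port test and the sample state are this example's own assumptions.

```python
import ntpath
import os
import socket

# Host indicators listed on this page (dropped file, Run value, marker values, backdoor port).
BACKDOOR_PORT = 8866
DROPPED_FILE = "AU.EXE"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "au.exe"
MARKER_KEY = r"Software\Windows2000"
MARKER_VALUES = ("frn", "gid")


def evaluate(state: dict) -> list:
    """Map a collected host state to the list of Bagle.B indicators present.
    state = {"files": [...], "run_values": [...], "marker_values": [...], "port_open": bool}"""
    found = []
    if any(ntpath.basename(f).upper() == DROPPED_FILE for f in state["files"]):
        found.append("file:" + DROPPED_FILE)
    if RUN_VALUE in {v.lower() for v in state["run_values"]}:
        found.append("run-key:" + RUN_VALUE)
    found += ["registry:Windows2000\\" + v for v in MARKER_VALUES if v in state["marker_values"]]
    if state["port_open"]:
        found.append("port:%d/tcp" % BACKDOOR_PORT)
    return found


def collect_state() -> dict:
    """Gather the same facts from a live Windows host (winreg is Windows-only)."""
    import winreg  # imported lazily so the module still loads on other platforms

    def has_value(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                winreg.QueryValueEx(key, name)
            return True
        except OSError:
            return False

    path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32", DROPPED_FILE)
    with socket.socket() as sock:  # a successful loopback connect means something is listening
        sock.settimeout(0.5)
        port_open = sock.connect_ex(("127.0.0.1", BACKDOOR_PORT)) == 0
    return {"files": [path] if os.path.exists(path) else [],
            "run_values": [RUN_VALUE] if has_value(RUN_KEY, RUN_VALUE) else [],
            "marker_values": [v for v in MARKER_VALUES if has_value(MARKER_KEY, v)],
            "port_open": port_open}


# Constructed state of an infected host matching the indicators above (not a real capture).
SAMPLE_INFECTED = {"files": [r"C:\WINNT\SYSTEM32\AU.EXE"], "run_values": ["au.exe"],
                   "marker_values": ["frn", "gid"], "port_open": True}
```

On a Windows host, `evaluate(collect_state())` returns an empty list once cleanup is complete.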

Sniffer Customers: Filters have been developed that will look for Bagle traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

Additional Windows ME/XP removal considerations

Aliases
I-Worm.Bagle.b (AVP), W32.Alua@mm (NAV), W32.Aula@mm (NAV), W32/Tanx.A-mm, W32/Yourid.A.worm (Panda), Win32.HLLM.Strato.16896 (Dialogue Science), WORM_BAGLE.B (Trend)


Detailed technical description of the worm as well as screenshots are
available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/bagle_b.shtml

F-Secure Anti-Virus can detect and remove the Bagle.B worm. F-Secure
Anti-Virus can be downloaded from http://www.f-secure.com. F-Secure has also
released a free disinfection tool, which can be used to remove Bagle.B from
infected systems.

Bagle Removers
Bagle is a mass-mailing worm that was found on 18th of January, 2004.
The worm sends messages with the subject 'Hi' and random EXE attachment
names. It has been programmed to stop spreading on 28th of January.
The Bagle removal tool can be downloaded in a ZIP file from:
http://www.f-secure.com/tools/f-bagle.zip

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

The unpacked version is available from:
http://www.f-secure.com/tools/f-bagle.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe
http://www.f-secure.com/tools/f-bagle.txt
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt
From information provided by F-Secure.



For more information:

Kaspersky Labs (I-Worm.Bagle.b):
http://www.viruslist.com/eng/viruslist.html?id=984012

McAfee (W32/Bagle.b@MM):
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101030
Online scan for W32/Bagle.b@MM:
http://us.mcafee.com/root/mfs/default.asp

Panda (Bagle.B worm):
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?
Panda Software has released its PQremove utility, which detects
and eliminates the Bagle.B worm from infected computers.
This application also restores any changes this worm has made to
the system configuration.

This tool can be downloaded free of charge from
http://www.pandasoftware.com/download/utilities.

Symantec (W32.Beagle.B@mm):
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.b@mm.html

Trend (WORM_BAGLE.B):
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.B
Remover: http://www.trendmicro.com/download/dcs.asp

