I-Worm.Bagle

Name: Win32.Bbgle.A@mm
Aliases: none
Type: Executable Trojan Mass Mailer
Size: 15872
Discovered: 18.01.2004
Detected: 18.01.2004
Spreading: High
Damage: Medium
In The Wild: Single report

Symptoms:
-presence of the bbeagle.exe file in %sysdir%
-presence of the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value %sysdir%\bbeagle.exe
HKCU\Software\Windows98\frun with value 1
HKCU\Software\Windows98\uid with value a random generated number.

more: http://www.bitdefender.com

KAV, McAfee( DAILY DAT beta files), Norton (beta)NOD32 (heuristics & signs) and BitDefender detect this one with no problems.


tECHNODROME

 

TrendMicro:

TrendLabs HQ received several reports, initially from the US and subsequently from Europe, of this new worm spreading via email. As of January 18, 2004 5:13 PM (US Pacific Time), TrendLabs has declared a yellow alert to control the spread of WORM_BAGLE.A.

Read more:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.A

 

Sophos:

http://www.sophos.com/virusinfo/analyses/w32baglea.html

 

Symantec:

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html


edit:

Due to the character @ in above mentioned link to the Symantec site, it is not possible to make it clickable.
So copy and paste the whole url into your browser.

 

Info on Bugtraq is warning that this worm is gathering steam...heads-up, everyone...

 

You can say that again. Got my first copies today. Both NOD and NAV responded satisfactory I might add.

Regards,

Pieter

 

Trend Newsletter: WORM_BAGLE.A

WORM_BAGLE.A is a non-destructive worm that sends email to addresses gathered from files with certain extensions, adding itself as an attachment. It uses Simple Mail Transfer Protocol (SMTP) to send itself via email, and it is currently spreading in-the-wild. It affects systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm checks the current computer system date. It terminates if the system date is January 28, 2004 or later.

It drops a copy of itself in the Windows system folder using the file name BBEAGLE.EXE. It then creates two registry entries that allow it to run at every Windows startup.

This malware uses SMTP in order to perform its mailing routine. To propagate via email, it searches for and acquires email addresses from files with the following extensions:

WAB
TXT
HTM
HTML

It avoids email addresses that contain the following strings:

.r1
@hotmail.com
@msn.com
@microsoft
@avp

It sends email to the obtained addresses and takes from the same pool to spoof or forge the sender addresses (as shown on the FROM field of its messages). It spawns a thread to send out an email for each recipient address.

The email it sends contains the following details:

Subject: Hi
Message Body: Test =)
Bqkqcjenbjycliy
--
Test, yep.
Attachment: ltdm.exe

The attachment name and the text strings after "Test=)" are randomly generated characters. The email address that appears in the FROM field is also not authentic, but is a randomly chosen email address obtained from the infected machine.

If this worm's file name is not %System%\BBEAGLE.EXE, it executes CALC.EXE (Windows Calculator program). While running in the background, it proceeds with its malicious activities. If the user terminates the Windows Calculator application, this worm still executes, as it is actually a separate program. If it runs CALC.EXE directly, this worm fails to activate.

WORM_BAGLE.A also opens and listens to port 6777 on the infected machine to receive remote commands. It allows a malicious user to take control of the infected system, compromising network and local security.

If you would like to scan your computer for WORM_BAGLE.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_BAGLE.A is detected and cleaned by Trend Micro pattern file #729 and above.