I-Worm.Bagle

Discussion in 'malware problems & news' started by Technodrome, Jan 18, 2004.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Name: Win32.Bbgle.A@mm
    Aliases: none
    Type: Executable Trojan Mass Mailer
    Size: 15872
    Discovered: 18.01.2004
    Detected: 18.01.2004
    Spreading: High
    Damage: Medium
    In The Wild: Single report

    Symptoms:
    -presence of the bbeagle.exe file in %sysdir%
    -presence of the following registry keys:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe with value %sysdir%\bbeagle.exe
    HKCU\Software\Windows98\frun with value 1
    HKCU\Software\Windows98\uid with value a random generated number.

    more: http://www.bitdefender.com

    KAV, McAfee (DAILY DAT beta files), Norton (beta), NOD32 (heuristics & signs) and BitDefender detect this one with no problems.


    Technodrome
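    The symptoms listed above (the dropped file in %sysdir% and the three HKCU registry values) are easy to turn into a host check. The script below is an added example, not BitDefender's or Technodrome's code. It assumes %sysdir% means the system32 folder under %SystemRoot%; the lookups are injected so the same logic can run against the live registry on a Windows host or against a constructed snapshot (a set of file names plus a dict of registry values) anywhere else.

```python
import os
import sys
from typing import Callable, Dict, Optional

# Host indicators for Bagle.A exactly as listed in the post above.
DROPPED_FILE = "bbeagle.exe"                   # dropped into %sysdir%
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "d3dupdate.exe"                    # data: %sysdir%\bbeagle.exe
MARKER_KEY = r"Software\Windows98"             # the worm's own marker key
MARKER_VALUES = ("frun", "uid")                # frun = 1, uid = random number

FileExists = Callable[[str], bool]                  # file name in %sysdir% -> present?
RegQuery = Callable[[str, str], Optional[str]]      # (HKCU subkey, value name) -> data or None


def check_bagle_indicators(file_exists: FileExists, reg_query: RegQuery) -> Dict[str, str]:
    """Return the indicators present on the host, keyed by a short label."""
    hits: Dict[str, str] = {}
    run_data = reg_query(RUN_KEY, RUN_VALUE)
    # The Run value only counts if it actually points at the dropped file.
    if run_data is not None and run_data.lower().endswith(DROPPED_FILE):
        hits["run_entry"] = run_data
    for name in MARKER_VALUES:
        data = reg_query(MARKER_KEY, name)
        if data is not None:
            hits[f"marker_{name}"] = data
    if file_exists(DROPPED_FILE):
        hits["dropped_file"] = DROPPED_FILE
    return hits


def verdict(hits: Dict[str, str]) -> str:
    """Persistence entry or dropped file means an active infection; a leftover
    marker value alone usually means an incomplete clean-up worth a second look."""
    if "run_entry" in hits or "dropped_file" in hits:
        return "infected"
    if hits:
        return "suspicious"
    return "clean"


def live_lookups() -> tuple:
    """Real lookups for a Windows host: HKCU of the current user and %SystemRoot%\\system32."""
    import winreg  # only importable on Windows
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")

    def file_exists(name: str) -> bool:
        return os.path.isfile(os.path.join(sysdir, name))

    def reg_query(subkey: str, value: str) -> Optional[str]:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                data, _type = winreg.QueryValueEx(key, value)
                return str(data)
        except OSError:          # key or value absent
            return None

    return file_exists, reg_query


def snapshot_lookups(files: set, registry: Dict[tuple, str]) -> tuple:
    """Lookups over a snapshot: a set of lower-case file names and {(subkey, value): data}."""
    return (lambda name: name.lower() in files,
            lambda subkey, value: registry.get((subkey.lower(), value.lower())))


# Constructed sample snapshot of an infected user profile (not real data).
INFECTED_SNAPSHOT = (
    {"bbeagle.exe"},
    {(RUN_KEY.lower(), RUN_VALUE.lower()): r"C:\WINDOWS\system32\bbeagle.exe",
     (MARKER_KEY.lower(), "frun"): "1",
     (MARKER_KEY.lower(), "uid"): "84711"},
)
CLEAN_SNAPSHOT = (set(), {})

if __name__ == "__main__":
    lookups = live_lookups() if sys.platform == "win32" else snapshot_lookups(*INFECTED_SNAPSHOT)
    found = check_bagle_indicators(*lookups)
    print(verdict(found), found)
```

    On a Windows machine the script queries the real registry and file system; elsewhere it runs against the constructed snapshot so the logic can be exercised offline, for instance when checking values exported from an NTUSER.DAT hive.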
     
  2. FanJ

    FanJ Guest

  3. FanJ

    FanJ Guest

  4. FanJ

    FanJ Guest

    Symantec:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html


    edit:

    Due to the character @ in above mentioned link to the Symantec site, it is not possible to make it clickable.
    So copy and paste the whole url into your browser.
     
  5. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Info on Bugtraq is warning that this worm is gathering steam...heads-up, everyone... :eek:
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    You can say that again. Got my first copies today. Both NOD and NAV responded satisfactorily, I might add. :)

    Regards,

    Pieter
     
  7. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Trend Newsletter: WORM_BAGLE.A

    WORM_BAGLE.A is a non-destructive worm that sends email to addresses gathered from files with certain extensions, adding itself as an attachment. It uses Simple Mail Transfer Protocol (SMTP) to send itself via email, and it is currently spreading in-the-wild. It affects systems running Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this memory-resident worm checks the current computer system date. It terminates if the system date is January 28, 2004 or later.

    It drops a copy of itself in the Windows system folder using the file name BBEAGLE.EXE. It then creates two registry entries that allow it to run at every Windows startup.

    This malware uses SMTP in order to perform its mailing routine. To propagate via email, it searches for and acquires email addresses from files with the following extensions:

    WAB
    TXT
    HTM
    HTML

    It avoids email addresses that contain the following strings:

    .r1
    @hotmail.com
    @msn.com
    @microsoft
    @avp

    It sends email to the obtained addresses and takes from the same pool to spoof or forge the sender addresses (as shown on the FROM field of its messages). It spawns a thread to send out an email for each recipient address.

    The email it sends contains the following details:

    Subject: Hi
    Message Body: Test =)
    Bqkqcjenbjycliy
    --
    Test, yep.
    Attachment: ltdm.exe

    The attachment name and the text strings after "Test=)" are randomly generated characters. The email address that appears in the FROM field is also not authentic, but is a randomly chosen email address obtained from the infected machine.

    If this worm's file name is not %System%\BBEAGLE.EXE, it executes CALC.EXE (Windows Calculator program). While running in the background, it proceeds with its malicious activities. If the user terminates the Windows Calculator application, this worm still executes, as it is actually a separate program. If it runs CALC.EXE directly, this worm fails to activate.

    WORM_BAGLE.A also opens and listens to port 6777 on the infected machine to receive remote commands. It allows a malicious user to take control of the infected system, compromising network and local security.

    If you would like to scan your computer for WORM_BAGLE.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_BAGLE.A is detected and cleaned by Trend Micro pattern file #729 and above.
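    The message template and the port 6777 listener described in the Trend write-up above can be checked for at a mail gateway and on a host. The code below is an added example, not Trend Micro's or the poster's; it keys on the fixed parts of the template (subject "Hi", the "Test =)" / "--" / "Test, yep." body, an .exe attachment), takes the 15872-byte size from the BitDefender entry at the top of the thread, and parses netstat-style output for a TCP listener on 6777. The sample messages and netstat lines are constructed for the example, not captured samples.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

BAGLE_SUBJECT = "Hi"
# First line fixed, second line random letters, then "--" and "Test, yep."
BAGLE_BODY_RE = re.compile(r"\ATest =\)\r?\n[A-Za-z]+\r?\n--\r?\nTest, yep\.\s*\Z")
BAGLE_SIZE = 15872                 # size from the BitDefender entry
BAGLE_BACKDOOR_PORT = 6777


def bagle_a_indicators(raw: bytes) -> List[str]:
    """Return the Bagle.A template features found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found: List[str] = []
    if (msg.get("Subject") or "").strip() == BAGLE_SUBJECT:
        found.append("subject 'Hi'")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if BAGLE_BODY_RE.match(body):
        found.append("body follows 'Test =)' template")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            found.append(f"executable attachment {name}")
            payload = part.get_payload(decode=True) or b""
            if len(payload) == BAGLE_SIZE:
                found.append(f"attachment is {BAGLE_SIZE} bytes")
    return found


def is_bagle_a(raw: bytes) -> bool:
    """Quarantine rule: the fixed body template plus an .exe attachment is decisive;
    the subject alone ("Hi") is far too common to act on."""
    found = bagle_a_indicators(raw)
    return (any(f.startswith("body") for f in found)
            and any(f.startswith("executable") for f in found))


def backdoor_listener(netstat_output: str) -> bool:
    """True if a 'netstat -an' style dump shows a TCP listener on port 6777."""
    pattern = re.compile(r"^\s*TCP\s+\S+:%d\s+\S+\s+LISTEN" % BAGLE_BACKDOOR_PORT, re.I)
    return any(pattern.match(line) for line in netstat_output.splitlines())


def build_sample(subject: str, body: str, filename: str, payload: bytes) -> bytes:
    """Assemble a constructed test message (not a captured worm sample)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"     # Bagle forges this from harvested addresses
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm's mail, one ordinary message.
WORM_LIKE = build_sample("Hi", "Test =)\nBqkqcjenbjycliy\n--\nTest, yep.\n",
                         "ltdm.exe", b"MZ" + bytes(BAGLE_SIZE - 2))
BENIGN = build_sample("Q1 report", "Hi,\n\nthe report is attached.\n",
                      "report.pdf", b"%PDF-1.4 constructed")

NETSTAT_INFECTED = "  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       1184\n"
NETSTAT_CLEAN = "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4\n"

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, is_bagle_a(raw), bagle_a_indicators(raw))
    print("listener on 6777:", backdoor_listener(NETSTAT_INFECTED))
```

    Because the attachment name and the second body line are random, the rule deliberately ignores them and the forged From address; the fixed text plus an executable attachment is what makes the match reliable, and the size check only adds confidence.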
     