Trend Alert: WORM_BAGLE.BE

Discussion in 'malware problems & news' started by Randy_Bell, Mar 1, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Trend Micro Medium Risk Virus Alert - WORM_BAGLE.BE

    As of March 1, 2005, 3:43 AM (GMT - 08:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.BE. TrendLabs has received numerous infection reports indicating that this malware is spreading in New Zealand and Australia.

    Initial analysis shows that this worm drops a copy of itself as WINDLHHL.EXE in the Windows system folder upon execution. It then mass-mails copies of TROJ_BAGLE.BE, which is responsible for downloading WORM_BAGLE.BE. The email that it sends out has the following details:

    Subject: <blank>
    Message Body: price
    Attachment: <.ZIP copy of the TROJ_BAGLE.BE>

    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 153
    Official Pattern Release 2.456.00
    Damage Cleanup Template 544

    For more information on WORM_BAGLE.BE, you can visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.BE
     
    Last edited: Mar 2, 2005
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Trend-NewsLetter: Worm Befriends Trojan - WORM_BAGLE.BE

    On March 1, Trend Micro declared a Medium Risk alert for WORM_BAGLE.BE. This non-destructive worm propagates by email, using addresses gathered from the Windows Address Book. It employs another malware, TROJ_BAGLE.BE, to create a worm-Trojan propagation cycle where the worm mass-mails copies of the Trojan. The Trojan, in turn, downloads copies of the worm from a long list of predefined Web sites. TROJ_BAGLE.BE carries malicious routines different from those exhibited by WORM_BAGLE.BE. In addition to downloading copies of its worm counterpart, this Trojan terminates several antivirus and security-related processes. It also prevents the user from accessing antivirus Web sites. The worm infects computers running Windows 98, ME, NT, 2000, and XP.

    This mass-mailing worm arrives in a system as a downloaded file of TROJ_BAGLE.BE. Upon execution, it drops a copy of itself in the Windows system folder as the file WINDLHHL.EXE. It creates several registry entries that enable it to automatically execute at every system startup.

    The worm propagates by mass-mailing copies of TROJ_BAGLE.BE which, in turn, attempts to download a copy of this worm from several Web sites. It gathers recipients' email addresses from the contacts found in the Windows Address Book. It also attempts to download the file EML.EXE into the Windows folder. This file contains a list of recipients to send email to, but the contents of the file may change at any time. It attempts to download this file every 100 milliseconds until it succeeds.

    The worm attempts to contact a Simple Mail Transfer Protocol (SMTP) server to send emails. If it is unable to contact this server, it uses its own SMTP engine. It may also obtain the affected system’s Mail Exchanger (MX) server for its mass-mailing routine. If the Mail Exchanger server is not available, it uses the server 217.5.97.137.

    The email message it sends out contains the following details:

    Subject: <Blank>

    Message body: (any of the following)
    price
    new price

    Attachment: (any of the following)
    08_price.zip
    new__price.zip
    new_price.zip
    newprice.zip
    price_08.zip
    price_new.zip
    price2.zip

    Note that the attached file is a .ZIP copy of TROJ_BAGLE.BE. It contains a file named DOC_<decimal number>.EXE. Since the worm gathers email addresses from the Windows Address book (WAB), the sender indicated in the From: field may be familiar.

    This worm also has a backdoor component that opens and listens to TCP port 80, and sets the infected system up to act as a Web server. It may allow a malicious user to take control of an infected system by logging on using a pre-set password, and may allow remote users to upload a file onto the Web server. It then attempts to download the file from the Web server (which is actually the infected machine, since it is set up as a Web server), using a specific URL. It saves the downloaded file into the Windows system folder as RE_FILE.EXE. After downloading, it then executes the file.

    This worm attempts to remove the following registry entries from the key:

    * 9XHtProtect
    * Antivirus
    * EasyAV
    * FirewallSvr
    * HtProtect
    * ICQ Net
    * ICQNet
    * Jammer2nd
    * KasperskyAVEng
    * MsInfo
    * My AV
    * NetDy
    * Norton Antivirus AV
    * PandaAVEngine
    * SkynetsRevenge
    * Special Firewall Service
    * SysMonXP
    * Tiny AV
    * Zone Labs Client Ex
    * service

    If you would like to scan your computer for WORM_BAGLE.BE or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_BAGLE.BE is detected and cleaned by Trend Micro pattern file #2.460.00 and above.
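The mail traits listed in the newsletter above (blank subject, a "price"/"new price" body, one of the named .ZIP attachments, and a DOC_<decimal number>.EXE member inside the archive) can be turned into a simple mail-gateway triage check. The script below is an added example, not Trend Micro's or the forum's code; the message fields and the inert sample ZIP it builds are constructed for illustration.

```python
import io
import re
import zipfile

# Indicators quoted from the alert; the ZIP member is named DOC_<decimal>.EXE
BAGLE_BE_BODIES = {"price", "new price"}
BAGLE_BE_ATTACHMENTS = {
    "08_price.zip", "new__price.zip", "new_price.zip", "newprice.zip",
    "price_08.zip", "price_new.zip", "price2.zip",
}
INNER_NAME_RE = re.compile(r"^DOC_\d+\.EXE$", re.IGNORECASE)


def zip_member_names(data: bytes) -> list:
    """Member names of a ZIP attachment, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def bagle_be_indicators(subject: str, body: str, name: str, data: bytes) -> list:
    """Return which WORM_BAGLE.BE mail traits a message matches."""
    hits = []
    if subject.strip() == "":
        hits.append("blank-subject")
    if body.strip().lower() in BAGLE_BE_BODIES:
        hits.append("price-body")
    if name.lower() in BAGLE_BE_ATTACHMENTS:
        hits.append("known-zip-name")
    if any(INNER_NAME_RE.match(m) for m in zip_member_names(data)):
        hits.append("doc_number_exe-in-zip")
    return hits


def is_suspect(subject: str, body: str, name: str, data: bytes) -> bool:
    """Flag only when the payload trait plus at least two lure traits match."""
    hits = bagle_be_indicators(subject, body, name, data)
    return "doc_number_exe-in-zip" in hits and len(hits) >= 3


def make_zip(member: str) -> bytes:
    """Constructed, inert ZIP holding one placeholder member, for testing only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not an executable")
    return buf.getvalue()
```

A non-ZIP or corrupt attachment yields no member names, so the payload trait never fires on it and the message is not flagged on lure text alone.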
     