W32/Bagle.A@mm rapidly gains momentum.

19 January 2004

W32/Bagle.A@mm is a mass-mailing worm that also behaves like a trojan downloader in its attempts to access remote websites. This is a time-restricted worm and will not execute if the system date has passed the 27th of January 2004.

Bagle.A harvests e-mail addresses from the infected machine's hard drive in order to spread itself further. The worm uses its own SMTP engine to send out e-mails to these harvested addresses and fakes the [From:] address by using another of these harvested addresses. This means that these e-mails can appear to be sent by someone the recipient knows. The subject of these e-mails is normally "Hi", the attachment's name is generated with random characters and the attachment's icon is identical to that of Windows Calculator.

The e-mails sent by Bagle.A are all very similar in structure:

[From:] Forged address
[Subject:] Hi
[Body:]
Test =)
(random character string)
--
Test, yep.
[Attachment] random_name.exe

When first executed the worm runs Windows Calculator to disguise itself while copying itself to the Windows system directory as bbeagle.exe and creating a registry key that enables it to load automatically when the system is started up. If the infected system is connected to the Internet, W32/Bagle.A@mm listens for remote connections and attempts to download and execute a trojan from URL's listed within the worm's body.

For more information on this worm and disinfection please visit our virus information section.

Recommended Reactions

Users are advised to update their virus signature files and make sure they have the latest versions of F-Prot Antivirus installed on their computers.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

For more information on this worm and disinfection please visit our virus information section.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Bagle.A@mm using virus signature files dated 19 January 2004 or later.

Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.

1993-2013 © CYREN