FRISK Software International


Summary of W32/Bagle.A@mm
Alias: W32.Beagle.A@mm, I-Worm.Bagle, WORM_BAGLE.A
Length: 15,872 bytes
Discovered: 18 Jan 2004
Definition files: 19 Jan 2004
Risk Level: Low
Distribution: Low
Infection Method: Infected e-mail attachments
Payload: Mass-mailing functionality; attempts to download and execute a trojan from remote addresses

Brief Description
W32/Bagle.A@mm is a mass-mailing worm that also acts as a trojan downloader. The worm will not execute if the system date has passed the 27th of January 2004.

The worm creates the following registry key and values:

[HKEY_USERS\{current_user_ID}\Software\Windows98]
"frun"=dword:00000001
"uid"="randomly generated value"

The "uid" value is used later on for the trojan download payload.

It also creates a Run value under the current user ID:

[HKEY_USERS\{current_user_id}\Software\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="%system_dir%\bbeagle.exe"

The worm copies itself to the system directory under the name "bbeagle.exe". It then attempts to harvest e-mail addresses from all fixed drives on the system by searching files with the following extensions: .wab, .txt, .htm, .html. For each e-mail address found, the worm sends an infected e-mail to that address, forging the [From:] header with another address harvested from the same system. The worm will not send infected e-mails to the following addresses (where * is a wildcard): *@hotmail.com, *@msn.com, *@microsoft, *@avp.

The e-mails sent by the W32/Bagle.A@mm are similar in structure:

[From:] Forged address
[Subject:] Hi
[Body:]
Test =)
(random character string)
--
Test, yep.
[Attachment] random_name.exe
The attachment will have an icon identical to that of "Windows calculator".


The worm will attempt to download and execute a trojan from pre-defined URLs listed within the worm's body.


Technical Description
W32/Bagle.A@mm is a mass-mailing worm that also acts as a trojan downloader. The first routine the worm carries out is to retrieve the system date. Within the worm's body there is a value which translates to the date 28.01.2004. The worm compares the current system date to that date; if the date is the 28th of January 2004 or later, the worm exits without any further action.

If the date is earlier than that, the worm continues its execution, delivering the registry payload. It creates the following registry key and values under the current user ID on the infected system:

[HKEY_USERS\{current_user_ID}\Software\Windows98]
"frun"=dword:00000001
"uid"="randomly generated value"

The "uid" value is used later on for the trojan download payload.

It also creates a Run value under the current user ID:

[HKEY_USERS\{current_user_id}\Software\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="%system_dir%\bbeagle.exe"

The worm checks whether it was executed from the system directory. If not, it copies itself to the system directory under the name "bbeagle.exe". This file is identical to the original executable and carries the same icon as "Windows Calculator". When executed for the first time, the worm launches a copy of the Windows calculator.

W32/Bagle.A@mm then sets up a multi-threaded environment for its execution, creating three threads, each with its own purpose. The main thread searches all fixed drives on the infected machine for files with any of the following extensions: .wab, .txt, .htm, .html. It scans the files found for e-mail addresses, based on characters and character sequences coded within the worm's body.
Once this routine completes, the worm retrieves the SMTP server that the infected system uses, either directly from a local system entry or by issuing a DNS request for an MX (mail exchanger) record for the domain the system is registered in. Using a built-in SMTP routine, W32/Bagle.A@mm then initiates and carries out the e-mail spreading routine.
Because it uses its own SMTP routine, the worm is able to forge the [From:] address; it usually does so using one of the e-mail addresses harvested from the system. The e-mails sent by W32/Bagle.A@mm are very similar, but the worm injects a random character string into each e-mail and generates a semi-random name for the attachment. A typical e-mail sent by W32/Bagle.A@mm looks like the following:

[From:] Forged address
[Subject:] Hi
[Body:]
Test =)
(random character string)
--
Test, yep.
[Attachment] random_name.exe
The attachment will have an icon identical to that of "Windows calculator".


The worm will not send infected e-mails to addresses matching the following patterns (where * is a wildcard): *@hotmail.com, *@msn.com, *@microsoft, *@avp.
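As an added illustration (not part of the original F-Prot description), the following Python heuristic flags a message that matches the structure shown above, using a constructed sample message in place of a real capture:

```python
"""Heuristic for the W32/Bagle.A@mm e-mail pattern: Subject "Hi",
body "Test =)" ... "Test, yep.", and a .exe attachment.
The sample message is constructed here for the demo, not a real capture."""
from email import message_from_bytes
from email.message import EmailMessage

SUBJECT = "Hi"
BODY_MARKERS = ("Test =)", "Test, yep.")

def bagle_a_indicators(raw):
    """Return the Bagle.A traits found in a raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip() == SUBJECT:
        hits.append("subject")
    text, exe_parts = "", 0
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            exe_parts += 1                      # semi-random name, fixed .exe
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", "replace")
    if all(marker in text for marker in BODY_MARKERS):
        hits.append("body")
    if exe_parts:
        hits.append("exe-attachment")
    return hits

def is_bagle_a(raw):
    """Flag only when all three traits co-occur, to keep false positives low."""
    return set(bagle_a_indicators(raw)) == {"subject", "body", "exe-attachment"}

def build_sample(attachment_name="qzwvk.exe"):
    """Constructed message resembling the worm's mail (From: is forged)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"        # forged, harvested elsewhere
    msg["To"] = "victim@example.org"
    msg["Subject"] = SUBJECT
    msg.set_content("Test =)\nkqwelrjhzx\n--\nTest, yep.\n")
    msg.add_attachment(b"MZ" + b"\0" * 30, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return bytes(msg)

if __name__ == "__main__":
    print(bagle_a_indicators(build_sample()))   # ['subject', 'body', 'exe-attachment']
```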

The second thread initializes and opens a TCP socket in listening mode on port 6777. The download of the trojan goes through this socket.

The third thread starts by retrieving the system date. If the date is past the 27th of January, it writes out a simple .bat script and executes it; this script deletes the worm from the system directory, after which the process is terminated.
The worm has 36 built-in internet addresses from which it attempts to download the trojan. Each connection is made in the same manner: the worm first checks for the presence of an internet connection and, if one is present, attempts to connect to each of the sites with the following request:

[HTTP connection]
HTTP GET REQUEST
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
User-Agent: beagle_beagle
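Because the id parameter of this request carries the same value as the registry "uid", a proxy log entry can be tied back to the infected host. The following Python detector is an added example (not F-Prot's code) that spots the request above in combined-format access logs; the log lines, hosts and ids are constructed for the demo:

```python
"""Spot the W32/Bagle.A@mm download beacon (GET /1.php?p=6777&id=<uid>,
User-Agent beagle_beagle) in web-proxy logs and recover the per-host uid.
The log lines are constructed for this demo; hosts and ids are invented."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log: client ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')

BAGLE_PORT = "6777"          # the worm's listening port, sent as p=
BAGLE_UA = "beagle_beagle"

def classify(line):
    """Return the Bagle.A traits of one log line, or None if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    qs = parse_qs(url.query)
    path_hit = (url.path.endswith("/1.php") and qs.get("p") == [BAGLE_PORT]
                and "id" in qs)
    ua_hit = m["ua"] == BAGLE_UA
    if not (path_hit or ua_hit):
        return None
    return {"client": m["client"], "server": url.hostname,
            "uid": qs.get("id", [None])[0],      # same value as the registry "uid"
            "path_match": path_hit, "ua_match": ua_hit}

def infected_hosts(lines):
    """Map each beaconing client to the uid it reported, for host triage."""
    hosts = {}
    for line in lines:
        hit = classify(line)
        if hit:
            hosts.setdefault(hit["client"], hit["uid"])
    return hosts

SAMPLE_LOG = [  # constructed lines, not a real capture
    '10.0.0.5 - - [19/Jan/2004:08:12:01 +0000] "GET http://www.example.de/1.php'
    '?p=6777&id=3f9a1c HTTP/1.1" 404 312 "-" "beagle_beagle"',
    '10.0.0.8 - - [19/Jan/2004:08:12:05 +0000] "GET http://www.example.org/'
    'index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [19/Jan/2004:08:13:40 +0000] "GET http://203.0.113.7/1.php'
    '?p=6777&id=b2d4e6 HTTP/1.0" 200 2048 "-" "-"',   # UA stripped by proxy
]
```

Matching on the request path alone (third sample line) keeps the detection working where a proxy rewrites or drops the User-Agent header.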


The 36 download URLs hardcoded within the worm's body all point to a /1.php script on various hosts.

If the trojan is successfully downloaded, it will execute it.


Removal Instructions
To remove the W32/Bagle.A@mm from your system, the following steps are recommended:

1. Make sure you have the latest version of F-Prot Antivirus.
2. Update your virus signature files.
3. Scan your computer with the OnDemand Scanner.

Before you scan make sure that the OnDemand Scanner is set to "Disinfect". Run F-Prot Antivirus and allow it to remove the infection.

Manual disinfection:

Locate the infected file "bbeagle.exe" in the system directory. This is the file pointed to by the Run value that W32/Bagle.A@mm creates in the registry.

Manual registry cleanup:

Locate the following values from the registry:

[HKEY_USERS\{current_user_ID}\Software\Windows98]

This key contains the two values "frun" and "uid"; the whole key should be deleted.

[HKEY_USERS\{current_user_id}\Software\Microsoft\Windows\CurrentVersion\Run]

The value "d3dupdate.exe"="%system_dir%\bbeagle.exe" should be deleted.

Analysis / Description: Sindri Bjarnason - Virus researcher FRISK Software International