Email-Worm:W32/Bagle

Classification

Category: Malware

Type: Email-Worm

Aliases: I-Worm.Bagle, W32.Beagle.A@mm, WORM_BAGLE.A, I-Worm.Bagle.gen

Summary

This type of worm arrives as an email attachment and spreads by emailing itself from the infected computer to addresses it harvests there.

Removal

Special Disinfection Tool

F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Bagle infection from the computer.

The Bagle removal tool can be downloaded in a ZIP file from:

  • https://www.f-secure.com/tools/f-bagle.zip
  • ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

The unpacked version is available from:

  • https://www.f-secure.com/tools/f-bagle.exe
  • ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe
  • https://www.f-secure.com/tools/f-bagle.txt
  • ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

System administrators who are using F-Secure Policy Manager can distribute the F-BAGLE tool automatically to all workstations as a JAR package. The package can be downloaded from:

  • ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.jar

Manual Disinfection

Manual disinfection of Bagle consists of the following steps:

  • Delete the registry value [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe] and restart the computer

OR

  • Terminate the running 'bbeagle.exe' process with Task Manager
  • Then delete the worm's executable file from the Windows System Directory (%SysDir%\bbeagle.exe).

Remote Removal

F-Secure can confirm that the remote removal method found by Joe Stewart of Lurhq does indeed work. Please note that using this method against someone else's computers may be legally questionable.

Sending a specific byte sequence to port 6777 on an infected computer causes the worm to delete itself from the System Directory and terminate its process. The registry values are not removed, but since the file no longer exists Windows will ignore them.

The byte sequence to be sent:

0x43 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x04 0x31 0x32 0x00

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Email-Worm:W32/Bagle is a very large family of worms that generally distribute themselves in infected email file attachments. Once executed, the worm installs a backdoor on the infected machine, then propagates itself.

Bagle has been programmed to stop spreading on the 28th of January. Because the family is so large, many later variants differ significantly from the earlier ones. The details below apply to the Bagle.A variant.

Bagle was first discovered on the 18th of January, 2004.

Installation

Upon execution Bagle copies itself to the Windows System Directory with the filename 'bbeagle.exe'. This file is added to the registry as

  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe]

to ensure that the worm will be activated when Windows starts.

To record whether it has already been run once, the worm creates another registry value:

  • [HKCU\Software\Windows98\frun]

When started for the first time, the worm launches the Windows Calculator (calc.exe) to conceal its presence.

Propagation

Bagle recursively searches all drives on the infected computer for Windows Address Book (WAB), text and HTML files. It parses these files and collects all email addresses it can find.

Files with the following extensions are checked:

  • .WAB
  • .TXT
  • .HTM
  • .HTML

Using its own SMTP engine, Bagle sends messages with infected attachments to the collected addresses. The SMTP engine performs a direct Mail eXchange (MX) lookup on the target domain, so it does not depend on the email settings of the infected computer.

The emails Bagle sends have the following characteristics:

  • Subject: Hi
  • Body: Test =) -- Test, yep.
  • Attachment: [random characters].exe
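A mail-gateway triage check built from the three message characteristics listed above, as an added example (not F-Secure's tool and not code from the worm). The two sample messages are constructed; the check flags a message only when subject, body and an .exe attachment all match, because the subject and body text alone also occur in legitimate mail.

```python
import email
from email import policy

# Mail characteristics of Bagle.A as listed in the description above.
BAGLE_SUBJECT = "Hi"
BAGLE_BODY = "Test =) -- Test, yep."

def bagle_indicators(raw):
    """Return which Bagle.A mail indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() == BAGLE_SUBJECT:
        hits.append("subject")
    text_part = msg.get_body(preferencelist=("plain",))
    if text_part is not None and text_part.get_content().strip() == BAGLE_BODY:
        hits.append("body")
    # The worm attaches itself as a single .exe with a random file name.
    if any((p.get_filename() or "").lower().endswith(".exe")
           for p in msg.iter_attachments()):
        hits.append("exe-attachment")
    return hits

def is_bagle_a_candidate(raw):
    """Treat only the full pattern as a hit: subject, body and .exe attachment."""
    return set(bagle_indicators(raw)) == {"subject", "body", "exe-attachment"}

# Constructed sample messages (not real captures) so the check runs offline.
SAMPLE_BAGLE = b"""From: user@example.com
Subject: Hi
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Test =) -- Test, yep.
--b1
Content-Type: application/octet-stream; name="qwzpf.exe"
Content-Disposition: attachment; filename="qwzpf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

SAMPLE_BENIGN = b"""From: user@example.com
Subject: Hi

Test =) -- Test, yep.
"""
```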

The mailer routine ignores all addresses that contain any of these strings:

  • .r1
  • @hotmail.com
  • @msn.com
  • @microsoft
  • @avp.

Payload

Bagle contains a backdoor that listens on TCP port 6777, which is hardcoded in the worm's body. This backdoor component provides remote access to the infected computer and can be used to download and execute arbitrary programs from the Internet.

When the worm is started it connects to a list of predefined web servers and tries to access a PHP file with certain parameters. One of the parameters is the TCP port on which the backdoor is listening, which suggests that this functionality is used to collect the addresses of infected computers.

Bagle has reportedly tried to download the Mitglieder trojan to some infected computers.

Notes

The following picture briefly shows the structure of the Bagle worm; the full-detail version is the PDF graph available from http://www.f-secure.com/v-pics/bagle-a.pdf.

Spreading Statistics

The following table shows the country distribution of the infections. In each column pair, the number is the percentage of the total number of infected machines and the two-letter code is the country or geographical area where the infected computers were located.

  Share    Country    Share    Country
  15.30%   CN         1.03%    CZ
  12.53%   KR         1.00%    NO
  11.39%   US         0.93%    IL
  11.06%   AU         0.91%    CA
   5.97%   DE         0.87%    PL
   5.19%   FR         0.79%    -- (unknown location)
   3.33%   JP         0.71%    SE
   3.01%   HK         0.66%    ID
   2.35%   GB         0.59%    LT
   2.14%   EU         0.56%    RU
   2.08%   IN         0.56%    CH
   1.92%   TW         0.54%    AT
   1.90%   DK         0.48%    NZ
   1.69%   MY         0.45%    PH
   1.37%   ES         0.44%    BR
   1.20%   TH         0.44%    FI
   1.15%   TR         0.40%    SG
   1.05%   IT         0.35%    BE

Note 1: The table only displays the first 36 entries.

Note 2: The data used when creating the table only contains infected computers up to the 19th of January, 2004 at 17:26 GMT+1.

The following graph shows the increase in activity created by the worm from the 19th of January at 00:00 (GMT+1) up to the same day at 17:15 (GMT+1). The red line indicates the total number of hits received by a given web server. The green line shows the growth in the number of infected machines, starting from around 300 and reaching nearly 80,000 unique machines by the end of the monitoring period shown in the graph.