New Bagle worm spreading rapidly

Helsinki, Finland - February 17, 2004

F-Secure is warning computer users about the Bagle.B email worm, a new variant of Bagle.A. Bagle.A (also known as Beagle) is a Windows email worm that was first discovered on January 18th, 2004, and became globally widespread within 24 hours. From a technical point of view Bagle.B is quite simple. It is nevertheless spreading rapidly, most likely because its mail message looks innocent and appears to carry an audio file, and because the worm was initially seeded by mailing it to a large number of users in the same way as spam. Bagle.B has therefore been raised to Radar Level 1, the highest alert level. This is already the third Radar Level 1 alert in a month, the two previous ones being Bagle.A and Mydoom.A.

The Bagle.B worm contains a backdoor that listens on TCP port 8866. Through this backdoor the worm author can connect to infected machines and execute arbitrary programs on them. Administrators can look for hosts with a listener on TCP 8866 and should block inbound connections to that port at the network perimeter; this limits remote use of the backdoor but does not stop the worm's own mailing.
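A host-side check for the backdoor port, added here as an example; it is not F-Secure's tool or code. It parses `netstat -an` style output for a TCP listener on 8866 (the netstat lines are constructed, not captured from an infection) and probes a host:port with a plain TCP connect, which is what a LAN sweep for infected machines would do. A listener on 8866 is an indicator only; confirm with the virus description and a scanner before treating the host as infected.

```python
"""Host-side check for the Bagle.B backdoor listener on TCP 8866.

Added example, not F-Secure's tool or code.  Two checks: parse `netstat -an`
output for a TCP listener on 8866, and probe a host:port with a plain TCP
connect.  The netstat lines below are constructed, not captured from an
infection.  A listener on 8866 is an indicator, not proof of infection.
"""
from __future__ import annotations

import re
import socket

BAGLE_B_PORT = 8866

# Matches a listening TCP socket in the Windows layout
# ("TCP  addr:port  addr:port  LISTENING") and the Linux layout
# ("tcp  recv-q  send-q  addr:port  addr:*  LISTEN").
LISTEN_RE = re.compile(
    r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?\S*:(\d+)\s+\S+\s+LISTEN(?:ING)?\b",
    re.IGNORECASE,
)

# Constructed `netstat -an` output from a Windows host with the backdoor up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8866           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1047      192.168.1.1:25         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def listening_ports(netstat_output: str) -> set[int]:
    """Local TCP ports in LISTEN/LISTENING state, parsed from netstat text."""
    ports: set[int] = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def backdoor_listening(netstat_output: str, port: int = BAGLE_B_PORT) -> bool:
    """True if the given port (default 8866) is among the local listeners."""
    return port in listening_ports(netstat_output)


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port completes (for a remote sweep)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_local_listener() -> tuple[socket.socket, int]:
    """Open a throwaway listener on 127.0.0.1 so tcp_port_open can be
    exercised offline.  The caller closes the returned socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    print("8866 listening in sample netstat:", backdoor_listening(SAMPLE_NETSTAT))
    srv, port = start_local_listener()
    print(f"probe 127.0.0.1:{port} while open:", tcp_port_open("127.0.0.1", port))
    srv.close()
    print(f"probe 127.0.0.1:{port} after close:", tcp_port_open("127.0.0.1", port))
```

On a real host, feed `listening_ports` the output of `netstat -an` (Windows) or `netstat -tln` (Linux); `tcp_port_open` is only meaningful against hosts you are authorised to scan.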

"At this moment it is hard to estimate how much damage this worm will cause", says Mikael Albrecht, the Product Manager at F-Secure. "The backdoor that the worm contains can be very dangerous. It enables the virus author to inject malicious code at a later time. This kind of technique can for example be used to plant spam-relay agents in infected computers", he continues.

Bagle.B spreads via email messages, but unlike the messages sent by its predecessor, these emails have random subjects and attachment names. The mail containing Bagle.B looks like this:

Subject: ID (random characters)... thanks

Body: Yours ID (random characters)
--
Thank

Attachment: (random characters).exe

To fool the user, the worm executable carries an icon that resembles an audio file. When the user opens this EXE attachment, the worm runs and starts spreading further. It then launches the Windows Sound Recorder application, presumably so that the victim sees something consistent with having opened an audio file.
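A mail-gateway filter for the message shape above, added here as an example; it is not F-Secure's code or signature. The regular expressions, the list of executable extensions and the MZ-header check are this example's own assumptions, and the sample messages are constructed. The icon trick works only after the file is on the victim's disk, so the filter ignores icons and looks at the attachment's name and its first bytes, which also catches an executable renamed to look like audio.

```python
"""Mail-gateway check for Bagle.B-style messages.

Added example, not F-Secure code.  It flags the message shape in the
advisory: subject "ID <random>... thanks", a body starting "Yours ID
<random>", and a single .exe attachment with a random name.  The regexes,
the extension list and the MZ-header check are this example's own
assumptions, not published signatures; the sample messages are constructed.
"""
from __future__ import annotations

import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject "ID <random>... thanks" and body "Yours ID <random>" as described.
SUBJECT_RE = re.compile(r"^ID\s+\S+\.\.\.\s*thanks$", re.IGNORECASE)
BODY_RE = re.compile(r"^\s*Yours\s+ID\s+\S+", re.IGNORECASE)
# Assumption: block the usual Windows executable extensions, not only .exe.
EXEC_EXT_RE = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)


def classify(raw: bytes) -> list[str]:
    """Return the reasons a message should be quarantined (empty = pass)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons: list[str] = []

    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        reasons.append("subject matches the Bagle.B template")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_RE.match(body.get_content()):
        reasons.append("body matches the Bagle.B template")

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if EXEC_EXT_RE.search(name):
            reasons.append(f"executable attachment: {name}")
        # The "audio" icon lives inside the PE and is invisible to a gateway;
        # the DOS/PE magic "MZ" also catches executables renamed to .wav etc.
        if data[:2] == b"MZ":
            reasons.append(f"attachment has a PE (MZ) header: {name}")
    return reasons


def build_message(subject: str, body: str, attach_name: str | None = None,
                  attach_data: bytes = b"") -> bytes:
    """Build a constructed test message; not a real capture."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "victim@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name is not None:
        m.add_attachment(attach_data, maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


# Constructed samples.  FAKE_PE is only an MZ header plus padding, not a
# real executable.
FAKE_PE = b"MZ\x90\x00" + bytes(60)
BAGLE_SAMPLE = build_message("ID jd9c2mz... thanks",
                             "Yours ID jd9c2mz\n--\nThank\n",
                             "hmfnvp.exe", FAKE_PE)
RENAMED_SAMPLE = build_message("your song", "here it is\n", "song.wav", FAKE_PE)
BENIGN_SAMPLE = build_message("Lunch?", "See you at noon.\n")

if __name__ == "__main__":
    for label, raw in (("bagle", BAGLE_SAMPLE), ("renamed", RENAMED_SAMPLE),
                       ("benign", BENIGN_SAMPLE)):
        print(label, classify(raw) or "pass")
```

The subject and body rules catch this variant only; the extension and MZ rules are the durable part of the filter, since the next variant will change its text but still has to deliver a Windows executable.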

The worm collects email addresses aggressively from files on the infected computer. It searches through text and HTML files as well as the address book, and sends a copy of itself to each address found, except addresses in domains belonging to Microsoft, MSN, Hotmail and AVP. The worm is programmed to expire on February 25th, 2004, after which it stops spreading. The check uses the local system date of the infected machine, so the worm will continue to propagate from machines whose clock is set wrong; the expiry date is therefore no substitute for disinfection. This feature is similar to one seen in the Sobig virus family, whose authors used expiration dates to retire outdated versions in order to release new and improved versions of the worm.

Detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/bagle_b.shtml

F-Secure Anti-Virus can detect and remove the Bagle.B worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com.

F-Secure has also released a free disinfection tool, which can be used to remove Bagle.B from infected systems.

About F-Secure

F-Secure Corporation protects individuals and businesses against computer viruses and other threats coming through the Internet or mobile networks. Our award-winning solutions include antivirus, desktop firewall with intrusion prevention and network encryption. Our key strength is the speed of response to new threats and for businesses our solutions feature centralized management. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999. We have our headquarters in Helsinki, Finland, and offices in USA, France, Germany, Sweden, the United Kingdom and Japan. F-Secure is supported by a global ecosystem of value added resellers and distributors in over 50 countries. F-Secure protection is also available through major Internet Service Providers, such as Deutsche Telekom and leading mobile equipment manufacturers, such as Nokia.

For more information, please contact:

Media contact in the USA:
F-Secure Inc.
Heather Deem,
675 N. First Street, 5th Floor
San Jose, CA 95112
Tel +1 408 350 2178
Fax +1 408 938 6701
Email: heather.deem@f-secure.com

Finland:
F-Secure Corporation
Mikael Albrecht
PL 24
FIN-00181 Helsinki
Tel +358 9 2520 5640
Fax. +358 9 2520 5001
Email: mikael.albrecht@f-secure.com