F-Secure is downgrading the alert level on Bagle worm since it reached
its deadline.
The worm was programmed to stop spreading after January 28th, 2004.
Update on January 19th, 2004
F-Secure is upgrading the Bagle worm to Level 1, as it keeps
spreading aggressively.
Summary
Bagle is a mass-mailing worm that was found on 18th of January, 2004.
The worm sends messages with the subject 'Hi' and random EXE attachment
names. The worm installs a backdoor to infected machines. Bagle has
been programmed to stop spreading on 28th of January.
Disinfection
Special Disinfection Tool
F-Secure has developed a special disinfection tool for this worm.
The tool will detect and remove an active Bagle infection from
the computer.
The Bagle removal tool can be downloaded in a ZIP file from:
System administrators who are using F-Secure Policy Manager can
distribute the F-BAGLE tool as a JAR package automatically to all
workstations. The package can be downloaded from:
to ensure that the worm will be activated when Windows starts.
To mark that it has already been run once, the worm creates another
registry value:
[HKCU\Software\Windows98\frun]
When run for the first time, the worm launches the Windows Calculator
(calc.exe) to conceal its presence.
Email Propagation
Bagle recursively searches all drives on the infected computer to
locate Windows Address Book (WAB), text and HTML files. It parses
these files and collects all email addresses it can find.
Files with the following extensions are checked:
.WAB
.TXT
.HTM
.HTML
Using its own SMTP engine Bagle sends messages with infected
attachments to the collected addresses. The SMTP engine uses direct
Mail eXchange (MX) lookup on the target domain so it does not depend on
email settings of the infected computer.
The emails Bagle sends have the following characteristics:
Subject: Hi
Body: Test =)
<random characters>
--
Test, yep.
Attachment: <random characters>.exe
The mailer routine ignores every address that contains any of these
strings:
.r1
@hotmail.com
@msn.com
@microsoft
@avp.
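The message traits listed above (subject, body, signature, EXE attachment) and the mailer's skip list are enough to write a simple triage filter. The following Python is an added example for this description, not F-Secure's tool or any code from the worm: it parses a raw message, counts how many Bagle traits it shows, and flags it when at least three are present. The sample messages are constructed here; the sender and recipient addresses are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above (subject, body, attachment type).
BAGLE_SUBJECT = "Hi"
BAGLE_BODY_PREFIX = "Test =)"
BAGLE_BODY_SIGNATURE = "Test, yep."
EXE_NAME = re.compile(r"\.exe$", re.IGNORECASE)

# Address substrings the description says the worm's mailer skips.
SKIPPED_SUBSTRINGS = (".r1", "@hotmail.com", "@msn.com", "@microsoft", "@avp.")


def worm_would_target(address: str) -> bool:
    """True if the worm's mailer would send to this address (no skip string present)."""
    lowered = address.lower()
    return not any(s in lowered for s in SKIPPED_SUBSTRINGS)


def bagle_indicators(msg: EmailMessage) -> list:
    """Return the list of Bagle message traits present in a parsed message."""
    hits = []
    if (msg.get("Subject") or "").strip() == BAGLE_SUBJECT:
        hits.append("subject 'Hi'")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if body.lstrip().startswith(BAGLE_BODY_PREFIX):
        hits.append("body starts with 'Test =)'")
    if BAGLE_BODY_SIGNATURE in body:
        hits.append("signature 'Test, yep.'")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if EXE_NAME.search(name):
            hits.append("exe attachment " + name)
    return hits


def indicator_count(raw: bytes) -> int:
    """Number of Bagle traits found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return len(bagle_indicators(msg))


def is_bagle_like(raw: bytes, threshold: int = 3) -> bool:
    """Flag a raw message when at least `threshold` traits match."""
    return indicator_count(raw) >= threshold


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "recipient@example.invalid"     # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    # add_attachment converts the message to multipart/mixed; the bytes are a stand-in.
    msg.add_attachment(b"MZ-placeholder-not-a-real-binary",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: a Bagle-style message and a benign one with the same subject.
WORM_SAMPLE = build_sample("Hi", "Test =)\nfkqzp\n--\nTest, yep.\n", "jdjfie.exe")
BENIGN_SAMPLE = build_sample("Hi", "Are we still meeting at 10?\n", "agenda.pdf")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        msg = email.message_from_bytes(raw, policy=policy.default)
        print(label, "->", bagle_indicators(msg), "flagged:", is_bagle_like(raw))
    print("hotmail address targeted:", worm_would_target("someone@hotmail.com"))
```

Requiring several traits at once keeps a benign message that merely has the subject "Hi" from being flagged, while the worm's fixed subject, body and signature together match reliably. The skip-list check explains why some mailboxes in a domain never received the worm.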
Payload
Bagle contains a backdoor that listens on TCP port 6777, which is
hardcoded in the worm's body. This backdoor component provides
remote access to the infected computer. It can be used to download
and execute arbitrary programs from the Internet.
When the worm is started it connects to a list of predefined web
servers and tries to access a PHP file with certain parameters.
One of the parameters is the TCP port where the backdoor is listening
which suggests that this functionality is used to collect the
addresses of infected computers.
Bagle has reportedly tried to download the Mitglieder trojan to
some infected computers.
More information on Mitglieder trojan is available here:
F-Secure can confirm that the remote removal method found by Joe
Stewart of Lurhq does indeed work.
Sending a specific byte sequence to port 6777 on an infected
computer causes the worm to delete itself from the System Directory and
terminate its process. The registry values are not removed, but
since the file no longer exists, Windows ignores them.
The following table shows the country distribution of the
infections. In each column the number indicates the percentage of the total
number of infected machines, and the two-letter code indicates the country or
geographical area where the infected computers have been located.
Share   Country   Share   Country
15.30%  CN        1.03%   CZ
12.53%  KR        1.00%   NO
11.39%  US        0.93%   IL
11.06%  AU        0.91%   CA
 5.97%  DE        0.87%   PL
 5.19%  FR        0.79%   -- (unknown location)
 3.33%  JP        0.71%   SE
 3.01%  HK        0.66%   ID
 2.35%  GB        0.59%   LT
 2.14%  EU        0.56%   RU
 2.08%  IN        0.56%   CH
 1.92%  TW        0.54%   AT
 1.90%  DK        0.48%   NZ
 1.69%  MY        0.45%   PH
 1.37%  ES        0.44%   BR
 1.20%  TH        0.44%   FI
 1.15%  TR        0.40%   SG
 1.05%  IT        0.35%   BE
Note 1: The table only displays the first 36 entries.
Note 2: The data used when creating the table only contains
infected computers up to the 19th of January, 2004 at 17:26 GMT+1
The following graph shows the increase in activity created by the worm from
19th of January at 00:00 (GMT+1) up to the same day at 17:15 (GMT+1). The red
line indicates the total number of hits received by a given web server. The
green line shows the increase in the number of infected machines, starting from
around 300 and growing to nearly 80,000 unique machines by the end of the
monitoring period shown in the graph.