F-Secure Virus Descriptions : Bagle.B


THIS VIRUS IS RANKED AS LEVEL 1 ALERT UNDER F-SECURE RADAR.

NAME: Bagle.B
ALIAS: I-Worm.Bagle.B, WORM_BAGLE.B, W32.Beagle.B@mm, W32/Tanx.A, W32/Yourid.A, W32.Alua@mm, Win32.HLLM.Strato
SIZE: 11264

Update on February 28th, 2004

F-Secure is downgrading the alert level on the Bagle worm, since it has reached its deadline.

The worm was programmed to stop spreading after January 25th, 2004.

Update on February 17th, 2004

F-Secure is upgrading the Bagle.B worm to Level 1, as it keeps spreading rapidly. It arrives in email with a random subject and a random attachment name with an EXE extension. The worm installs a backdoor that listens on port 8866.

Bagle.B worm has been programmed to stop spreading on February 25th.

Summary

Found on 17th of February 2004, Bagle.B is a variant of the successful Bagle. Like its predecessor, it is a mass-mailing worm. The worm sends messages with the subject 'ID [random string]... thanks' and random EXE attachment names. It also installs a backdoor. Bagle.B has been programmed to stop spreading on 25th of February.

Disinfection

Special Disinfection Tool

F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Bagle infection from the computer.

The Bagle removal tool can be downloaded in a ZIP file from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

http://www.f-secure.com/tools/f-bagle.zip

The unpacked version is available from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

http://www.f-secure.com/tools/f-bagle.exe

http://www.f-secure.com/tools/f-bagle.txt

System administrators who are using F-Secure Policy Manager can distribute the F-BAGLE tool as a JAR package automatically to all workstations. The package can be downloaded from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.jar

http://www.f-secure.com/tools/f-bagle.jar

Manual Disinfection

Manual disinfection of Bagle consists of the following steps:

1. Delete the registry value and restart the computer:

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe]

 or terminate the running 'au.exe' process with Task Manager.

2. Delete the worm from the Windows System Directory:

 %SysDir%\au.exe




Detailed Description

The worm executable has an icon representing an audio file.

Once run, the worm launches the Windows "Sound Recorder" by executing the Windows application "sndrec32.exe", so that the file appears to behave like the audio clip its icon suggests.

System Infection

The worm copies itself to:

 %sysdir%\au.exe

and modifies the registry to point to it:

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
 "au.exe" = %sysdir%\au.exe

Here %sysdir% is the Windows System folder.

The following keys will also be used by the worm:

 [HKCU\SOFTWARE\Windows2000\gid]

 [HKCU\SOFTWARE\Windows2000\frn]

The worm will access four different URLs contained within its body. They are located on three different web sites:

 www.47df.de
 www.strato.de
 intern.games-ring.de

The URLs point to PHP files, to which the worm posts information about the infected host, namely the port on which the backdoor is listening and a randomly generated ID. Some of those hosts are already unavailable.

The worm attempts to contact all of those URLs every 166 minutes, checking on every iteration whether its internal deadline has been reached.

Email Propagation

The worm will send e-mails with the following characteristics:

Subject line is:

 Subject: ID <random characters>... thanks

The body of the message will have the following format:

 Yours ID <random characters>
 --
 Thank

The attachment name will be:

 <random characters>.exe

It will harvest addresses from files with the extensions:

 .html
 .htm
 .wab
 .txt

It will avoid sending mail to addresses containing any of the following text strings:

 .r1u
 @hotmail.com
 @msn.com
 @microsoft
 @avp.
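The mail characteristics above (subject line, body format and .exe attachment) can be turned into a mail-gateway triage check. The Python below is added here as an example and is not part of F-Secure's description or its F-BAGLE tool; the regular expressions are assumptions derived from the formats listed on this page, the 11264-byte size comes from the SIZE field, and the sample message is constructed.

```python
import email, re

# Indicators from the description above: subject/body format, .exe attachment, file size.
SUBJECT_RE = re.compile(r"^ID\s+.+?\.\.\.\s*thanks$", re.IGNORECASE)
BODY_RE = re.compile(r"Yours ID\s+\S+\s*\n\s*--\s*\n\s*Thank")
WORM_SIZE = 11264  # SIZE field of this description, in bytes

def bagle_b_indicators(raw):
    """Check a raw RFC 822 message against each Bagle.B mail characteristic."""
    msg = email.message_from_string(raw)
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            break
    # (filename, decoded size) of every attachment with an .exe extension
    exes = [(p.get_filename(), len(p.get_payload(decode=True) or b""))
            for p in msg.walk() if (p.get_filename() or "").lower().endswith(".exe")]
    return {
        "subject": bool(SUBJECT_RE.match((msg.get("Subject") or "").strip())),
        "body": bool(BODY_RE.search(body)),
        "exe_attachment": bool(exes),
        "size_match": any(size == WORM_SIZE for _, size in exes),
    }

def is_suspected_bagle_b(raw):
    """Subject, body and .exe attachment together form the mail fingerprint."""
    hits = bagle_b_indicators(raw)
    return hits["subject"] and hits["body"] and hits["exe_attachment"]

# Constructed sample in the worm's mail format; the attachment is a 16-byte
# stand-in rather than the 11264-byte worm, so size_match stays False.
SAMPLE = """Subject: ID ab8jq2... thanks
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Yours ID ab8jq2
--
Thank
--b1
Content-Type: application/octet-stream; name="kq7x.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""
```

A size match on a real 11264-byte attachment raises confidence, but the subject/body/attachment combination alone is enough to quarantine for analysis.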

Payload

This variant also contains a backdoor that listens on port 8866. It provides remote access to the computer where the worm is running, allowing the attacker to download and run any executable sent to the backdoor in a specific format.




Detection

F-Secure Anti-Virus detects the Bagle.B worm with the update published on February 17th, 2004.

[FSAV_Database_Version]

Version=2004-02-17_02




Description: Katrin Tocheva, February 17th, 2004;

Technical Details: Ero Carrera, February 17th, 2004;

F-Secure Corporation