This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Manual disinfection of Bagle consists of the following steps:
- Delete the registry value [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe]
- and restart the computer
- Terminate the running 'bbeagle.exe' process with Task Manager
- Then delete the worm's executable file from the Windows System Directory (%SysDir%\bbeagle.exe).
F-Secure can confirm that the remote removal method found by Joe Stewart of Lurhq does indeed work ( please note that the usage of this method against someone else's computers may be legally questionable).
Sending a specific byte sequence to port 6777 on the infected computers causes the worm to delete itself from the System Directory and terminate its process. The registry values are not removed but since the file does not exist Windows will ignore those.
The byte sequence to be sent:
- 0x43 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x04 0x31 0x32 0x00
Email-Worm:W32/Bagle is a very large family of worms that generally distribute themselves in infected e-mail file attachments. Once executed, the worm installs a backdoor on the infected machine, then propagates itself.
Bagle has been programmed to stop spreading on 28th of January. Due to the large number of variants in the family, many later variants have significant differences from the earlier variants. The details below apply to the Bagle.A variant.
Bagle was first discovered on 18th of January, 2004.
Upon execution Bagle copies itself to the Windows System Directory with the filename 'bbeagle.exe'. This file is added to the registry as
to ensure that the worm will be activated when Windows starts.
To indicate whether the worm was run for the first time it creates another value in the registry as
When started the first time the worm starts the Windows Calculator (calc.exe) to conceal its presence.
Bagle recursively searches all drives on the infected computer to locate Windows Address Book (WAB) files, text and HTML. It parses these files and collects all email addresses it can find.
Files with the following extensions are checked:
Using its own SMTP engine Bagle sends messages with infected attachments to the collected addresses. The SMTP engine uses direct Mail eXchange (MX) lookup on the target domain so it does not depend on email settings of the infected computer.
The emails Bagle sends have the following characteristics:
- Subject: Hi
- Body:Test =) -- Test, yep.
- Attachment: [random characters].exe
The mailer routine will ignore all the addresses that contain the any of these strings:
Bagel contains a backdoor that listens on a TCP port 6777 which is hardcoded in the worm's body. This backdoor component provides remote access to the infected computer. It can be used to download and execute arbitrary programs from the Internet.
When the worm is started it connects to a list of predefined web servers and tries to access a PHP file with certain parameters. One of the parameters is the TCP port where the backdoor is listening which suggests that this functionality is used to collect the addresses of infected computers. Bagle has reportedly tried to download the Mitglieder trojan to some infected computers.
The following picture briefly shows the structure of the Bagle worm, which can be appreciated in full detail in the PDF graph available from http://www.f-secure.com/virus-info/v-pics/bagle-a.pdf.
The following table shows the country distribution of the infections. On each column the number indicates the percentage over the total number of infected machines, and the 2 letter code indicates the country or geographical area where the infected computers have been located.
- 15.30% CN 1.03% CZ
- 12.53% KR 1.00% NO
- 11.39% US 0.93% IL
- 11.06% AU 0.91% CA
- 5.97% DE 0.87% PL
- 5.19% FR 0.79% -- (Unknown location)
- 3.33% JP 0.71% SE
- 3.01% HK 0.66% ID
- 2.35% GB 0.59% LT
- 2.14% EU 0.56% RU
- 2.08% IN 0.56% CH
- 1.92% TW 0.54% AT
- 1.90% DK 0.48% NZ
- 1.69% MY 0.45% PH
- 1.37% ES 0.44% BR
- 1.20% TH 0.44% FI
- 1.15% TR 0.40% SG
- 1.05% IT 0.35% BE
Note 1: The table only displays the first 36 entries.
Note 2: The data used when creating the table only contains infected computers up to the 19th of January, 2004 at 17:26 GMT+1 The following graph shows the increase in activity created by the worm from 19th of January at 00:00 (GMT+1) up to the same day at 17:15 (GMT+1). The red line indicates the total number of hits received by a given web server. The green line shows the increase in number of infected machines, starting from around 300 and growing near 80.000 unique machines by the end of the monitoring period shown in the graph.