Threat Description

Email-Worm:​W32/Bagle

Details

Aliases: Email-Worm:​W32/Bagle
Category: Malware
Type: Email-Worm
Platform: W32

Summary



This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Manual Disinfection

Manual disinfection of Bagle consists of the following steps:

  • Delete the registry value [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe]
  • and restart the computer

OR

  • Terminate the running 'bbeagle.exe' process with Task Manager
  • Then delete the worm's executable file from the Windows System Directory (%SysDir%\bbeagle.exe).

Remote Removal

F-Secure can confirm that the remote removal method found by Joe Stewart of Lurhq does indeed work ( please note that the usage of this method against someone else's computers may be legally questionable).

Sending a specific byte sequence to port 6777 on the infected computers causes the worm to delete itself from the System Directory and terminate its process. The registry values are not removed but since the file does not exist Windows will ignore those.

The byte sequence to be sent:

  • 0x43 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x04 0x31 0x32 0x00


Technical Details



Email-Worm:W32/Bagle is a very large family of worms that generally distribute themselves in infected e-mail file attachments. Once executed, the worm installs a backdoor on the infected machine, then propagates itself.

Bagle has been programmed to stop spreading on 28th of January. Due to the large number of variants in the family, many later variants have significant differences from the earlier variants. The details below apply to the Bagle.A variant.

Bagle was first discovered on 18th of January, 2004.

Installation

Upon execution Bagle copies itself to the Windows System Directory with the filename 'bbeagle.exe'. This file is added to the registry as

  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe]

to ensure that the worm will be activated when Windows starts.

To indicate whether the worm was run for the first time it creates another value in the registry as

  • [HKCU\Software\Windows98\frun]

When started the first time the worm starts the Windows Calculator (calc.exe) to conceal its presence.

Propagation

Bagle recursively searches all drives on the infected computer to locate Windows Address Book (WAB) files, text and HTML. It parses these files and collects all email addresses it can find.

Files with the following extensions are checked:

  • .WAB
  • .TXT
  • .HTM
  • .HTML

Using its own SMTP engine Bagle sends messages with infected attachments to the collected addresses. The SMTP engine uses direct Mail eXchange (MX) lookup on the target domain so it does not depend on email settings of the infected computer.

The emails Bagle sends have the following characteristics:

  • Subject: Hi
  • Body: Test =) -- Test, yep.
  • Attachment: [random characters].exe

The mailer routine will ignore all the addresses that contain the any of these strings:

  • .r1
  • @hotmail.com
  • @msn.com
  • @microsoft
  • @avp.

Payload

Bagel contains a backdoor that listens on a TCP port 6777 which is hardcoded in the worm's body. This backdoor component provides remote access to the infected computer. It can be used to download and execute arbitrary programs from the Internet.

When the worm is started it connects to a list of predefined web servers and tries to access a PHP file with certain parameters. One of the parameters is the TCP port where the backdoor is listening which suggests that this functionality is used to collect the addresses of infected computers. Bagle has reportedly tried to download the Mitglieder trojan to some infected computers.

Notes

The following picture briefly shows the structure of the Bagle worm, which can be appreciated in full detail in the PDF graph available from http://www.f-secure.com/virus-info/v-pics/bagle-a.pdf.

Spreading Statistics

The following table shows the country distribution of the infections. On each column the number indicates the percentage over the total number of infected machines, and the 2 letter code indicates the country or geographical area where the infected computers have been located.

  • 15.30% CN 1.03% CZ
  • 12.53% KR 1.00% NO
  • 11.39% US 0.93% IL
  • 11.06% AU 0.91% CA
  • 5.97% DE 0.87% PL
  • 5.19% FR 0.79% -- (Unknown location)
  • 3.33% JP 0.71% SE
  • 3.01% HK 0.66% ID
  • 2.35% GB 0.59% LT
  • 2.14% EU 0.56% RU
  • 2.08% IN 0.56% CH
  • 1.92% TW 0.54% AT
  • 1.90% DK 0.48% NZ
  • 1.69% MY 0.45% PH
  • 1.37% ES 0.44% BR
  • 1.20% TH 0.44% FI
  • 1.15% TR 0.40% SG
  • 1.05% IT 0.35% BE

Note 1: The table only displays the first 36 entries.

Note 2: The data used when creating the table only contains infected computers up to the 19th of January, 2004 at 17:26 GMT+1 The following graph shows the increase in activity created by the worm from 19th of January at 00:00 (GMT+1) up to the same day at 17:15 (GMT+1). The red line indicates the total number of hits received by a given web server. The green line shows the increase in number of infected machines, starting from around 300 and growing near 80.000 unique machines by the end of the monitoring period shown in the graph.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More