1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Email-Worm:W32/Bagle.B

Email-Worm:W32/Bagle.B

Name : Email-Worm:W32/Bagle.B
Category:Malware
Type:Email-Worm
Platform:W32

Summary

This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.

Disinfection

For removal instructions specific to Bagle infections, see Email-Worm:W32/Bagle.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Email-Worm:W32/Bagle.B was first found on 17th of February 2004. Once installed, Bagle.B installs a backdoor on the infected machine and attempts to communicate details of the host to a remote site.

Bagle.B propagates using messages with the subject 'ID [random string]... thanks' and random EXE attachment names. The worm's executable file, which was attached to the messages, used an icon representing an audio file.



Fortunately, Bagle.B was programmed to stop spreading on 25th of February 2004.


Installation

On execution, the worm launchs the Windows "Sound Recorder", executing the Windows application "sndrec32.exe", as a decoy.



The worm copies itself to:

  •  %sysdir%\au.exe

and modifies the registry to point to it:

  •  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
     "au.exe" = %sysdir%\au.exe

Where %sysdir% is the Windows System folder.

The following keys will also be used by the worm:

  •  [HKCU\SOFTWARE\Windows2000\gid]
  • [HKCU\SOFTWARE\Windows2000\frn]

Activity

The worm will access four different URLs contained within its body. They are located on three different web sites:

  •  www.47df.de
  • www.strato.de
  • intern.games-ring.de

The target of the URLs are PHP files, to which the worm will post information about the infected host, namely the port where the backdoor is listening and a randomly generated ID. Some of those hosts are already unavailable.

The worm will attempt to contact all of those URLs every 166 minutes, checking in every iteration whether its internal deadline has been reached.

This variant also contains a backdoor that will listen on port 8866. It provides access to the computer where the worm is running, where it allows to download and run any executable sent to the backdoor with a given format.


Email Propagation

The worm will send e-mails with the following characteristics:

  •  Subject: ID [random characters] ... thanks
  • body:
      
       Yours ID [random characters]
       --
      Thank
  • Attachment: [random characters].exe


To find new victims, the worm harvests addresses from files with the extensions:

  •  .html
  • .htm
  • .wab
  • .txt

It will avoid sending mail to addresses containing any of the following text strings:

  •  .r1u
  • @hotmail.com
  • @msn.com
  • @microsoft
  • @avp.