Summary
This type of worm is embedded in an email attachment, and spreads using the infected computer's emailing networks.
Removal
For removal instructions specific to Bagle infections, see Email-Worm:W32/Bagle.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First, check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Email-Worm:W32/Bagle.B was first found on 17th of February 2004. Once installed, Bagle.B installs a backdoor on the infected machine and attempts to communicate details of the host to a remote site.
Bagle.B propagates using messages with the subject 'ID [random string]... thanks' and random EXE attachment names. The worm's executable file, which was attached to the messages, used an icon representing an audio file.
Fortunately, Bagle.B was programmed to stop spreading on 25th of February 2004.
Installation
On execution, the worm launchs the Windows "Sound Recorder", executing the Windows application "sndrec32.exe", as a decoy.
The worm copies itself to:
- %sysdir%\au.exe
and modifies the registry to point to it:
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]"au.exe" = %sysdir%\au.exe
Where %sysdir% is the Windows System folder.
The following keys will also be used by the worm:
- [HKCU\SOFTWARE\Windows2000\gid]
- [HKCU\SOFTWARE\Windows2000\frn]
Activity
The worm will access four different URLs contained within its body. They are located on three different web sites:
- www.47df.de
- www.strato.de
- intern.games-ring.de
The target of the URLs are PHP files, to which the worm will post information about the infected host, namely the port where the backdoor is listening and a randomly generated ID. Some of those hosts are already unavailable.
The worm will attempt to contact all of those URLs every 166 minutes, checking in every iteration whether its internal deadline has been reached.
This variant also contains a backdoor that will listen on port 8866. It provides access to the computer where the worm is running, where it allows to download and run any executable sent to the backdoor with a given format.
Email Propagation
The worm will send emails with the following characteristics:
- Subject: ID [random characters] ... thanks
- body: Yours ID [random characters] -- Thank
- Attachment: [random characters].exe
To find new victims, the worm harvests addresses from files with the extensions:
- .html
- .htm
- .wab
- .txt
It will avoid sending mail to addresses containing any of the following text strings:
- .r1u
- @hotmail.com
- @msn.com
- @microsoft
- @avp.
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
Award‑winning antivirus and malware protection
Online browsing, banking, and shopping protection
24/7 online identity and data breach monitoring
Unlimited VPN service to safeguard your privacy
Password manager with private data protection
Choose how many devices you want to protect to get started.
Free customer support
Cancel anytime
The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.