Security Threat Advisory
INVISUS Computer Security
January 20, 2004

Bagle Worm Installs a Backdoor, Trojan horse

Discovered on January 18th, the Bagle-A worm (also known as Beagle-A) is an easy-to-recognize mass-mailing virus distributed as an e-mail attachment. When the recipient opens or runs the attachment, the worm installs a program on the victim's computer that e-mails the worm on to the addresses in the system's local address book. The worm also attempts to install a backdoor (Trojan horse) on infected machines, listening for connections on port 6777. As the first significant new worm of the New Year, Bagle appears to have originated in Australia and is set to stop running on January 28th, 2004, suggesting that tuned variants of the worm could appear as early as next week.

The e-mail message arrives looking like a test message from someone. The attachment carries the Windows Calculator icon and launches Calc.exe to fool the user into thinking the calculator is all that ran. When a user executes Bagle's attachment, the virus copies itself as "bbeagle.exe" into the Windows System folder and adds the following registry value so that it runs when the system is started:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, "d3update.exe" = "%system%\bbeagle.exe"

It also creates two more registry keys:

HKEY_CURRENT_USER\Software\Windows98, "uid" = "[Random Value]"
HKEY_CURRENT_USER\Software\Windows98, "frun" = "1"

Once running, Bagle attempts to connect to a PHP script on a series of internally hard-coded web sites. The virus also listens on port 6777 for a malicious user (hacker) to connect.

Bagle's creators, like the authors of many previous successful worms, have relied on the ignorance and curiosity of e-mail users for the worm's success. Given that most corporate e-mail servers block transmission of executable attachments, it is believed that home and medium-size business users are responsible for spreading the new worm. Another possible factor in the worm's success is that its creators programmed it to avoid e-mailing itself to a handful of popular domains, evading swift detection by dominant Web enterprises such as Hotmail and MSN and by a large Russian computer security agency. Users who suspect their computers may be infected should look for a file called bbeagle.exe in their Windows System directory.

Details & Recommendations

Top Recommendation:

Do not open email attachments you were not expecting, even from people you know. Be sure you have the latest anti-virus update on your system.

What To Look For:

Subject Lines:

Hi!

Attachments:

Uses a random file name with the .EXE extension.

Sender's Address:

Varies. The "From" address is spoofed, and may appear to come from someone you know.

Email Body Text:

Test =)
rjptxjqstsqgtrployrq
--
Test, yep.
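The indicators above (subject "Hi!", the "Test =)" body with a random string, a randomly named .EXE attachment) can be matched by a mail-gateway filter. The script below is an added example written for this advisory, not a tool from INVISUS; the message it scans is constructed to mirror the description, and the sender address is ignored because the advisory notes it is spoofed.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

# Indicators taken from the advisory: subject "Hi!", a body that starts
# "Test =)" followed by a random lowercase string and "Test, yep.", and a
# randomly named .EXE attachment. The spoofed "From" address is not used.
BAGLE_SUBJECT = "hi!"
BAGLE_BODY_RE = re.compile(r"^Test =\)\r?\n[a-z]+\r?\n--\r?\nTest, yep\.", re.M)


def bagle_indicators(raw: bytes) -> List[str]:
    """Return the Bagle-A mail indicators matched by a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == BAGLE_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BAGLE_BODY_RE.search(body.get_content()):
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".exe"):
            hits.append("exe-attachment:" + name)
    return hits


def is_bagle_like(raw: bytes) -> bool:
    """Flag a message only when subject, body and an .EXE attachment all match."""
    hits = bagle_indicators(raw)
    return "subject" in hits and "body" in hits and any(h.startswith("exe-attachment") for h in hits)


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    # Constructed test message (hypothetical addresses, not a captured sample).
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


SAMPLE_WORM = build_sample("Hi!", "Test =)\nrjptxjqstsqgtrployrq\n--\nTest, yep.\n", "qjkwl.exe")
SAMPLE_BENIGN = build_sample("Hi!", "Hello, here is the report you asked for.\n", "report.pdf")

if __name__ == "__main__":
    print(bagle_indicators(SAMPLE_WORM), is_bagle_like(SAMPLE_WORM))
```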