New Worm/Virus: Bagle
by Rob Zorn
from the February 2004 Newsletter
Bagle is a new mass-mailing worm that has been coming on strong since last weekend. Upon infection the worm opens an unassigned port, on which it listens for commands from the original writer.
The worm is also called "Bagel" and "Beagle", as the writer has included the word "beagle" throughout the code. It is a very basic worm in terms of both functionality and social engineering; so much so that, initially, antivirus researchers expected little from it. However, people seem to be clicking on it nevertheless, and its spread has therefore been rapid.
Bagle's message uses the subject line "Hi", and the message body contains randomly generated gibberish, as in the example below:

    Test =)
    rjptxjqstsqgtrployrq
    --
    Test, yep.

The worm attached to the message looks like the Windows calculator icon. The worm uses a random name for the attached copy, which is probably designed to prevent administrators from blocking a specific file name.
If the attachment is run, the worm first checks that the computer's internal calendar reads a date earlier than 28 January 2004; if it reads a later date, the program terminates itself. If the date is earlier than 28 January, the worm launches the Windows calculator (calc.exe) as a smokescreen while it copies itself to the Windows system directory as "bbeagle.exe". It also creates a registry key so that it runs at start-up.
The worm then searches various files on the infected system, including the Windows address book and cached Web pages, for e-mail addresses. It then sends copies of itself to those addresses using its built-in e-mail engine.
The fact that Bagle (possibly from Germany or Russia) listens for what are presumably commands from its maker, and that it deactivates after 28 January, is a concern. It is likely that this is part of some update functionality in preparation for a more severe attack later. However, it appears that a bug in the worm may be preventing this functionality from working.
Removing the worm is relatively easy, and a removal tool can be downloaded from the Norman antivirus site at http://www.norman.com/virus_info/w32_bagle_a_mm.shtml.
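As an added illustration (not part of the original newsletter, and not a vendor tool), the following Python filter flags messages that show the Bagle indicators described above: the "Hi" subject, the "Test =)" / "Test, yep." body lines, and an executable attachment of any name, since the file name is random. The sample messages and addresses are constructed for the example.

```python
"""Flag e-mails matching the Bagle.A pattern described in the newsletter."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the newsletter text. The attachment name is random,
# so we match on the .exe extension rather than on a file name.
BAGLE_SUBJECT = "hi"
BAGLE_BODY_MARKERS = ("test =)", "test, yep.")


def exe_attachment_names(msg: EmailMessage) -> list:
    """Return the file names of all .exe attachments in the message."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".exe"):
            names.append(name)
    return names


def looks_like_bagle(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the Bagle indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().rstrip(",.! ").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = {
        "subject": subject == BAGLE_SUBJECT,
        "body": any(marker in body for marker in BAGLE_BODY_MARKERS),
        "exe_attachment": bool(exe_attachment_names(msg)),
    }
    # Require the executable plus at least one text indicator, so an
    # ordinary "Hi" message without an .exe is not flagged.
    hits["match"] = hits["exe_attachment"] and (hits["subject"] or hits["body"])
    return hits


def build_sample(subject: str, body: str, attach_name) -> bytes:
    """Constructed sample message (not a real capture); addresses are dummies."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name:  # stand-in bytes, not the worm
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


SAMPLE_BAGLE = build_sample("Hi", "Test =)\nrjptxjqstsqgtrployrq\n--\nTest, yep.\n", "rjptxjq.exe")
SAMPLE_CLEAN = build_sample("Hi", "Lunch tomorrow?\n", None)
```

Running `looks_like_bagle` over each sample returns a dictionary of which indicators fired, so a mail gateway can log the individual hits rather than only the final verdict.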
Customers are encouraged to update their virus definitions and to avoid clicking attachments they are unsure of. Those subscribed to the Actrix CyberScan anti-virus service can be assured that it is picking up and removing the virus.
More information on the virus is available from:
http://www.stuff.co.nz/stuff/0,2106,2788620a28,00.html
http://www.norman.com/virus_info/w32_bagle_a_mm.shtml