Bagle worm
Also known as:
W32/Bagle@MM, I-Worm.Bagle, W32.Beagle.A@mm
Type:
Mass-mailing email worm with remote access capabilities
Discovered:
January 18, 2004
Description:
The Bagle worm arrives via email with a Subject line of "Hi" and a body that reads:
- Test =)
Test, yep
The email carries a randomly named attachment with a .EXE extension. If the attachment is opened, it infects the recipient's system, launches the innocuous calc.exe (Calculator) program as a decoy, and modifies the registry so that it remains active after a reboot.
Bagle peruses .wab, .txt, .htm, and .html files found on the infected system to harvest email addresses in order to send itself to future victims. Bagle uses its own SMTP engine to send the email, thus copies of the infected sent mail will not appear in the mail client's Sent Items folder.
The Bagle worm also attempts to download and execute the Mitglieder a.k.a. Lohav Trojan which acts as a proxy and attempts to download further files from the Internet.
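The lure described above has three fixed traits (the "Hi" subject, the quoted body text, and an .EXE attachment whose name is random), which is enough for a simple gateway rule. The following Python is an added example, not code from the original write-up or from any vendor: it parses a raw RFC 822 message with the standard library and flags it only when all three traits are present. The sample messages, sender and recipient addresses, and attachment name are constructed for the example; the attachment bytes are a placeholder, not an executable.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Optional

# Lure traits taken from the write-up: subject "Hi" and the two body lines.
BAGLE_SUBJECT = "hi"
BAGLE_BODY_LINES = ("test =)", "test, yep")


def is_bagle_lure(raw_message: bytes) -> bool:
    """Return True when a raw message carries the Bagle lure: subject "Hi",
    both known body lines, and at least one attachment ending in .exe.
    The attachment name is random, so only the extension is checked."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)

    subject = str(msg["subject"] or "").strip().lower()
    if subject != BAGLE_SUBJECT:
        return False

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if not all(line in body for line in BAGLE_BODY_LINES):
        return False

    # iter_attachments() skips the body part and yields the rest.
    return any((part.get_filename() or "").lower().endswith(".exe")
               for part in msg.iter_attachments())


def build_sample(subject: str, body: str, attachment_name: Optional[str]) -> bytes:
    """Construct a sample message for testing (addresses and content are
    made up for this example; the attachment is inert placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not a real binary",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the lure as described, and a look-alike without the .exe.
SAMPLE_LURE = build_sample("Hi", "Test =)\nTest, yep", "qvmzk.exe")
SAMPLE_NO_ATTACHMENT = build_sample("Hi", "Test =)\nTest, yep", None)

if __name__ == "__main__":
    print("lure:", is_bagle_lure(SAMPLE_LURE))                 # True
    print("no attachment:", is_bagle_lure(SAMPLE_NO_ATTACHMENT))  # False
```

Requiring all three traits keeps false positives low on a mail gateway; a rule on the subject "Hi" alone would block ordinary mail, while the .EXE extension check alone is a policy decision rather than a Bagle signature.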
System impact:
Bagle drops the file bbeagle.exe to the Windows\System directory and modifies the System Registry as follows:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe
and
HKEY_CURRENT_USER\Software\Windows98 "frun"
HKEY_CURRENT_USER\Software\Windows98 "uid"
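The registry entries above are the host-side indicators a responder would check. The following Python is an added example, not code from the original write-up: it parses a registry export in .reg text form (the kind produced by `reg export` on Windows) and reports the Bagle indicators listed above, so it can be run offline against exports collected from several hosts. The parser handles only the subset of .reg syntax needed here (bracketed key names and quoted string values); the export text is constructed for the example, and the `bbeagle.exe` match is on the file name rather than the full `C:\WINNT\System32` path because the directory differs between Windows versions.

```python
import re
from typing import Dict, List

# Indicators from the write-up above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
RUN_VALUE_NAME = "d3dupdate.exe"
DROPPED_FILE = "bbeagle.exe"
MARKER_VALUES = {"frun", "uid"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key: {value_name: data}}. Keys and value names
    are lower-cased for case-insensitive matching; quoted string data has its
    doubled backslashes unescaped. Other value types are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            data = value_match.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][value_match.group(1).lower()] = data
    return keys


def bagle_registry_findings(text: str) -> List[str]:
    """Return one line per Bagle indicator found in the export."""
    keys = parse_reg_export(text)
    findings: List[str] = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name == RUN_VALUE_NAME or DROPPED_FILE in data.lower():
            findings.append(f"Run value {name!r} -> {data}")
    marker = keys.get(MARKER_KEY.lower())
    if marker is not None:
        for name in sorted(MARKER_VALUES & set(marker)):
            findings.append(f"marker value {name!r} under {MARKER_KEY}")
    return findings


# Constructed export of an infected host, laid out as reg export writes it.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="C:\\WINNT\\System32\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"frun"="1"
"uid"="placeholder-id"
'''

# Constructed export of a clean host with an ordinary Run entry.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for finding in bagle_registry_findings(INFECTED_EXPORT):
        print(finding)
    print("clean host findings:", bagle_registry_findings(CLEAN_EXPORT))  # []
```

Any finding from the Run key or the Windows98 marker key is enough to treat the host as infected, and since the worm pulls down further malware, the follow-up is a full antivirus scan rather than deleting the listed entries by hand.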
Manual removal:
Because the worm downloads other malware onto the system, manual removal is not recommended. If your system shows signs of a Bagle infection (e.g. the registry entries or the dropped file listed above), use up-to-date antivirus software to scan the system thoroughly for it and for any other malware.
Vendor Descriptions: