Bagle (Beagle) worm
| bagle-worm (14887) |  High Risk |
Description:
Bagle (also known as Beagle, W32/Bagle@MM, and W32.Beagle.A@mm) is a mass-mailing worm with the ability to access a remote Web site. Bagle uses an email to propagate, with the subject of "Hi" and the body of the message consisting of random characters as well as the phrases "Test =)" and "Test, yep."
Victims infect their system by opening the attached executable file, which has a random file name and is 15,872 bytes. If the local system date is greater than January 28, 2004, the worm does nothing. Otherwise, the worm installs itself, harvests addresses from several file types, and mails itself using its own mail application. The sender's address is forged using harvested addresses acquired during infection.
Platforms Affected:
- Microsoft, Windows 2000
- Microsoft, Windows 2003 Server
- Microsoft, Windows 95
- Microsoft, Windows 98
- Microsoft, Windows 98SE
- Microsoft, Windows Me
- Microsoft, Windows NT 4.0
- Microsoft, Windows XP
Remedy:
The X-Force has released the following Network Sensor 7.0 TRONS rule for the Bagle worm:
alert tcp any any -> any 25 (content: "Subject: Hi";content: "|0A| Test =)";msg: "Bagle Worm");
Proventia M customers are protected against the Bagle worm through Virus Protection.
For manual protection:
Use an up-to-date antivirus program to determine if the target computer is host to this worm. If the program detects a worm, follow its instructions to disinfect and repair the computer.
To manually remove the worm:
- In Windows Task Manager, locate and terminate the bbeagle.exe process.
- On Windows 9x and Windows Me, press CTRL-ALT-DELETE to display the Task Manager. On Windows NT, Windows 2000, and Windows XP, press CTRL-ALT-DELETE and select the Task Manager.
- On the Processes tab, highlight bbeagle.exe and then select End Process. Select Yes when the warning appears.
- Delete the bbeagle.exe file from the \windows\system32 \winnt\system32 directory.
- Use the Registry Editor to delete the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
Consequences:
Gain Access
References:
- Computer Associates Virus Information Center, Win32.Bagle.A at http://www3.ca.com/virusinfo/virus.aspx?ID=38019.
- McAfee Virus Information Library, W32/Bagle@MM at http://vil.nai.com/vil/content/v_100965.htm.
- Sophos Virus Information, W32/Bagle-A at http://www.snpx.com/cgi-bin/news5.cgi?target=www.sophos.com/virusinfo/analyses/w32baglea.html.
- Trend Micro Virus Encyclopedia, WORM_BAGLE.A at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.A.
- CVE-1999-0660: A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.
Reported:
Jan 18, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net