
W32/Bagle@MM

Type
Virus
SubType
E-mail
Discovery Date
01/18/2004
Length
15,872 bytes
Minimum DAT
4316 (01/18/2004)
Updated DAT
4317 (01/21/2004)
Minimum Engine
5.1.00
Description Added
01/18/2004
Description Modified
01/23/2004 2:42 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update January 23, 2004 --
The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.

-- Update January 22, 2004 --
AVERT has received a slightly modified sample of this worm, which is detected with the same DATs and Engine as the initial variant. No field submissions of this modified sample have been received at the time of writing.

This is a mass-mailing worm with a remote access component.  The worm arrives in an email message with the following characteristics:

From: (address may be forged)
Subject: Hi
Body:
 Test =)
(random characters)
--
Test, yep.

Attachment: (random filename) 15,872 bytes

example:

frjujs.exe
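One way to turn the message characteristics above into a mail-gateway rule, as an added example in Python that is not part of the original AVERT description: it builds a constructed message with the same Subject, body framing and attachment length, then checks any message against those three indicators. The sample addresses, the random middle line and the zero-filled attachment are made up; only the subject text, the body framing, the .exe extension and the 15,872-byte length come from the page.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment length reported on the page for the original sample.
BAGLE_A_ATTACHMENT_SIZE = 15_872


def build_sample(size: int = BAGLE_A_ATTACHMENT_SIZE, filename: str = "frjujs.exe") -> bytes:
    """Constructed test message shaped like the Bagle.A mail described above.
    The attachment is zero-filled filler of the right length, not the worm."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"   # first message: the same harvested
    msg["To"] = "alice@example.org"     # address in both fields
    msg["Subject"] = "Hi"
    # "Test =)", a line of random characters, a "--" separator, "Test, yep."
    msg.set_content("Test =)\nqkzpv wfl\n--\nTest, yep.\n")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def classify(raw: bytes) -> dict:
    """Match one RFC 5322 message against the Bagle.A mail characteristics.
    Returns the individual checks plus an overall verdict; a gateway rule
    would quarantine on the verdict and log the checks for the analyst."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    checks = {}

    checks["subject"] = str(msg["Subject"] or "").strip() == "Hi"

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    lines = [ln.rstrip() for ln in body.strip().splitlines()]
    # First line, separator and last line are fixed; the middle is random.
    checks["body"] = (len(lines) >= 3
                      and lines[0] == "Test =)"
                      and lines[-2] == "--"
                      and lines[-1] == "Test, yep.")

    exe_sizes = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            exe_sizes.append(len(part.get_payload(decode=True) or b""))
    checks["attachment"] = BAGLE_A_ATTACHMENT_SIZE in exe_sizes

    checks["verdict"] = checks["subject"] and checks["body"] and checks["attachment"]
    return checks


if __name__ == "__main__":
    print(classify(build_sample()))
    print(classify(build_sample(filename="report.pdf")))
```

The length check is the weakest of the three: a repacked sample (the January 22 update mentions a slightly modified one) need not keep the same size, so a production rule should treat the size as supporting evidence and the subject plus body framing as the primary match.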

When the attachment is run, the virus checks the system date. If the date is January 28, 2004 or later, the virus simply exits and does not propagate. Otherwise, the virus runs the standard Windows calculator program CALC.EXE. Meanwhile, the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe and creates a registry value to load itself at system startup (the data below is from a Windows 2000 system, where %SysDir% is C:\WINNT\System32):

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe

Two additional values are created under a key of the worm's own, HKEY_CURRENT_USER\Software\Windows98:

  •  HKEY_CURRENT_USER\Software\Windows98 "frun"
  •  HKEY_CURRENT_USER\Software\Windows98 "uid"

Mass-mailing Component
The worm harvests addresses from files with the following extensions on the local system and mails itself to those recipients using its own SMTP engine:

  • .wab
  • .txt
  • .htm
  • .html

The virus forges the sender address by placing a harvested address in the FROM field. The first message uses the same harvested address in both the TO and FROM fields. The second message is sent to a different address while the FROM field stays the same. The third message is sent to a third address with the FROM field set to the second address, and so on: from the second message onward, each message's FROM is the previous message's TO.

The virus does not mass-mail itself to addresses containing any of the following strings:

  • @hotmail.com
  • @msn.com
  • @microsoft
  • @avp.
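The sender rotation and the exclusion list above, as an added example in Python (not code from the page or from the worm): expected_pairs reconstructs the (FROM, TO) sequence the description implies for a harvested list, and suspicious_hosts applies the inverse as a mail-log heuristic, flagging a sending host whose messages' FROM keeps matching the previous message's TO. The log format and all addresses are constructed for the example. The assumption that skipped recipients are dropped from the sender rotation as well is mine; the page only says the worm does not mail to them.

```python
import re

# Recipient substrings the page says the worm skips.
SKIP_SUBSTRINGS = ("@hotmail.com", "@msn.com", "@microsoft", "@avp.")


def is_skipped(addr: str) -> bool:
    """True if the worm would not mail itself to this recipient."""
    a = addr.lower()
    return any(s in a for s in SKIP_SUBSTRINGS)


def expected_pairs(harvested: list[str]) -> list[tuple[str, str]]:
    """(FROM, TO) pairs in the order described on the page: the first message
    carries the same address in both fields; every later message uses the
    previous recipient as its forged sender.
    Assumption (not stated on the page): skipped recipients are dropped from
    the list entirely, so they never appear as forged senders either."""
    targets = [a for a in harvested if not is_skipped(a)]
    pairs = []
    for i, to in enumerate(targets):
        sender = targets[i - 1] if i else to
        pairs.append((sender, to))
    return pairs


# Constructed outbound-SMTP log lines in a made-up format: host 10.0.0.7
# sends four messages whose senders lag the recipients by one message,
# host 10.0.0.9 is a normal helpdesk mailbox.
SAMPLE_LOG = """\
2004-01-18 10:01:03 10.0.0.7 from=<carol@example.org> to=<carol@example.org>
2004-01-18 10:01:04 10.0.0.7 from=<carol@example.org> to=<dave@example.net>
2004-01-18 10:01:05 10.0.0.7 from=<dave@example.net> to=<erin@example.com>
2004-01-18 10:01:06 10.0.0.7 from=<erin@example.com> to=<frank@example.org>
2004-01-18 10:02:10 10.0.0.9 from=<helpdesk@example.org> to=<bob@example.org>
2004-01-18 10:02:11 10.0.0.9 from=<helpdesk@example.org> to=<gina@example.org>
"""

LOG_RE = re.compile(r"^\S+ \S+ (?P<host>\S+) from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)>$")


def parse_log(text: str) -> dict[str, list[tuple[str, str]]]:
    """Group (FROM, TO) pairs per sending host, preserving message order."""
    by_host: dict[str, list[tuple[str, str]]] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            by_host.setdefault(m["host"], []).append((m["frm"].lower(), m["to"].lower()))
    return by_host


def from_lag_ratio(pairs: list[tuple[str, str]]) -> float:
    """Share of messages after the first whose FROM equals the previous
    message's TO. A value near 1.0 over a run of messages is the rotation
    described on the page; ordinary mail from one mailbox scores near 0."""
    if len(pairs) < 2:
        return 0.0
    hits = sum(1 for (_, prev_to), (frm, _) in zip(pairs, pairs[1:]) if frm == prev_to)
    return hits / (len(pairs) - 1)


def suspicious_hosts(text: str, threshold: float = 0.9, min_msgs: int = 3) -> list[str]:
    """Hosts with at least min_msgs messages whose lag ratio meets threshold."""
    by_host = parse_log(text)
    return sorted(h for h, p in by_host.items()
                  if len(p) >= min_msgs and from_lag_ratio(p) >= threshold)


if __name__ == "__main__":
    print(expected_pairs(["a@example.org", "b@hotmail.com", "c@example.net"]))
    print(suspicious_hosts(SAMPLE_LOG))
```

Because the FROM is a harvested address rather than the infected user's, the sending host (relay IP or authenticated session) is the only reliable key for grouping; grouping by FROM would scatter one infection across many apparent senders.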

Remote Access Component
The virus listens on TCP port 6777 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by contacting the following websites, requesting a PHP script on each. At the time of this writing this script does not exist on any of these sites.

  • www.elrasshop.de
  • www.it-msc.de
  • www.getyourfree.net
  • www.dmdesign.de
  • 64.176.228.13
  • www.leonzernitsky.com
  • 216.98.136.248
  • 216.98.134.247
  • www.cdromca.com
  • www.kunst-in-templin.de
  • vipweb.ru
  • antol-co.ru
  • www.bags-dostavka.mags.ru
  • www.5x12.ru
  • bose-audio.net
  • www.sttngdata.de
  • wh9.tu-dresden.de
  • www.micronuke.net
  • www.stadthagen.org
  • www.beasty-cars.de
  • www.polohexe.de
  • www.bino88.de
  • www.grefrathpaenz.de
  • www.bhamidy.de
  • www.mystic-vws.de
  • www.auto-hobby-essen.de
  • www.polozicke.de
  • www.twr-music.de
  • www.sc-erbendorf.de
  • www.montania.de
  • www.medi-martin.de
  • vvcgn.de
  • www.ballonfoto.com
  • www.marder-gmbh.de
  • www.dvd-filme.com
  • www.smeangol.com

Symptoms

  • System listening on TCP port 6777
  • Presence of the file bbeagle.exe in the WINDOWS SYSTEM directory

Method of Infection

Manually executing an infected email attachment infects the local system, which is then used to email the virus to others.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed if cleaning with the recommended engine and DAT combination (or higher).

Stand-alone Remover
Stinger has been updated to include detection and removal for this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
   - WinNT/2K/XP - Terminate the process BBEAGLE.EXE.
2. Delete the file BBEAGLE.EXE from your WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32).
3. Edit the registry:
   • Delete the "d3dupdate.exe" value from HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • Optionally delete the HKEY_CURRENT_USER\Software\Windows98 key holding the "frun" and "uid" values the worm created; it is not a Windows key, and leaving it behind does not restart the worm.

Additional Windows ME/XP removal considerations

Sniffer Customers: Filters have been developed that will look for Bagle traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

McAfee Security ThreatScan:
ThreatScan signatures that can detect the W32/Bagle@MM virus are available.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Bagle (AVP)
  • W32.Beagle.A@mm (Symantec)
  • W32/Bagle-A (Sophos)
  • W32/Bagle.A@mm (F-Secure)
  • WORM_BAGLE.A (Trend)
