W32/Bagle.u@MM
- Type: Virus
- SubType: E-mail worm
- Discovery Date: 03/26/2004
- Length: 8,208 bytes (FSG packed)
- Minimum DAT: 4344 (03/26/2004)
- Updated DAT: 5073 (07/12/2007)
- Minimum Engine: 5.1.00
- Description Added: 03/26/2004
- Description Modified: 04/13/2004 8:59 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Bagle.U (F-Secure)
- W32.Beagle.U@mm (NAV)
- W32/Bagle-U (Sophos)
Characteristics
-- Update 13th April 2004 PDT --
This threat has had its risk assessment downgraded to Low-Profiled due to decreased prevalence.
--
-- Update 26th March 2004 03:21 PST --
This threat has had its risk assessment upgraded to Medium due to increased prevalence.
--
This is a new variant of W32/Bagle@MM. It is packed with the FSG executable packer.
If you think that you may be infected with Bagle.u and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products detect and remove the virus with the latest update (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus forges the From address using a harvested address.
Mail Propagation
This variant mass-mails itself to recipients extracted from the victim machine. Addresses are harvested from files with the following extensions:
- .wab
- .txt
- .msg
- .htm
- .shtm
- .stm
- .xml
- .dbx
- .mbx
- .mdx
- .eml
- .nch
- .mmf
- .ods
- .cfg
- .asp
- .php
- .pl
- .wsh
- .adb
- .tbb
- .sht
- .xls
- .oft
- .uin
- .cgi
- .mht
- .dhtm
- .jsp
The mails are formatted as follows:
- From: (spoofed, using one of the harvested email addresses)
- Subject: (blank)
- Body: (blank)
- Attachment: randomly named executable with a .EXE extension
The worm does not mail itself to addresses containing the following:
- @avp.
- @microsoft
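The message shape described above (blank Subject, blank body, one randomly named .EXE attachment, spoofed From) is specific enough to act on at a mail gateway. The following is an added example written for this page, not McAfee code: a heuristic that flags a message only when all three traits coincide, and deliberately ignores the From header because it is forged. Both sample messages are constructed; the attachment name is a placeholder (the real one is random) and its content is the word "dummy", not the worm.

```python
"""Mail-gateway heuristic for the message shape W32/Bagle.u@MM sends.

Added example, not McAfee code. A message is flagged only when all three
traits coincide: blank Subject, blank body, and a single .EXE attachment.
The From header is ignored on purpose: it is spoofed from a harvested
address, so it identifies neither the sender nor the victim.
"""
import email
from email import policy

# Constructed sample in the worm's shape. The attachment name is a made-up
# placeholder (the real one is random); its content is "dummy", not the worm.
SAMPLE_WORM_MAIL = b"""\
From: alice@example.net
To: bob@example.org
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"


--b1
Content-Type: application/octet-stream; name="xq7pl.exe"
Content-Disposition: attachment; filename="xq7pl.exe"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN_MAIL = b"""\
From: carol@example.net
To: bob@example.org
Subject: Q2 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Attached as discussed.
--b2
Content-Type: application/pdf; name="q2.pdf"
Content-Disposition: attachment; filename="q2.pdf"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b2--
"""


def parse(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage (the modern email API)."""
    return email.message_from_bytes(raw, policy=policy.default)


def attachment_names(msg):
    """File names of every part marked as an attachment or carrying a filename."""
    return [part.get_filename() or ""
            for part in msg.walk()
            if part.get_content_disposition() == "attachment" or part.get_filename()]


def body_is_blank(msg):
    """True when the best text part is absent or contains only whitespace."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()


def looks_like_bagle_u(msg):
    """Return (flagged, reasons); flagged only when all three traits are present."""
    reasons = []
    if not str(msg.get("Subject") or "").strip():
        reasons.append("blank subject")
    if body_is_blank(msg):
        reasons.append("blank body")
    names = attachment_names(msg)
    if len(names) == 1 and names[0].lower().endswith(".exe"):
        reasons.append("single .exe attachment: " + names[0])
    return len(reasons) == 3, reasons


if __name__ == "__main__":
    for label, raw in (("worm-shaped", SAMPLE_WORM_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        flagged, reasons = looks_like_bagle_u(parse(raw))
        print(f"{label}: flagged={flagged} reasons={reasons}")
```

Requiring all three traits keeps the false-positive rate down: a blank subject or a bare executable on its own is common in legitimate mail, the combination is not. A gateway that blocks .EXE attachments outright needs none of this; the heuristic is for environments that still let executables through.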
Remote Access Component
The worm also opens a backdoor on the victim machine, listening on TCP port 4751.
The worm sends notification via HTTP to a remote script (notification contains port number and ID number). Users should block outgoing HTTP traffic to the following domain:
- http://www.werde.de
The exact functionality offered by this backdoor is under investigation. It is suspected that it may allow for the downloading and execution of other files (akin to that for W32/Mydoom.a@MM ).
Symptoms
- Existence of the files and Registry keys detailed below.
- TCP port 4751 open (listening).
- Outgoing HTTP traffic to the following domain:
- http://www.werde.de
- The MSHEARTS.EXE (Hearts) game is launched, if present on the victim machine, when the worm executes under any name other than GIGABIT.EXE, which is the case when the mailed attachment is opened.
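The two network symptoms above (the HTTP notification to www.werde.de and traffic to TCP port 4751) are the ones a proxy or firewall log will show. The following is an added example written for this page, not McAfee code: detection logic run over constructed proxy and firewall log lines. The line format is a made-up generic one, and the beacon path and query parameters in the first sample line are invented for illustration (the page gives only the host and says the notification carries a port number and an ID); matching is on the URL host and the destination port, so it does not depend on those details.

```python
"""Detection over constructed log lines for the W32/Bagle.u@MM network
indicators: outgoing HTTP to www.werde.de (the notification beacon) and
connections to TCP port 4751 (the backdoor).

Added example, not McAfee code. The log format and the beacon URL path/query
in the samples are invented; the page gives only the host and the port.
"""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_HOST = "www.werde.de"
BACKDOOR_PORT = 4751

URL_RE = re.compile(r"https?://[^\s\"']+")
# "src:port -> dst:port" as written in the constructed firewall lines below.
CONN_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")

# Constructed sample: two proxy lines, two firewall lines, one look-alike host.
SAMPLE_LOGS = """\
2004-03-26T10:14:02Z proxy 10.0.0.17 GET http://www.werde.de/notify.php?port=4751&id=1234 200
2004-03-26T10:14:05Z proxy 10.0.0.17 GET http://www.example.com/index.html 200
2004-03-26T10:15:11Z fw 192.0.2.44:3312 -> 10.0.0.17:4751 TCP ACCEPT
2004-03-26T10:15:12Z fw 10.0.0.22:50111 -> 10.0.0.5:80 TCP ACCEPT
2004-03-26T10:16:40Z proxy 10.0.0.31 GET http://werde.de.example.org/ 200
"""


def classify_line(line):
    """Return the indicator names matched by one log line (empty list if none)."""
    hits = []
    m = URL_RE.search(line)
    if m:
        url = urlsplit(m.group(0))
        # Exact host match: a look-alike such as werde.de.example.org is not a hit.
        if (url.hostname or "").lower() == BEACON_HOST:
            hits.append("http-beacon-host")
            # The page says the notification carries the port and an ID number;
            # the parameter names are an assumption, so this is a bonus signal only.
            query = parse_qs(url.query)
            if any(str(BACKDOOR_PORT) in values for values in query.values()):
                hits.append("beacon-reports-backdoor-port")
    c = CONN_RE.search(line)
    if c:
        src, _sport, dst, dport = c.groups()
        if int(dport) == BACKDOOR_PORT:
            hits.append(f"backdoor-port-connection:{src}->{dst}")
    return hits


def scan_log(text):
    """Return [(line_number, hits)] for every line that matched an indicator."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        hits = classify_line(line)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

The beacon hit identifies the infected client (the proxy's client address); the port-4751 hit identifies the destination host as the one running the backdoor and the source as whoever is talking to it. Both are worth an alert, the second more so, since it means the backdoor is being used rather than merely open.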
Method of Infection
The worm installs itself into %SysDir% as GIGABIT.EXE, for example:
- C:\WINNT\SYSTEM32\GIGABIT.EXE
The following Registry value is added to hook system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "gigabit.exe" = %SysDir%\gigabit.exe
(where %SysDir% is the Windows system directory, e.g. C:\WINNT\SYSTEM32)
Because the hook lives under HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE, it applies only to the user profile under which the worm ran.
The following Registry key is created:
- HKEY_CURRENT_USER\Software\Windows2004
Two values, "fr1n" and "gsed", are stored within this key.
The worm checks the system date when it is executed; if it is 1 January 2005 or later, it terminates.
Removal
All Users:
Use the specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Stinger has been updated to assist in detecting and repairing this threat.
Manual Removal Instructions
To remove this worm manually, follow the instructions below:
- Terminate the GIGABIT.EXE process using Windows Task Manager.
- Delete the following Registry key and value (see Information on deleting registry keys):
- HKEY_CURRENT_USER\Software\Windows2004
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "gigabit.exe" = %SysDir%\GIGABIT.EXE
- Delete the following file:
- %SysDir%\GIGABIT.EXE
(where %SysDir% is the Windows system directory, e.g. C:\WINNT\SYSTEM32)
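The host indicators from Method of Infection (the dropped file, the HKCU Run value, the Windows2004 marker key, the kill date) and the three manual removal steps above fit naturally in one script. The following is an added example written for this page, not McAfee tooling: a read-only sweep for those indicators that, when asked, carries out the manual steps in the order given (stop the process, delete the Run value and the marker key, delete the file). Registry access uses the standard winreg module and so needs Windows; on other platforms those checks report nothing. Because the hook is under HKEY_CURRENT_USER, the script must run in the infected user's profile. The default %SysDir% of %SystemRoot%\system32 is an assumption taken from the page's C:\WINNT\SYSTEM32 example.

```python
"""Host-side check for the W32/Bagle.u@MM indicators, with the manual
removal steps applied when asked.

Added example, not McAfee tooling. Read-only by default; run with --remove
(or sweep(remove=True)) in the infected user's profile to apply the manual
steps. Registry checks need Windows; elsewhere they report nothing.
"""
import ntpath
import os
import subprocess
import sys
from datetime import date

DROPPED_NAME = "gigabit.exe"                                # copy placed in %SysDir%
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKCU
MARKER_KEY = r"Software\Windows2004"                        # holds values "fr1n" and "gsed"
KILL_DATE = date(2005, 1, 1)                                # worm exits on or after this date


def dropped_file_path(sysdir=None):
    """%SysDir%\\GIGABIT.EXE; %SysDir% defaults to %SystemRoot%\\system32 (assumption)."""
    if sysdir is None:
        sysdir = ntpath.join(os.environ.get("SystemRoot", r"C:\WINNT"), "system32")
    return ntpath.join(sysdir, DROPPED_NAME)


def suspicious_run_values(run_values):
    """Names of Run values whose data is a path to gigabit.exe, whatever %SysDir% is.

    run_values maps value name -> data as read from the Run key; quoted paths are accepted.
    """
    return sorted(name for name, data in run_values.items()
                  if ntpath.basename(str(data).strip('"')).lower() == DROPPED_NAME)


def kill_date_reached(today):
    """The worm checks the date at start-up and terminates on 1 Jan 2005 or later."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return today >= KILL_DATE


def read_run_values():
    """HKCU Run values as a dict; {} when not on Windows or the key is missing."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:        # no more values
                    break
                values[name] = data
                index += 1
    except OSError:
        pass
    return values


def marker_key_present():
    """True when HKCU\\Software\\Windows2004 exists (Windows only)."""
    if sys.platform != "win32":
        return False
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_KEY))
        return True
    except OSError:
        return False


def sweep(remove=False):
    """Return a list of findings; with remove=True also apply the manual removal steps."""
    findings = []
    path = dropped_file_path()
    if os.path.exists(path):
        findings.append("file present: " + path)
    hooked = suspicious_run_values(read_run_values())
    for name in hooked:
        findings.append(f"Run value {name!r} -> {DROPPED_NAME}")
    if marker_key_present():
        findings.append("HKCU\\" + MARKER_KEY + " present")
    if remove and findings and sys.platform == "win32":
        import winreg
        # 1. Terminate the running process first, or the file delete below fails.
        subprocess.run(["taskkill", "/F", "/IM", DROPPED_NAME], check=False)
        # 2. Remove the start-up hook and the marker key.
        if hooked:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
                for name in hooked:
                    winreg.DeleteValue(key, name)
        try:
            winreg.DeleteKey(winreg.HKEY_CURRENT_USER, MARKER_KEY)
        except OSError:
            pass
        # 3. Delete the dropped executable.
        if os.path.exists(path):
            os.remove(path)
    return findings


if __name__ == "__main__":
    for line in sweep(remove="--remove" in sys.argv) or ["no Bagle.u indicators found"]:
        print(line)
```

The Run-value match is on the file name rather than the full path so that a non-default %SysDir% still matches. After the kill date the worm exits on start-up, so a host past 1 January 2005 may still carry the file and Registry entries without any running process; the sweep reports them regardless.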
Additional Windows ME/XP removal considerations
McAfee Threatscan
ThreatScan users can detect hosts infected with Bagle.u by running a Resource Discovery task with the following settings:
- Select the Port Scan option
- Select TCP Port Scan
- Enter the port number: 4751
McAfee Desktop Firewall
To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 4751.
Sniffer Customers:
Filters have been developed that will look for traffic for the .G, .H and .J variants of W32/Bagle [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].
Variants
N/A