Virus Alert Notification

Win32.Bagle.B Worm
Alias: I-Worm.Bagle.b (Kaspersky),
W32.Beagle.B@mm (Symantec),
W32/Bagle.B@mm (F-Secure),
W32/Bagle.b@MM (McAfee),
Win32/Bagle.B.Worm,
WORM_BAGLE.B (Trend)
Category: Win32
Type: Worm
Published Date: 2/17/2004
Last Modified: 2/17/2004

CHARACTERISTICS

Win32.Bagle.B is an Internet worm that spreads via e-mail. It also contains backdoor functionality. The worm is an 11,264-byte, UPX-compressed Win32 executable.

Method of Installation
When executed, Bagle.B copies itself to the %System% directory as au.exe. This file uses the wave sound file icon.

If the worm does not run from "%System%\AU.EXE", it launches Sound Recorder, sndrec32.exe, to hide its activities.

It also adds the following registry key to ensure that this copy is executed at Windows start:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe = "%System%\au.exe"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for Windows 95, 98 and ME; and C:\Windows\System32 for Windows XP.

Additionally, it creates two further registry keys:

HKCU\SOFTWARE\Windows2000\gid = <eight digits>
HKCU\SOFTWARE\Windows2000\frn = 1
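The Run value and the two marker keys above are the host-side indicators a responder would look for. The following Python script is an added example and not part of the advisory: it parses a registry export in .reg format (the sample exports are constructed here, not captured from a real host), reports the au.exe Run value, the eight-digit gid and frn = 1 markers, and a listener on port 8866 (the backdoor port described under Payload). The set of listening ports is assumed to be supplied by the caller, for example from netstat output.

```python
import re

# Constructed .reg-style export from an infected host (sample data, not from the advisory).
INFECTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"au.exe"="C:\\WINNT\\System32\\au.exe"

[HKEY_CURRENT_USER\SOFTWARE\Windows2000]
"gid"="19452703"
"frn"=dword:00000001
"""

# Constructed export from a clean host: the Run key exists but carries no au.exe value.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"""

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
MARKER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\WINDOWS2000"
BACKDOOR_PORT = 8866  # advisory: the backdoor accepts connections on port 8866


def parse_reg_export(text):
    """Map each key path (upper-cased) to {value name (lower-cased): raw value text}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"').lower()] = value.strip()
    return keys


def find_bagle_b_indicators(reg_export, listening_ports):
    """Return the Bagle.B indicators present on the host; an empty list means none found."""
    hits = []
    keys = parse_reg_export(reg_export)

    # 1. Persistence: a Run value named au.exe that points at <System dir>\au.exe.
    au = keys.get(RUN_KEY, {}).get("au.exe")
    if au is not None:
        path = au.strip('"').replace("\\\\", "\\")  # .reg files escape backslashes
        if path.lower().endswith("\\au.exe"):
            hits.append("Run key value au.exe = " + path)

    # 2. Marker values the worm writes under HKCU\SOFTWARE\Windows2000.
    marker = keys.get(MARKER_KEY, {})
    gid = marker.get("gid", "").strip('"')
    if re.fullmatch(r"\d{8}", gid):
        hits.append("Windows2000\\gid = " + gid)
    if marker.get("frn", "").lower() in ("dword:00000001", '"1"'):
        hits.append("Windows2000\\frn = 1")

    # 3. Backdoor listener; the port set is assumed to come from netstat or equivalent.
    if BACKDOOR_PORT in listening_ports:
        hits.append("port %d listening" % BACKDOOR_PORT)
    return hits


if __name__ == "__main__":
    for hit in find_bagle_b_indicators(INFECTED_REG_EXPORT, {135, 139, 8866}):
        print("indicator:", hit)
```

The Run value alone is the strongest single indicator; the gid/frn markers are useful for confirming that the au.exe entry came from this worm rather than from an unrelated program that happens to use the same file name.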

Method of Distribution
Via E-mail
Bagle spreads via e-mail using its own SMTP engine. It builds a list of target addresses by scanning .wab, .txt, .htm, and .html files on the affected machine. It also uses these harvested addresses to 'spoof' the 'From' address.

While scanning, the worm avoids any addresses containing @hotmail.com, @msn.com, @microsoft, @avp, and .r1u. Presumably, this is done to avoid immediate detection.

The worm mail has the following characteristics:

Subject: ID <random letters>... thanks

Message body:

Yours ID <random letters>>
--
Thank

The attachment uses random letters with an .EXE file extension.
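The subject, body and attachment traits listed above are enough to write a mail-gateway rule for this worm. The following Python script is an added example, not part of the advisory: it parses a raw message with the standard library's email package, reports which of the three traits match, and flags the message when the subject pattern and a letters-only .EXE attachment are both present. The two sample messages are constructed in the script (they are not captured worm mail), and the trailing ">" shown in the advisory's body sample is treated as optional.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Traits taken from the advisory: subject "ID <random letters>... thanks", a body of
# "Yours ID <random letters>", a "--" line and "Thank", and a <random letters>.EXE attachment.
SUBJECT_RE = re.compile(r"^ID [A-Za-z]+\.\.\. thanks$")
BODY_RE = re.compile(r"Yours ID [A-Za-z]+>?\s*\n--\s*\nThank\b")
ATTACHMENT_RE = re.compile(r"^[A-Za-z]+\.exe$", re.IGNORECASE)


def matched_traits(raw_message):
    """Return which of the three Bagle.B mail traits a raw RFC 822 message matches."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    traits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        traits.append("subject")
    text_part = msg.get_body(preferencelist=("plain",))
    if text_part is not None and BODY_RE.search(text_part.get_content()):
        traits.append("body")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            traits.append("attachment")
            break
    return traits


def is_bagle_b_mail(raw_message):
    """Quarantine rule: the worm's subject pattern plus a letters-only .EXE attachment."""
    traits = matched_traits(raw_message)
    return "subject" in traits and "attachment" in traits


def build_sample(subject, body, attachment_name):
    """Construct a test message (sample data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ-placeholder-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


WORM_STYLE = build_sample("ID qwertyu... thanks", "Yours ID qwertyu\n--\nThank", "ghjkl.exe")
BENIGN = build_sample("ID card thanks", "Hi, the report is attached.", "report.pdf")

if __name__ == "__main__":
    print("worm-style:", matched_traits(WORM_STYLE), is_bagle_b_mail(WORM_STYLE))
    print("benign:", matched_traits(BENIGN), is_bagle_b_mail(BENIGN))
```

The body trait is reported but not required by the rule, since mail gateways often see the text part re-encoded; the subject and attachment name survive such handling unchanged. A broader rule that blocks every executable attachment regardless of subject would also stop this worm, at the cost of more false positives.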

Please see below for examples of e-mail generated by the worm:

Payload

Backdoor Functionality
The worm opens port 8866 and waits for incoming connections from a remote user. This gives the controller unauthorized access to the affected machine, including the ability to run an executable of the remote user's choice.

It also attempts to contact particular web sites:

http://www.strato.de/1.php
http://intern.games-ring.de/1.php
http://www.strato.de/2.php

Additional Information
If the worm is executed on 25 February 2004 or later, it simply terminates.

Analysis by Sha-Li Hsieh