News Stay informed about the latest enterprise technology news and product updates.

Bagle-A worm moving quickly

The latest mass-mailing worm carries an expiration date and opens an unassigned port, then waits for further instructions from its author.

You definitely don't want Bagle-A with your coffee this morning.

Bagle is a new mass-mailing worm, and it came on strong on Sunday, prompting antivirus software companies to raise threat alerts. The worm also opens an unassigned port, where it tries to listen for commands from the writer.

Finnish antivirus firm F-Secure Corp. has rated Bagle a level 1 threat, the company's highest rating, because of the worm's pervasiveness. U.K.-based e-mail content-scanning outsourcer MessageLabs Inc. had intercepted nearly 69,000 copies of the worm as of 9 a.m. EST today. McAfee Security and Trend Micro Inc., meanwhile, have Bagle rated as a medium risk. Symantec Corp. rated it a 2, or a low risk. U.K.-based Sophos PLC said it has received hundreds of reports from customers.

The worm is also called "Bagel" and "Beagle." The writer has included the word "beagle" throughout the code, but antivirus researchers have tweaked the name to avoid calling it what the writer presumably named it.

Bagle is such a basic worm in terms of functionality and social engineering that, initially, antivirus researchers expected little from it. Blocking executable files at the gateway, a recommended practice for enterprises, should prevent infection.

"We really thought it was never going to spread because it's so stupid," said Mikko Hypponen, manager of antivirus research for F-Secure. "But people seem to be clicking on it."

Compared to recent attacks, like the Mimail-P worm and the Xombe Trojan, which looked like legitimate messages from PayPal and Microsoft, respectively, Bagle seems downright primitive. Bagle's message uses the subject line "Hi," and the message contains randomly generated gibberish. A copy of Bagle intercepted by says:

Test =)
Test, yep.

The attached worm in the message looks like the Windows calculator icon. The worm uses a random name for the attached copy, which is probably done to prevent administrators from blocking a specific file name, said Graham Cluley, senior technology consultant at Sophos.

If the attachment is run, the worm verifies that the computer's internal calendar reads a date earlier than Jan. 28, 2004; the program will terminate if it reads a later date. The worm then executes the Windows calculator, calc.exe, as a smokescreen while it copies itself to the Windows system directory as "bbeagle.exe." It also creates a registry key so it will run at startup:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun "d3dupdate.exe" = C:WINNTSystem32bbeagle.exe

Bagle creates these other registry keys as well:

HKEY_CURRENT_USERSoftwareWindows98 "frun"
HKEY_CURRENT_USERSoftwareWindows98 "uid"

The worm then searches the infected system's various files, including the Windows address book, as well as Web pages for e-mail addresses. The worm sends spoofed copies of itself to those addresses using its SMTP engine.

The one different thing Bagle tries is listening on TCP port 6777, presumably so it can take commands from the worm writer, experts said. But it appears a bug in the worm is preventing this functionality from working, Hypponen said. The worm may be from Germany or Russia -- it tries to connect to a series of Web sites based in those countries.

Users can check the Windows system directory to determine whether they've been infected. Removing the worm manually is just a matter of killing "bbeagle.exe" in the Task Manager. The registry keys created by the worm also need to be removed.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.