Bagle.B is a mass-mailing email worm that spoofs the email's From address. Doing so can result in a large number of erroneous alert messages from various antivirus vendors. These alerts not only contribute to the overall worm traffic, but sometimes can contain actual copies of the infected email and attachment. Users who receive these alerts are at risk of infection should they open the attachment to determine what email was allegedly blocked. The act of spoofing the From address can also cause perfectly innocent people to be accused of sending the worm. Ironically, the one person least likely to be infected is the person whose name appears in the From field.
Bagle.B harvests email addresses from .HTM, .HTML, .TXT, and .WAB files found on the system and uses these addresses to send itself to others - one of which will end up being used as the spoofed From address. The email worm will not send itself to the following domains: Hotmail, MSN, Microsoft, or AVP.
The email message composed by Bagle.B appears as follows:
From: <spoofed address>
Subject: ID <random string of characters>... thanks
Body:
Yours ID <random string of characters>
--
Thank
The attachment is a randomly named EXE file and is 11,264 bytes in size. It has an icon representing an audio file. If executed, the worm will first launch the Windows "Sound Recorder" application, presumably to mask its infection intent.
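A mail-gateway check for the message shape described above, written as an added example (not code from the original article): it parses a raw message with Python's standard email library and reports which of the documented indicators are present: the "ID <random>... thanks" subject, the "Yours ID / -- / Thank" body, and an .exe attachment of exactly 11,264 bytes. The sample messages are constructed here; the attachment payload is zero-filled padding, not worm code. The From header is deliberately never used as evidence, because the worm spoofs it.

```python
import base64
import email
import re
from email import policy

# Indicators taken from the write-up.
SUBJECT_RE = re.compile(r"^ID\s+\S+\.\.\.\s+thanks$")
BODY_RE = re.compile(r"Yours ID\s+\S+.*?--\s*Thank", re.DOTALL)
ATTACHMENT_SIZE = 11264  # documented size of the worm's EXE attachment

# Constructed sample shaped like the worm's message (payload is padding).
SAMPLE_MSG = (
    "From: alice@example.invalid\r\n"          # spoofed in the real worm
    "To: bob@example.invalid\r\n"
    "Subject: ID abc123... thanks\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"XX\"\r\n"
    "\r\n"
    "--XX\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Yours ID abc123\r\n--\r\nThank\r\n"
    "--XX\r\n"
    "Content-Type: application/octet-stream; name=\"qwe.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Disposition: attachment; filename=\"qwe.exe\"\r\n"
    "\r\n"
    + base64.encodebytes(b"\x00" * ATTACHMENT_SIZE).decode()
    + "--XX--\r\n"
)

# Constructed benign message for comparison.
BENIGN_MSG = (
    "From: carol@example.invalid\r\n"
    "To: bob@example.invalid\r\n"
    "Subject: Meeting notes\r\n"
    "\r\n"
    "See you Tuesday.\r\n"
)


def bagle_b_indicators(raw):
    """Return the list of Bagle.B indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []

    subject = str(msg.get("Subject", "")).strip()
    if SUBJECT_RE.match(subject):
        hits.append("subject pattern")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_RE.search(body.get_content()):
        hits.append("body pattern")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".exe") and len(payload) == ATTACHMENT_SIZE:
            hits.append(f"exe attachment of {ATTACHMENT_SIZE} bytes ({name})")

    return hits


def is_likely_bagle_b(raw):
    """Require at least two independent indicators before quarantining."""
    return len(bagle_b_indicators(raw)) >= 2


if __name__ == "__main__":
    for label, m in (("sample", SAMPLE_MSG), ("benign", BENIGN_MSG)):
        print(label, is_likely_bagle_b(m), bagle_b_indicators(m))
```

Requiring two indicators keeps a lone 11,264-byte executable from being quarantined on size alone, and because the decision never consults the From header, the gateway also has no reason to bounce a notification back to the spoofed sender.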
Bagle.B drops a copy of itself to the Windows\System folder as AU.EXE. To launch whenever Windows is restarted, the worm modifies the registry as follows:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
au.exe = C:\Windows\System\au.exe
(Where C:\Windows\System\ signifies the location of the user's Windows System directory; the actual folder names may vary as a result.)
The worm also makes two additional registry additions:
HKEY_CURRENT_USER\Software\Windows2000\gid
HKEY_CURRENT_USER\Software\Windows2000\frn
Once a system is infected, Bagle.B opens a backdoor that listens on TCP port 8866 for remote connections, and it sends an HTTP GET request to a remote server, presumably to notify the worm's author. The following domains are involved, and blocking them is recommended:
http://www.47df.de
http://www.strato.de
http://intern.games-ring.de
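The host-side indicators above (the Run value, the two extra registry keys, the listening port and the contacted domains) can be checked from artifacts collected off a suspect machine. The following is an added example, not code from the original article: it reads a registry export as produced by regedit, a netstat listing, and a list of hostnames taken from a proxy log, and reports which Bagle.B indicators appear. All three inputs here are constructed samples; the registry values under Windows2000 are placeholders because the article does not give their contents, and the code checks "gid" and "frn" both as value names and as subkey names since the write-up lists them only as paths.

```python
import re

# Indicators from the write-up.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "au.exe"
MARKER_PATHS = {
    r"HKEY_CURRENT_USER\Software\Windows2000\gid".lower(),
    r"HKEY_CURRENT_USER\Software\Windows2000\frn".lower(),
}
BACKDOOR_PORT = 8866
CONTACT_HOSTS = {"www.47df.de", "www.strato.de", "intern.games-ring.de"}

# Constructed registry export in regedit's .reg format (values are placeholders).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"au.exe"="C:\\Windows\\System\\au.exe"
"Sidebar"="C:\\Program Files\\Sidebar\\sidebar.exe"

[HKEY_CURRENT_USER\Software\Windows2000]
"gid"="<placeholder>"
"frn"="<placeholder>"
"""

# Constructed "netstat -an" output from an infected host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8866           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED
"""

# Constructed list of hostnames pulled from a proxy log for the same host.
SAMPLE_PROXY_HOSTS = ["www.example.com", "www.strato.de", "update.example.net"]


def parse_reg_export(text):
    """Yield (path, value) for every key and named value in a .reg export.

    Keys yield (key_path, None); values yield (key_path\\name, value_string).
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None
        elif key and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            yield key + "\\" + name, value.strip('"')


def registry_findings(reg_text):
    """Report the autostart entry and the worm's marker keys/values."""
    autostart = (RUN_KEY + "\\" + RUN_VALUE).lower()
    findings = []
    for path, value in parse_reg_export(reg_text):
        lower = path.lower()
        if lower == autostart:
            findings.append(f"autostart value {path} = {value}")
        elif lower in MARKER_PATHS:
            findings.append(f"worm marker {path}")
    return findings


LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.MULTILINE)


def listening_ports(netstat_text):
    """Set of local TCP ports in LISTENING state from netstat output."""
    return {int(p) for p in LISTEN_RE.findall(netstat_text)}


def network_findings(netstat_text, proxy_hosts):
    """Report the backdoor port and any contact with the documented domains."""
    findings = []
    if BACKDOOR_PORT in listening_ports(netstat_text):
        findings.append(f"TCP {BACKDOOR_PORT} listening (Bagle.B backdoor)")
    for host in proxy_hosts:
        if host.lower() in CONTACT_HOSTS:
            findings.append(f"outbound HTTP to {host}")
    return findings


if __name__ == "__main__":
    for f in registry_findings(SAMPLE_REG) + network_findings(SAMPLE_NETSTAT, SAMPLE_PROXY_HOSTS):
        print(f)
```

A listener on 8866 is the finding to act on first: the article notes that the backdoor may have let other malware onto the system, so a positive match here means a full antivirus sweep rather than just deleting AU.EXE and the Run value.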
Removing the worm
Because Bagle.B sets up a backdoor on infected systems, other malware may have been introduced to the system. If you suspect a Bagle.B infection, use updated antivirus software to detect and remove any threats found. Employ a personal firewall, such as the free and highly recommended ZoneAlarm, to protect against unwanted traffic to and from your system.
The Bagle.B worm is programmed to stop spreading on February 25, 2004.