Bagle.J worm
Virus description

By , About.com Guide

Mar 3 2004
Bagle.J is a mass-mailing email and P2P file-sharing worm. Via email, Bagle.J may arrive as a password-protected ZIP attachment (the password is contained in the body of the email message) or as an EXE or PIF attachment. Bagle.J includes a backdoor component that opens and listens on TCP port 2745 and sends notice to its author.

As with previous Bagle variants, Bagle.J spoofs the From address. It also sometimes borrows from the Sobig family, using the address admin@internet.com as the header From and Reply-To, while the envelope From is an address found somewhere on the infected system.

Discovered on March 2, 2004, Bagle.J is one of several worms engaged in something of a cyber-snit. Apparently angered over the success of Netsky.B, Netsky.C, and Netsky.D which remove registry edits made by other worms such as MyDoom.A, MyDoom.B, and certain Mimail variants, the Bagle.J worm includes an angry text string aimed at the Netsky worm author: "Hey, NetSky, f*ck off you b*tch, don't ruine our bussiness, wanna start a war ?"

As part of its infection routine, the Bagle.J worm drops a copy of itself named IRUN4.EXE to the Windows System folder and registers this copy via the system registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"ssate.exe" = C:\WINNT\SYSTEM32\irun4.exe

This allows the worm to launch each time Windows is started.

The Bagle.J worm uses clever social engineering to entice recipients into opening the infected attachment. The worm composes its email from various criteria, all designed to make it appear to be a legitimate security warning from the recipient's domain administrators. An example of one of the Bagle.J email messages follows:

    Dear user of "%domain%" mailing system,

    Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.

    For details see the attached file.

    The Management,

         The %domain% team               http://www.%domain%

In the above example, %domain% will be whatever the recipient's domain actually is, possibly lending credence to the message and resulting in a higher open rate than might otherwise be expected with an email worm.
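The spoofed admin@internet.com From/Reply-To headers and the "mailing system" lure described above can be turned into a simple mail-triage check. The following is an added example written for this page, not code from the original article; the sample message, the indicator names and the regular expressions are constructed assumptions.

```python
import email
import re
from email import policy

# Indicators taken from the Bagle.J description: spoofed admin@internet.com
# From/Reply-To, the fake "mailing system" security warning, and a ZIP/EXE/PIF
# attachment (the ZIP password is quoted in the body).
SPOOFED_SENDER = "admin@internet.com"
LURE_RE = re.compile(r"Dear user of .+? mailing system", re.I)
PASSWORD_RE = re.compile(r"\bpassword\b", re.I)
RISKY_EXT = (".zip", ".exe", ".pif")

def bagle_j_indicators(raw_message: str) -> list[str]:
    """Return the Bagle.J-style indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for hdr in ("From", "Reply-To"):
        if SPOOFED_SENDER in (msg.get(hdr) or "").lower():
            hits.append(f"{hdr.lower()}-is-{SPOOFED_SENDER}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if LURE_RE.search(body):
        hits.append("mailing-system-lure")
    for part in msg.iter_attachments():  # only multipart messages yield parts
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hits.append(f"risky-attachment:{name}")
            if name.endswith(".zip") and PASSWORD_RE.search(body):
                hits.append("zip-password-in-body")
    return hits

# Constructed sample mimicking the lure quoted above (not a real capture).
SAMPLE = """From: admin@internet.com
Reply-To: admin@internet.com
To: user@example.org
Subject: Warning about your e-mail account.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear user of "example.org" mailing system,

For details see the attached file. Password: 12345

The example.org team
--XYZ
Content-Type: application/zip; name="Information.zip"
Content-Disposition: attachment; filename="Information.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""
```

Running `bagle_j_indicators(SAMPLE)` reports all five indicators; a plain message with no spoofed headers, lure text or attachment returns an empty list.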

As with previous Bagle variants, Bagle.J attempts to shut down the processes of various antivirus and security software found running on infected systems.

After 25 April 2004, the worm simply exits and no longer spreads.
