- Test =)
Test, yep
The email carries a randomly named attachment with a .EXE extension. If the attachment is opened, it infects the recipient's system, launches the innocuous calc.exe (Calculator) program, and modifies the registry to remain active after a reboot. Bagle searches .wab, .txt, .htm, and .html files found on the infected system to harvest email addresses to which it then sends itself. Bagle uses its own SMTP engine to send the email, so copies of the infected mail will not appear in the mail client's Sent Items folder.
The Bagle worm also attempts to download and execute the Mitglieder (a.k.a. Lohav) Trojan, which acts as a proxy and attempts to download further files from the Internet.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe
and
HKEY_CURRENT_USER\Software\Windows98 "frun"
HKEY_CURRENT_USER\Software\Windows98 "uid"
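
A defender-side check for the registry entries listed above, as an added example that is not part of the original write-up: it scans the decoded text of a `reg export` of HKEY_CURRENT_USER for those values. The function names and the sample export are constructed for illustration, and flagging a Run entry on the `bbeagle.exe` file name alone (to cover a different system directory or value name) is an assumption.

```python
import re

# Indicators taken from the page; keys and value names compare case-insensitively.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
INDICATORS = {(RUN_KEY.lower(), "d3dupdate.exe"),
              (MARKER_KEY.lower(), "frun"), (MARKER_KEY.lower(), "uid")}
PAYLOAD_NAME = "bbeagle.exe"  # file name from the page's Run entry
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in .reg export syntax (real exports are UTF-16; decode first).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"d3dupdate.exe"="C:\\WINNT\\System32\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"frun"=dword:00000001
"uid"="constructed-value"
'''

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for each named value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])  # string value; other types stay raw
            yield key, unescape(m.group(1)), data

def find_bagle_traces(text):
    """Return the exported values that match the page's registry indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        renamed = k == RUN_KEY.lower() and data.lower().endswith("\\" + PAYLOAD_NAME)
        if (k, name.lower()) in INDICATORS or renamed:
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_bagle_traces(SAMPLE):
        print(f"{key} :: {name} = {data}")
```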

