
Bagle.BE email worm

By Mary Landesman, About.com

Mar 1 2005
Discovered on March 1, 2005 in conjunction with several mass-spammed Bagle-like Trojans, Bagle.BE arrives in an email with a blank subject line, a message body that reads either 'price' or 'new price' and an attachment named one of the following: 'price.zip', 'price2.zip', 'price_new.zip', 'price_08.zip', '08_price.zip', 'newprice.zip', 'new_price.zip', or 'new__price.zip'.

Bagle.BE attempts to delete Registry keys related to various security software. The Bagle.BE worm drops windlhhl.exe to the Windows System folder and creates the following Registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ru1n

The Bagle.BE email worm then modifies the newly created HKCU..\Ru1n key to point to the dropped windlhhl.exe file.

The Bagle.BE email worm opens a backdoor on port 80, and attempts to download a file from a remote website. The Bagle.BE email worm then attempts to mass-mail the Bagle Trojan identified by Sophos as Troj/BagleDl-L and by Symantec as Trojan.Tooso.B.

The Bagle.BE email worm may be identified by F-Secure as Bagle.BE, by Symantec as W32/Beagle.BG, and by Trend Micro as WORM_BAGLE.BE.

Avoidance/Prevention
To avoid infection, do not open email attachments received unexpectedly, regardless of the source. Most modern email threats spoof the From sender, so a worm or Trojan email will most likely appear to be from someone you know and trust.
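Because the From address cannot be trusted, a mail filter has to key on the message itself. The following is an added example, not part of the original article: it checks a raw email for the three traits described above (blank subject, body of 'price' or 'new price', and one of the listed attachment names). The function names, the rule that all three traits must match, and the sample messages are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the worm description on this page.
ATTACHMENT_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
BODY_TEXTS = {"price", "new price"}


def bagle_be_indicators(raw_bytes):
    """Return the Bagle.BE message traits matched by a raw email."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if not (msg["Subject"] or "").strip():
        hits.append("blank-subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODY_TEXTS:
        hits.append("body-text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENT_NAMES:
            hits.append("attachment:" + name)
    return hits


def is_suspect(raw_bytes):
    """Assumed policy: flag only when all three traits co-occur."""
    hits = bagle_be_indicators(raw_bytes)
    return ("blank-subject" in hits and "body-text" in hits
            and any(h.startswith("attachment:") for h in hits))


def build_sample(subject, body, filename):
    """Constructed test message, not a captured sample; attachment is dummy bytes."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    if subject:
        m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"dummy", maintype="application", subtype="zip",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(bagle_be_indicators(build_sample("", "new price", "price_08.zip")))
    print(is_suspect(build_sample("Q3 quote", "See attached.", "price.zip")))
```

Requiring all three traits keeps an ordinary message that happens to carry a file called price.zip from being flagged on the filename alone.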

See also: Troj/BagleDl-L description


©2009 About.com, a part of The New York Times Company.

All rights reserved.