New Bagle worm spreading rapidly

Aliases: W32.Beagle.B@mm, W32/Bagle.b@MM, Win32.Bagle.B, Bagle.B, W32/Tanx-A
Risk: High

F-Secure is warning computer users about the Bagle.B email worm, which is a new variant of Bagle.A. Bagle.A (also known as Beagle) is a Windows email worm that was first discovered on January 17th, 2004, and became globally widespread in just 24 hours.

From a technical point of view Bagle.B is quite simple. However, it is spreading rapidly, most likely because of its rather innocent-looking mail message, which seems like it would contain an audio file. Another reason for the rapid replication is that the worm was initially mailed to a large number of users in the same way as spam messages. Bagle.B was therefore raised to Radar Level 1 alert, which is the highest alert level. This is already the 3rd Radar Level 1 alert in a month, the two previous ones being Bagle.A and Mydoom.A.

The Bagle.B worm contains a backdoor that listens on TCP port 8866. Through this backdoor the worm author can connect to infected machines and execute arbitrary programs on them.

"At this moment it is hard to estimate how much damage this worm will cause", says Mikael Albrecht, the Product Manager at F-Secure. "The backdoor that the worm contains can be very dangerous. It enables the virus author to inject malicious code at a later time. This kind of technique can for example be used to plant spam-relay agents in infected computers", he continues.

Bagle.B spreads via email messages, but unlike the messages sent by its predecessor, these emails have random subjects and attachment names. The mail containing Bagle.B looks like this:

Subject: ID <random characters>... thanks
Body: Yours ID <random characters> -- Thank
Attachment: <random characters>.exe

To fool the user, the worm executable has an icon representing an audio file. When the user clicks on this EXE attachment, the worm will spread further. After this the worm runs the Windows Sound Recorder application.
The worm will collect email addresses aggressively from files in the infected computer. It will search through text and HTML files as well as the address book, and send a copy of itself to each address, except to addresses in domains belonging to Microsoft, MSN, Hotmail and AVP.

The worm is programmed to expire on February 25th, 2004. After this date the worm will stop spreading. This is based on the local system date of the infected machine, so the worm will continue to propagate from machines that have their date set wrong. This feature is similar to the one seen in the Sobig virus family. Sobig authors used the expiration date to remove outdated versions from the market in order to release new and improved versions of the worm.

A detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/bagle_b.shtml

F-Secure Anti-Virus can detect and remove the Bagle.B worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com. F-Secure has also released a free disinfection tool, which can be used to remove Bagle.B from infected systems.

Bagle Removers

Bagle is a mass-mailing worm that was found on 18th of January, 2004. The worm sends messages with the subject 'Hi' and random EXE attachment names. It has been programmed to stop spreading on 28th of January.
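The advisory gives two things a mail gateway or a host check can key on: the lure layout (subject "ID <random characters>... thanks", body "Yours ID <random characters> -- Thank", an "<random characters>.exe" attachment) and the backdoor listening on TCP port 8866. The script below is an added example, not F-Secure's tool and not code from the post's author: it parses constructed sample messages with Python's standard email library and reports which of the described indicators each one carries, and it scans constructed Windows "netstat -ano"-style lines for a process listening on TCP/8866. The regular expressions are my reading of the patterns quoted in the advisory, the netstat column layout (proto, local address, foreign address, state, PID) is an assumption, and every sample message and netstat line is constructed for the demonstration rather than captured from an infection.

```python
"""Detection helpers for the Bagle.B indicators quoted in the advisory.

Added example, not F-Secure's or the list author's code. Mail layout and the
TCP/8866 listener come from the advisory text; all samples are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lure as described: "ID <random characters>... thanks"
SUBJECT_RE = re.compile(r"^ID\s+\S+\.\.\.\s*thanks$", re.IGNORECASE)
# Body lure as described: "Yours ID <random characters> -- Thank"
BODY_RE = re.compile(r"\bYours ID\s+\S+\s+--\s+Thank\b", re.IGNORECASE)
BACKDOOR_PORT = 8866  # backdoor port named in the advisory


def classify_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report which Bagle.B indicators it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    exe_names = []
    body_text = ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(".exe"):
            exe_names.append(filename)
        elif part.get_content_type() == "text/plain" and filename is None:
            body_text += part.get_content()
    indicators = {
        "subject_pattern": bool(SUBJECT_RE.match(subject.strip())),
        "body_pattern": bool(BODY_RE.search(body_text)),
        "exe_attachment": bool(exe_names),
    }
    if indicators["exe_attachment"] and (
        indicators["subject_pattern"] or indicators["body_pattern"]
    ):
        verdict = "bagle_b_lure"           # lure text plus executable: quarantine
    elif indicators["exe_attachment"]:
        verdict = "executable_attachment"  # no lure text, still worth blocking
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators, "attachments": exe_names}


def backdoor_listener_pids(netstat_lines) -> list:
    """Return PIDs from 'netstat -ano'-style lines that listen on TCP/8866.

    Assumed column layout: proto, local address, foreign address, state, PID.
    """
    pids = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0].upper() != "TCP":
            continue
        local_addr, state, pid = fields[1], fields[3], fields[4]
        if state.upper() == "LISTENING" and local_addr.rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
            pids.append(int(pid))
    return pids


def build_sample(subject: str, body: str, attachment_name: str = None) -> bytes:
    """Construct a test message; the attachment payload is an inert placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the described lure, one benign, one
# with an executable but none of the lure text.
LURE = build_sample("ID q8zx1... thanks", "Yours ID q8zx1 -- Thank", "kd7f2.exe")
BENIGN = build_sample("Meeting notes", "See you at 10.")
EXE_ONLY = build_sample("Setup", "Installer attached.", "setup.exe")

# Constructed netstat output; PID 1532 stands in for a hypothetical infected process.
NETSTAT_SAMPLE = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812",
    "  TCP    0.0.0.0:8866           0.0.0.0:0              LISTENING       1532",
    "  TCP    192.0.2.10:1042        192.0.2.20:25          ESTABLISHED     1532",
]

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN), ("exe_only", EXE_ONLY)):
        print(name, classify_message(raw))
    print("PIDs listening on TCP/%d:" % BACKDOOR_PORT, backdoor_listener_pids(NETSTAT_SAMPLE))
```

The message check deliberately returns a separate verdict for an executable attachment without the lure text: the advisory notes that subjects and attachment names are random, so a gateway rule that blocks EXE attachments outright catches variants whose wording drifts, while the lure regexes only add confidence for this specific family. The port check is a cheap host-side triage step; a matching PID is a reason to pull the process image for a scanner, not proof of infection on its own.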
The Bagle removal tool can be downloaded in a ZIP file from:
http://www.f-secure.com/tools/f-bagle.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

The unpacked version is available from:
http://www.f-secure.com/tools/f-bagle.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe
http://www.f-secure.com/tools/f-bagle.txt
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

_________________________
from information provided by F-Secure

For more information:

Kaspersky Labs (I-Worm.Bagle.b):
http://www.viruslist.com/eng/viruslist.html?id=984012

McAfee (W32/Bagle.b@MM):
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101030
Online scan for W32/Bagle.b@MM:
http://us.mcafee.com/root/mfs/default.asp

Panda (Bagle.B worm):
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?
Panda Software has released its PQremove utility, which detects and eliminates the Bagle.B worm from infected computers. This application also restores any changes this worm has made to the system configuration. This tool can be downloaded free of charge from http://www.pandasoftware.com/download/utilities.

Symantec (W32.Beagle.B@mm):
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.b@xxxxxxx

Trend Micro (WORM_BAGLE.B):
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.B
Remover: http://www.trendmicro.com/download/dcs.asp

____________________________________________________________
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page http://www3.telus.net/mikebike
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index