[24hoursupport] Alert; Win32.Bagle.B / Bagle.B

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: 24hoursupport@xxxxxxxxxxxxx
  • Date: Tue, 17 Feb 2004 16:21:45 -0800


New Bagle worm spreading rapidly
W32.Beagle.B@mm, W32/Bagle.b@MM, Win32.Bagle.B, Bagle.B, W32/Tanx-A 

Risk: High

F-Secure is warning computer users about the Bagle.B email worm, which is a
new variant of Bagle.A. Bagle.A (also known as Beagle) is a Windows email
worm that was first discovered on January 17th, 2004, and became globally
widespread in just 24 hours. From a technical point of view Bagle.B is quite
simple. However, it is spreading rapidly most likely because of its rather
innocent-looking mail message, that seems like it would contain an audio
file. Another reason for the rapid replication is that the worm was
mailed to a large number of users in the same way as spam messages. 
Bagle.B was therefore raised to Radar level 1 alert, which is the highest
level. This is already the 3rd Radar Level 1 alert in a month, the two
previous ones being Bagle.A and Mydoom.A.

The Bagle.B worm contains a backdoor that listens on TCP port 8866. Through
this backdoor the worm author can connect to infected machines and execute
arbitrary programs on them. 

"At this moment it is hard to estimate how much damage this worm will
says Mikael Albrecht, the Product Manager at F-Secure. "The backdoor that
worm contains can be very dangerous. It enables the virus author to inject
malicious code at a later time. This kind of technique can for example be
used to plant spam-rely agents in infected computers", he continues. 

Bagle.B spreads via email messages, but unlike the messages sent by its
predecessor, these emails have random subjects and attachment names. The
containing Bagle.B looks like this:

ID <random characters>... thanks

Yours ID <random characters>

<random characters>.exe

To fool the user the worm executable has an icon representing an audio file.
When the user clicks on this EXE attachment, the worm will spread further.
After this the worm runs the Windows Sound Recorder application. 

The worm will collect email addresses aggressively from files in the
computer. It will search through text- and HTML-files as well as the address
book, and send a copy of itself to each address - except to addresses in
domains belonging to Microsoft, MSN, Hotmail and AVP.
The worm is programmed to expire on February 25th, 2004. After this date the
worm will stop spreading. This is based on the local system date of the
infected machine, so the worm will continue to propagate from machines that
have their date set wrong. This feature is similar to the one seen in the
Sobig virus family. Sobig authors used the expiration date to remove
versions from the market in order to release new and improved versions of

Detailed technical description of the worm as well as screenshots are
available in the F-Secure Virus Description Database at

F-Secure Anti-Virus can detect and remove the Bagle.B worm. F-Secure
Anti-Virus can be downloaded from http://www.f-secure.com. F-Secure has also
released a free disinfection tool, which can be used to remove Bagle.B from
infected systems.

Bagle Removers
Bagle is a mass-mailing worm that was found on 18th of January, 2004. 
The worm sends messages with the subject 'Hi' and random EXE attachment 
names. It has been programmed to stop spreading on 28th of January.
The Bagle removal tool can be downloaded in a ZIP file from: 


The unpacked version is available from: 

from information provied by F-secure

For more information;
Kaspersky Labs: (I-Worm.Bagle.b)

McAfee; (W32/Bagle.b@MM)
On line Scan for W32/Bagle.b@MM: 

Panda; (Bagle.B worm)
Panda Software has released its PQremove utility which detects 
and eliminates the Bagle.B worm from infected computers. 
This application also restores any changes this worm has made to 
the system configuration. 

This tool can be downloaded free of charge from

Symantec; (W32.Beagle.B@mm )

Trend; ( WORM_BAGLE.B )
Remover; http://www.trendmicro.com/download/dcs.asp


Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
A Technical Support Alliance  and OWTA Charter Member 

For a web-based membership management utility and information on list policies, 
please see http://nibec.com/24hoursupport/

To unsubscribe, send a blank email to 24hoursupport-request@xxxxxxxxxxxxx with 
"unsubscribe" (without quotes) in the subject.

Other related posts:

  • » [24hoursupport] Alert; Win32.Bagle.B / Bagle.B