New Bagle Worm Spreading Rapidly

F-Secure is warning computer users about the Bagle.B email worm, which is a new variant of Bagle.A. Bagle.A (also known as Beagle) is a Windows email worm that was first discovered on January 17th, 2004, and became globally widespread in just 24 hours. From a technical point of view Bagle.B is quite simple. However, it is spreading rapidly most likely because of its rather innocent-looking mail message, that seems like it would contain an audio file. Another reason for the rapid replication is that the worm was initially mailed to a large number of users in the same way as spam messages. Bagle.B was therefore raised to Radar level 1 alert, which is the highest alert level. This is already the 3rd Radar Level 1 alert in a month, the two previous ones being Bagle.A and Mydoom.A.

The Bagle.B worm contains a backdoor that listens on TCP port 8866. Through this backdoor the worm author can connect to infected machines and execute arbitrary programs on them.

“At this moment it is hard to estimate how much damage this worm will cause”, says Mikael Albrecht, the Product Manager at F-Secure. “The backdoor that the worm contains can be very dangerous. It enables the virus author to inject malicious code at a later time. This kind of technique can for example be used to plant spam-rely agents in infected computers”, he continues.

Bagle.B spreads via email messages, but unlike the messages sent by its predecessor, these emails have random subjects and attachment names. The mail containing Bagle.B looks like this:

Subject:
ID … thanks

Body:
Yours ID
—
Thank

Attachment:
.exe

To fool the user the worm executable has an icon representing an audio file. When the user clicks on this EXE attachment, the worm will spread further. After this the worm runs the Windows Sound Recorder application.

The worm will collect email addresses aggressively from files in the infected computer. It will search through text- and HTML-files as well as the address book, and send a copy of itself to each address – except to addresses in domains belonging to Microsoft, MSN, Hotmail and AVP.

The worm is programmed to expire on February 25th, 2004. After this date the worm will stop spreading. This is based on the local system date of the infected machine, so the worm will continue to propagate from machines that have their date set wrong. This feature is similar to the one seen in the Sobig virus family. Sobig authors used the expiration date to remove outdated versions from the market in order to release new and improved versions of the worm.

Detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database at .