Beware of Bagle's Trojan
Published: 26 Jan 2004 12:05 GMT
The Bagle worm is the first seriously widespread virus or worm we've seen in quite a while, and the severity of the infection is increasing. Plus, administrators need to be aware of a backdoor that can be planted by this infection.
Details
Bagle, identified as Beagle by Symantec, is a mass-mailing worm that uses email addresses it locates on Web sites to spread itself. The worm will infect any Windows system later than Windows 3.x (Windows 95, Windows 98, Windows 2000, Windows XP, etc.). Non-Windows operating systems are not vulnerable. Bagle/Beagle's subject line simply says "Hi".
Symantec and other security firms report that this infection is widespread in the wild. Symantec increased the rating on this threat from two to three by 21 January 2004. The worm was initially discovered on 18 January 2004.
W32.Beagle.A@mm, as Symantec has officially labelled it, will not activate on a computer with a system date later than 28 January 2004, so this is a short-term attack, but until that date the worm will activate, make changes to the registry, and attempt to mail itself out to other users.
Even more dangerous, this worm also plants a back door and may be associated with a new Trojan that infects through the opened port.
Do you have a Bagle/Beagle infection?
For most users it's easy to detect an infection because the worm will launch the Windows calculator when it is activated. This is an attempt to disguise the infection, because the original email will often display the attachment as a calculator icon.
Symantec reports that the infection also opens Port 6777 (or possibly an alternate port), opens up the infected system to a remote attack, and notifies a remote Web site that the system is infected.
It's possible that one or more remote sites are responding to this backdoor by installing Trojan.Mitglieder.C on infected systems, because Symantec says that some users have reported finding this Trojan on systems infected by Bagle/Beagle. The Mitglieder Trojan is a new infection first reported on 20 January 2004. The Trojan functions as a mail forwarder, and appears to be designed to allow the attacker to transmit spam through the infected system.
Because of the back door installed by Bagle/Beagle and the possible infection by the Mitglieder Trojan, this should be considered a serious attack on both home and business systems. Virtually any program could be run on the host through the back door installed by the worm, and Mitglieder, if it is associated with the worm, can easily trigger a Denial of Service (DoS) event, as well as open up the system's owner to various legal problems involved with transmitting spam.
These Web sites are in the list of those that Bagle/Beagle attempts to notify when it infects a system:
- www.elrasshop.de
- www.it-msc.de
- www.getyourfree.net
- www.dmdesign.de
- 64.176.228.13
- www.leonzernitsky.com
- 216.98.136.248
- 216.98.134.247
- www.cdromca.com
- www.kunst-in-templin.de
- vipweb.ru
- antol-co.ru
- www.bags-dostavka.mags.ru
- www.5x12.ru
- bose-audio.net
- www.sttngdata.de
- wh9.tu-dresden.de
- www.micronuke.net
- www.stadthagen.org
- www.beasty-cars.de
- www.polohexe.de
- www.bino88.de
- www.grefrathpaenz.de
- www.bhamidy.de
- www.mystic-vws.de
- www.auto-hobby-essen.de
- www.polozicke.de
- www.twr-music.de
- www.sc-erbendorf.de
- www.montania.de
- www.medi-martin.de
- vvcgn.de
- www.ballonfoto.com
- www.marder-gmbh.de
- www.dvd-filme.com
- www.smeangol.com
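Turning the indicators above into a check, as an added example that is not part of the original article: a Python script that scans outbound firewall or proxy log lines for connections to the notification hosts listed above and for any traffic on the backdoor port 6777, then groups hits by the host that looks infected. The log format, the sample log lines, and the function names are constructed for this illustration and are not from any vendor's product or from the worm's own behaviour beyond what the article states.

```python
"""Flag log lines that match Bagle/Beagle notification or backdoor traffic.

Added example, not code from the article. The indicator values (notification
hosts, TCP port 6777) come from the article; the log format and sample lines
below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Notification hosts from the article's list.
BAGLE_NOTIFY_HOSTS = frozenset({
    "www.elrasshop.de", "www.it-msc.de", "www.getyourfree.net", "www.dmdesign.de",
    "64.176.228.13", "www.leonzernitsky.com", "216.98.136.248", "216.98.134.247",
    "www.cdromca.com", "www.kunst-in-templin.de", "vipweb.ru", "antol-co.ru",
    "www.bags-dostavka.mags.ru", "www.5x12.ru", "bose-audio.net", "www.sttngdata.de",
    "wh9.tu-dresden.de", "www.micronuke.net", "www.stadthagen.org", "www.beasty-cars.de",
    "www.polohexe.de", "www.bino88.de", "www.grefrathpaenz.de", "www.bhamidy.de",
    "www.mystic-vws.de", "www.auto-hobby-essen.de", "www.polozicke.de", "www.twr-music.de",
    "www.sc-erbendorf.de", "www.montania.de", "www.medi-martin.de", "vvcgn.de",
    "www.ballonfoto.com", "www.marder-gmbh.de", "www.dvd-filme.com", "www.smeangol.com",
})
# Backdoor port reported by Symantec (the article notes an alternate port is possible).
BAGLE_BACKDOOR_PORT = 6777

# Constructed log format (an assumption, not a real product's format):
#   <timestamp> <src_ip> -> <dst_host_or_ip>:<dst_port> <action>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)

# Constructed sample log: 10.0.5.17 beacons to two listed hosts and then
# receives an inbound connection attempt on the backdoor port.
SAMPLE_LOG = """\
2004-01-22T09:14:03 10.0.5.17 -> www.elrasshop.de:80 ALLOW
2004-01-22T09:14:05 10.0.5.17 -> 216.98.136.248:80 ALLOW
2004-01-22T09:15:11 10.0.5.42 -> www.example.com:80 ALLOW
2004-01-22T09:16:40 198.51.100.9 -> 10.0.5.17:6777 DENY
2004-01-22T09:17:02 10.0.5.42 -> mail.example.com:25 ALLOW
""".splitlines()


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (reason, suspected_host) for a matching line, else None.

    A connection to a listed notification host implicates the source
    address; traffic to port 6777 implicates the destination address,
    because that is where the worm's listener would sit.
    """
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: ignore rather than guess
    dst = m.group("dst").lower()
    port = int(m.group("port"))
    if dst in BAGLE_NOTIFY_HOSTS:
        return ("notify-beacon", m.group("src"))
    if port == BAGLE_BACKDOOR_PORT:
        return ("backdoor-port", dst)
    return None


def suspected_hosts(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Group matches by suspected infected host with the reasons seen."""
    hits: Dict[str, Set[str]] = {}
    for line in lines:
        result = classify(line)
        if result is not None:
            reason, host = result
            hits.setdefault(host, set()).add(reason)
    return hits


if __name__ == "__main__":
    for host, reasons in sorted(suspected_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {', '.join(sorted(reasons))}")
```

A beacon to one of the listed hosts is the stronger signal; a port-6777 hit on its own only means something used that port, and since the article says an alternate port is possible, absence of such a hit does not clear a machine. Treat a host flagged either way as a candidate for the host-level checks the article describes (the calculator launch, the registry changes) and for the vendors' removal steps.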
Fix
Symantec has provided a free removal tool for this infection. Sophos, which also reports this as a widespread worm, has provided these instructions to help remove the infection. Trend Micro, which classifies this worm as widely distributed and having a "high damage potential," also provides detailed instructions on manually removing this infection.
Final word
At the time this article is being published, Bagle/Beagle is still a developing threat so you should check with the various antivirus vendors for the latest information on both Bagle/Beagle and the Mitglieder Trojan spam mailer that may be associated with it.