Bagle.B
Delete E-mails Containing "ID" in the Subject
17 February 2004
About the Virus
The latest worm spreading around the Internet has no fewer than three names:
Bagle.B, Alua, and Tanx-A. We'll go with Bagle.B since, like Bagle (which was
also called "Beagle"... !), this worm arrives in your Inbox as a simple e-mail
message carrying a Trojaned attachment. If you run that attachment, Bagle.B
opens a back door that gives its author control of your computer, and then
mails itself to all your friends and contacts. Early reports suggest Bagle.B
has already spread significantly.
Distinguishing Characteristics
Bagle.B uses a lot of random characters as a half-hearted disguise, but you
can readily spot it, since it repeats certain distinguishing features every
time:
From: [Bagle.B spoofs the From address. It may appear to
come from a friend or contact. If you receive a Bagle.B e-mail, don't blame the
person it says it's from, because it wasn't really them.]
Subject: ID [6 random characters]... thanks
Body:
Yours ID [9 random characters]
--
Thank
Attachment: [7 random characters].EXE
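The three fixed features above (the subject, the body and the attachment name) are enough to filter Bagle.B at the mail gateway before a user ever sees it. The following is an added example, not code from the original alert or from WatchGuard: it parses a raw message with Python's standard email module and reports which of the three indicators it shows. The alert does not say which character set the worm's "random characters" are drawn from, so the patterns assume word characters (letters, digits, underscore); the two sample messages are constructed for illustration.

```python
"""Mail filter for the Bagle.B indicators listed in the alert.

Added example, not from the original alert. Assumption: the "random
characters" are word characters (\\w); the alert does not specify them.
"""
import re
from email import message_from_string
from email.message import Message

# Subject: ID [6 random characters]... thanks
SUBJECT_RE = re.compile(r"^ID \w{6}\.\.\. thanks$")
# Body: Yours ID [9 random characters] / -- / Thank   (CRLF or LF line ends)
BODY_RE = re.compile(r"Yours ID \w{9}\s*\n--\s*\nThank")
# Attachment: [7 random characters].EXE
ATTACHMENT_RE = re.compile(r"^\w{7}\.exe$", re.IGNORECASE)


def _text_body(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "ascii"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def _attachment_names(msg: Message) -> list:
    """Filenames of every part that carries one (the worm's .EXE among them)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def bagle_b_indicators(raw_message: str) -> dict:
    """Return which of the three Bagle.B features the message exhibits."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    return {
        "subject": bool(SUBJECT_RE.match(subject)),
        "body": bool(BODY_RE.search(_text_body(msg))),
        "attachment": any(ATTACHMENT_RE.match(n) for n in _attachment_names(msg)),
    }


def is_bagle_b(raw_message: str) -> bool:
    """Policy: the fixed subject pattern plus either the body or the
    attachment pattern. Requiring two independent indicators keeps a
    legitimate mail whose subject happens to start with "ID " from being
    dropped; loosen it to subject-only if you prefer the alert's advice."""
    hits = bagle_b_indicators(raw_message)
    return hits["subject"] and (hits["body"] or hits["attachment"])


# Constructed sample of a Bagle.B message (random fields made up here).
BAGLE_B_SAMPLE = """\
From: colleague@example.com
To: you@example.com
Subject: ID 7kq2Lp... thanks
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b0undary"

--b0undary
Content-Type: text/plain; charset="us-ascii"

Yours ID q8Zm3v1Ka
--
Thank
--b0undary
Content-Type: application/octet-stream; name="hxqw2lp.exe"
Content-Disposition: attachment; filename="hxqw2lp.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b0undary--
"""

# Constructed benign message: "ID" in the subject, but none of the patterns.
BENIGN_SAMPLE = """\
From: hr@example.com
To: you@example.com
Subject: Your ID card is ready
Content-Type: text/plain; charset="us-ascii"

Your new ID card can be collected at reception.
--
HR
"""

if __name__ == "__main__":
    for name, raw in (("worm", BAGLE_B_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, bagle_b_indicators(raw), "drop" if is_bagle_b(raw) else "keep")
```

Run it as-is to see the worm sample flagged on all three indicators and the benign "ID" mail kept; feed real messages to bagle_b_indicators() from a milter or procmail-style hook to apply it at the gateway.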
If you run the attached executable, Bagle.B starts the Microsoft Sound
Recorder program as a decoy. In the background the worm copies itself to
your Windows system directory and adjusts your registry so that it restarts
whenever your computer does.
Next, Bagle.B gathers e-mail addresses from various files on your PC and sends
itself to those addresses three times, using its own SMTP engine (so it does
not need your mail program).
Finally, Bagle.B installs a back door on your computer that listens on TCP
port 8866. It also sends HTTP GET requests to one of four Web sites (all in
Germany), presumably notifying its author that your computer is ripe for the
picking.
Reminiscent of the Sobig virus, the original Bagle had a cutoff date (12
February) and so does Bagle.B (25 February). In our first Bagle alert, we
assumed the worm's author would release another variant after the cutoff, using
each variant as a test case to further improve his Frankenstein-like creation.
It appears we were right. Watch out for further Bagle variants some time after
25 February.
What you can do
- As always, remind your users never to open unexpected attachments from any
source. Inform them that most modern viruses falsify the "From" field and
appear to come from friends, co-workers and third parties.
- Most major anti-virus vendors already have signatures that detect Bagle.B.
Check with your vendor for the latest update. (Your vendor might call this
virus Alua or Tanx.)
- All WatchGuard firewalls block TCP port 8866 by default. Even if Bagle.B
manages to infect one or more of your computers, its author will not be able
to connect to it from outside your network (unless, for some reason, you have
created a custom service specifically opening port 8866). Note that blocking
inbound port 8866 does not stop an infected machine from mailing out copies
of the worm or from sending its outbound HTTP GET notifications; an infected
host still has to be found and cleaned.
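Because the back door listens on a fixed port, a quick way to find infected machines on the inside of the firewall is to look for anything on your own network that accepts a TCP connection on 8866. The following is an added example, not code from the alert or from WatchGuard: a small threaded scanner with a self-check that opens a throwaway listener on the loopback address. A listener on 8866 is an indicator, not proof; confirm with your anti-virus scanner before rebuilding a machine. The 192.0.2.0/24 range in the usage note is a documentation address block used only as a placeholder.

```python
"""Find hosts that accept TCP connections on the Bagle.B back door port.

Added example, not from the original alert. A connect() that succeeds
is only an indicator of infection; verify with an anti-virus scan.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

BAGLE_B_BACKDOOR_PORT = 8866


def is_listening(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port completes within timeout.
    Refused, timed out and unreachable all count as 'not listening'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_hosts(hosts, port: int = BAGLE_B_BACKDOOR_PORT, workers: int = 32) -> list:
    """Return the subset of hosts that accept a connection on port."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: is_listening(h, port), hosts))
    return [h for h, up in zip(hosts, flags) if up]


def scan_network(cidr: str, port: int = BAGLE_B_BACKDOOR_PORT) -> list:
    """Scan every usable address in a CIDR block, e.g. '192.0.2.0/24'."""
    return scan_hosts((str(ip) for ip in ipaddress.ip_network(cidr).hosts()), port)


def demo_against_local_listener() -> tuple:
    """Self-check that needs no network: open a throwaway listener on
    127.0.0.1 and confirm the scanner flags it, then confirm that a port
    nothing listens on is not flagged. Returns (open_seen, closed_seen)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    srv.listen(5)
    open_port = srv.getsockname()[1]
    try:
        # Obtain a free port number, then release it so nothing listens there.
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        probe.bind(("127.0.0.1", 0))
        closed_port = probe.getsockname()[1]
        probe.close()
        found = scan_hosts(["127.0.0.1"], open_port)
        return (found == ["127.0.0.1"], is_listening("127.0.0.1", closed_port))
    finally:
        srv.close()


if __name__ == "__main__":
    print("self-check (expect (True, False)):", demo_against_local_listener())
    # Real use, inside your own network only, e.g.:
    # print(scan_network("192.0.2.0/24"))
```

Run it unchanged to see the self-check pass, then call scan_network() with one of your own internal ranges; any address it returns deserves a look with an up-to-date anti-virus signature for Bagle.B (Alua/Tanx).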
Date: 08/24/2004