B(e)agle
Beagle Virus Fetches Zombie PCs for Master
19 January 2004
About the Virus
Most anti-virus vendors are calling it Bagle, while Symantec calls it Beagle;
in either case, this extremely simple virus is infecting thousands of PCs.
Technically known as W32/Bagle@MM, the simple yet effective virus was first
discovered on Sunday 18 January. Beagle disguises itself as a short test message
containing an .EXE attachment. Unfortunately, if you run the attachment Beagle
installs a backdoor onto your computer and invites its author to take control.
Then it sends itself to all your friends and contacts. You'd think, by now, most
users wouldn't touch .EXE attachments with a ten-foot cursor. However, according
to anti-virus vendors, Beagle has already spread to 80,000 computers.
Distinguishing Characteristics
You'll easily recognize Beagle since it uses the same Subject and Message
body, and always comes with a randomly-named EXE file attachment:
Subject: Hi
Body:
Test =)
[random sequence of characters]
--
Test, yep.
Attachment: [random sequence of characters].EXE
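The message template above is stable enough to match on at the mail gateway. The following script is an added example written for this page, not code from the original article or any anti-virus vendor: it parses raw RFC 822 messages with Python's standard email library and reports a match only when the fixed Subject, both body markers and exactly one .EXE attachment are all present, so a lone "Hi" subject from a colleague is not quarantined. The two sample messages are constructed for the demonstration; the attachment bytes are a placeholder, not the virus.

```python
"""Flag e-mail messages that match the Beagle/Bagle template.

Indicators taken from the advisory: Subject "Hi", a body that starts with
"Test =)" and ends with "Test, yep.", and a single randomly named .EXE
attachment. Sample messages below are constructed for illustration only.
"""
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Dict, List, Optional

BEAGLE_SUBJECT = "hi"
BEAGLE_BODY_MARKERS = ("test =)", "test, yep.")


def exe_attachments(msg: Message) -> List[str]:
    """Return the filenames of every attachment ending in .exe (case-insensitive)."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".exe"):
            names.append(name)
    return names


def text_body(msg: Message) -> str:
    """Concatenate the text/plain parts that are not themselves attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def beagle_score(raw: str) -> Dict[str, object]:
    """Score one raw message against the Beagle indicators.

    The verdict requires subject, both body markers and exactly one .EXE
    attachment together; each individual hit is also returned so an analyst
    can see which indicator fired on a near miss.
    """
    msg = message_from_string(raw)
    subject_hit = (msg.get("Subject") or "").strip().lower() == BEAGLE_SUBJECT
    body = text_body(msg).lower()
    body_hit = all(marker in body for marker in BEAGLE_BODY_MARKERS)
    exes = exe_attachments(msg)
    return {
        "subject": subject_hit,
        "body": body_hit,
        "exe_attachments": exes,
        "match": subject_hit and body_hit and len(exes) == 1,
    }


def make_message(subject: str, body: str, attachment_name: Optional[str]) -> str:
    """Build a constructed sample message as raw text (demo input only)."""
    msg = MIMEMultipart()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    if attachment_name:
        # Placeholder bytes standing in for the executable; not real malware.
        part = MIMEApplication(b"MZ placeholder", Name=attachment_name)
        part["Content-Disposition"] = f'attachment; filename="{attachment_name}"'
        msg.attach(part)
    return msg.as_string()


# Constructed samples: one following the Beagle template, one ordinary note.
BEAGLE_SAMPLE = make_message("Hi", "Test =)\nkq8z0f1v\n--\nTest, yep.", "jwx4k2.exe")
BENIGN_SAMPLE = make_message("Hi", "Lunch today?", None)

if __name__ == "__main__":
    for label, raw in (("beagle", BEAGLE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, beagle_score(raw))
```

Matching on all three indicators at once is the point: the Subject and body text are trivially spoofable in either direction, but the combination with a lone .EXE attachment is what the advisory describes, and a gateway rule that fires on any single element would generate far more false positives than it catches.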
If you run the attached executable, Beagle starts the Microsoft Windows
calculator program. That might seem harmless, yet in the background Beagle also
copies itself to your default Windows System directory and adds some registry
entries to ensure it can restart after your next reboot. (The name of the file
it inserts, bbeagle.exe, is why we side with the minority in referring to the
virus as "Beagle.")
Next, Beagle gathers e-mail addresses from various files on your PC and sends
itself to those addresses, three times, using its own SMTP engine.
Finally, Beagle installs a back door on your computer that listens on TCP
port 6777. It then notifies its author about your hacked computer by
sending information to one of three dozen Web sites, many of them in Germany.
Beagle tries to invoke a script at these Web sites, but as we wrote this, the
script was not present on the sites -- in other words, the sites aren't
accepting Beagle's information.
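The three host-side traces described above (the bbeagle.exe copy in the System directory, the registry entry that restarts it, and the listener on TCP port 6777) can be checked from saved command output rather than only on the live machine. The script below is an added example for this page, not code from the original article: it parses text captured from `netstat -an` and `reg query` on a Windows host and reports which indicators are present. Both captures are constructed samples; the advisory does not name the registry value the virus creates, so the value name "updater" and the Run key location are assumptions, and a listener on 6777 is treated as a lead to confirm rather than proof on its own.

```python
"""Triage saved Windows command output for the Beagle host indicators.

Indicators from the advisory: a file named bbeagle.exe in the Windows
System directory, a registry entry pointing at it, and a TCP listener on
port 6777. Inputs are constructed samples of `netstat -an` and `reg query`
output; the registry value name and the Run key path are assumptions.
"""
import re
from typing import Dict, List

BEAGLE_PORT = 6777
BEAGLE_FILENAME = "bbeagle.exe"

# "  TCP    0.0.0.0:6777    0.0.0.0:0    LISTENING"  ->  local port 6777
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)
# "    name    REG_SZ    C:\path\to\file.exe"  ->  (name, type, data)
REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")


def listening_ports(netstat_output: str) -> List[int]:
    """Return the local TCP ports in LISTENING state, in the order seen."""
    ports = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            ports.append(int(m.group(2)))
    return ports


def run_entries(reg_output: str) -> Dict[str, str]:
    """Map each value name in a `reg query` listing to its data string."""
    entries = {}
    for line in reg_output.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(3)
    return entries


def triage(netstat_output: str, reg_output: str, system_dir_files: List[str]) -> Dict[str, object]:
    """Check all three indicators and report them individually plus a summary flag."""
    ports = listening_ports(netstat_output)
    suspicious_run = {
        name: data for name, data in run_entries(reg_output).items()
        if BEAGLE_FILENAME in data.lower()
    }
    dropped = [f for f in system_dir_files if f.lower() == BEAGLE_FILENAME]
    findings: Dict[str, object] = {
        "backdoor_listener": BEAGLE_PORT in ports,  # a lead, not proof by itself
        "run_key_entries": suspicious_run,
        "dropped_file": bool(dropped),
    }
    findings["suspect"] = bool(findings["backdoor_listener"] or suspicious_run or dropped)
    return findings


# Constructed capture of `netstat -an` on an affected host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1054        198.51.100.7:25        ESTABLISHED
"""

# Constructed `reg query` listing; the value name "updater" is an assumption.
REG_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    updater    REG_SZ    C:\WINDOWS\system32\bbeagle.exe
"""

# Constructed directory listing of the Windows System directory.
SYSTEM_DIR_SAMPLE = ["kernel32.dll", "calc.exe", "BBEAGLE.EXE"]

if __name__ == "__main__":
    print(triage(NETSTAT_SAMPLE, REG_SAMPLE, SYSTEM_DIR_SAMPLE))
```

Working from captured text keeps the triage reproducible across many hosts: the same captures an administrator collects during an incident can be re-run against updated indicators later, and the per-indicator fields make it clear whether a machine shows the full set of traces or only, say, an unrelated service that happens to use port 6777.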
Like Sobig, Beagle has a cutoff date. The virus will no longer infect victims
on or after January 28, 2004. We'll have to wait and see if Beagle's author has
new tricks in store for us once this first creation expires. To paraphrase the
"tomato/tom-ah-to" song Fred Astaire sang, "They call it Bagle, and we call it
Beagle ... let's call the whole thing off!"
What you can do
- As always, remind your users never to open unexpected attachments from any
  source. Inform them that most modern viruses falsify the "From" field and
  appear to come from friends, co-workers and third parties.
- Most major anti-virus vendors already have signatures that detect B(e)agle.
  Check with your vendor for the latest update.
Date: 08/24/2004