Description:
Similar to the earlier BAGLE variant, WORM_BAGLE.AC, this worm does not directly send itself via email to target recipients as an email attachment. Instead, it makes use of a Trojan downloader component and an HTML script component to propagate.
(Note: Trend Micro detects the Trojan and HTML components as TROJ_BAGLE.AI and HTML_BAGLE.AI, respectively.)
This worm sends an email with a spoofed sender name and the subject Foto. The message body varies, while the attachment is either FOTO.ZIP or FOTOS.ZIP.
It harvests its target recipients from certain files found on a system, but it noticeably avoids sending email to addresses that contain certain strings.
HTML_BAGLE.AI is specifically designed to trigger the execution of the Trojan downloader component. This HTML script exploits a known security vulnerability in the Microsoft Virtual Machine to accomplish its task.
TROJ_BAGLE.AI, on the other hand, downloads WORM_BAGLE.AI from a list of Web sites, saves it as _RE_FILE.EXE in the Windows folder, and executes it. It also creates an autorun registry entry so that the downloader runs at every system startup, which in turn ensures that the worm is executed at every startup as well.
Apart from the email propagation described, this worm also attempts to propagate via network shares by dropping copies of itself in folders that contain the string shar in their names. It assumes that these folders are shared in local networks or in peer-to-peer networks.
Like earlier BAGLE variants, this worm also tries to remove instances of NETSKY worms from the infected system. It does this by creating mutexes that are mostly associated with earlier NETSKY variants.
(Note: Mutexes are mutual-exclusion objects that prevent processes from sharing the same resource. A NETSKY variant that finds its own mutex already created assumes another copy is running and does not start, so this worm creates those mutexes to keep the NETSKY variants from running on infected systems.)
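The following triage helper is an added example and is not code from the description or from Trend Micro. It checks the three artifacts named above (an autorun entry launching _RE_FILE.EXE from the Windows folder, worm copies planted in folders whose names contain "shar", and the Foto / FOTO.ZIP lure) against constructed sample data; the page does not name the registry key, so the Run key is assumed, and the mutex names are not on the page and are not checked.

```python
"""Triage checks for the WORM_BAGLE.AI artifacts described above.
Sample registry values and directory listings are constructed inline so the
logic runs offline; on a live host feed it real Run-key data and listings."""
import re
from pathlib import PureWindowsPath

DROPPED_NAME = "_RE_FILE.EXE"           # downloader saves the worm under this name
SHARE_MARKER = "shar"                   # substring the worm looks for in folder names
LURE_SUBJECT = "foto"                   # subject line used by the spam component
LURE_ATTACHMENTS = {"foto.zip", "fotos.zip"}

def autorun_points_to_dropper(value_data: str, windows_dir: str) -> bool:
    """True if a Run-key value (assumed key; the page does not name it) launches
    _RE_FILE.EXE from the Windows folder itself. Quoted paths and trailing
    arguments are tolerated; a same-named file elsewhere is not flagged."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?(\s|$)', value_data, re.IGNORECASE)
    if not m:
        return False
    exe = PureWindowsPath(m.group(1))
    # PureWindowsPath comparison is case-insensitive and ignores trailing separators
    return exe.name.upper() == DROPPED_NAME and exe.parent == PureWindowsPath(windows_dir)

def share_folder_copies(listing: dict) -> list:
    """Return paths of .exe files sitting in folders whose name contains 'shar',
    the folders this worm treats as local-network or peer-to-peer shares."""
    hits = []
    for folder, files in listing.items():
        if SHARE_MARKER in PureWindowsPath(folder).name.lower():
            hits += [str(PureWindowsPath(folder, f)) for f in files
                     if f.lower().endswith(".exe")]
    return hits

def mail_matches_lure(subject: str, attachment: str) -> bool:
    """Mail-gateway rule for the lure: subject 'Foto' with FOTO.ZIP or FOTOS.ZIP."""
    return subject.strip().lower() == LURE_SUBJECT and attachment.lower() in LURE_ATTACHMENTS

# Constructed sample data (not real host data)
SAMPLE_RUN_VALUES = {
    "updater": r'"C:\WINDOWS\_RE_FILE.EXE"',
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_LISTING = {
    r"C:\Shared Docs": ["notes.txt", "fotos.exe"],
    r"D:\p2p\shared": ["_re_file.exe"],
    r"C:\Users\me\Pictures": ["holiday.jpg"],
}

if __name__ == "__main__":
    for name, data in SAMPLE_RUN_VALUES.items():
        print(name, "->", "SUSPICIOUS" if autorun_points_to_dropper(data, r"C:\WINDOWS") else "ok")
    print("share-folder copies:", share_folder_copies(SAMPLE_LISTING))
```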
Description created: Aug. 31, 2004 12:17:49 PM GMT -0800
Description updated: Aug. 31, 2004 12:21:41 PM GMT -0800