WORM_BAGLE.BE
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Bagle.be (Kaspersky), W32/Bagle.bn@MM (McAfee), W32.Beagle.BH@mm (Symantec), Worm/Bagle.BB.2 (Avira), Mal/Heuri-E (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

As of March 1, 2005 3:43 AM (Pacific Standard Time, GMT -8:00), TrendLabs has declared a Medium Risk Alert to control the spread of this new BAGLE variant that is spreading in New Zealand and Australia.

To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

WORM_BAGLE.BE Behavior Diagram

Malware Overview

WORM_BAGLE.BE attains its full propagation potential by employing another malware, specifically TROJ_BAGLE.BE. This malware tandem is responsible for a vicious worm-Trojan propagation cycle, wherein the worm mass-mails copies of the Trojan. The Trojan, in turn, downloads copies of the worm from a long list of predefined Web sites.

While this method is highly effective, it is not new. Previous BAGLE worm variants, particularly WORM_BAGLE.AC and WORM_BAGLE.AI, have been known to employ Trojan counterparts in order to spread. However, unlike WORM_BAGLE.BE, these variants also utilized HTML script files, which are responsible for executing their Trojan components.

TROJ_BAGLE.BE carries malicious routines apart from those exhibited by WORM_BAGLE.BE. Aside from downloading copies of its worm counterpart, this Trojan terminates several antivirus and security-related processes. It also prevents the user from accessing antivirus Web sites.

WORM_BAGLE.BE gathers target recipients from the contacts found in the Windows Address Book.

It also attempts to download the file EML.EXE into the Windows folder from the following URL:

  • http://<BLOCKED>careers.com/z/sss2.php

This file contains the list of recipients to which the worm sends email.

It attempts to download the file every 100 milliseconds until it succeeds. The contents of this URL, or the email addresses contained in the downloaded file, may change at any given time.

The email message it sends out contains the following details:

Subject: <Blank>

Message body: (any of the following)
• price
• new price

Attachment: (any of the following)
• 08_price.zip
• new__price.zip
• new_price.zip
• newprice.zip
• price_08.zip
• price_new.zip
• price2.zip

Note that the attached file is a .ZIP copy of TROJ_BAGLE.BE. It contains a file named DOC_<decimal number>.EXE.

Since the worm gathers email addresses from the Windows Address Book (WAB), the sender indicated in the From: field may be someone familiar.

Home users and small-to-medium business (SMB) personnel are advised not to open, or better yet, to delete, emails containing any of the mentioned details, unless they are absolutely sure that the email and attachment are from a secure and trusted source.

Administrators of enterprise networks may notice an increase in SMTP (port 25) traffic and can choose to block email with the outlined characteristics. They can also choose to block the download of files associated with this worm. Since this worm uses TCP port 80 for its backdoor routine, administrators can also filter access to this port.
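The email characteristics listed above (blank subject, a body of "price" or "new price", one of the seven .ZIP attachment names, and an inner DOC_<decimal number>.EXE) can be turned into a mail-gateway check. The following Python script is an added example and is not Trend Micro's own tooling; it uses only the indicators given in this description, and the two sample messages it builds (the addresses, the placeholder zip contents and the helper names bagle_be_indicators, should_block and build_sample) are constructed for the demonstration. It blocks only when the attachment name matches and at least one further indicator is present, so a benign message whose name merely resembles the list is not dropped on a single weak signal.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the WORM_BAGLE.BE description.
BODIES = {"price", "new price"}
ATTACHMENT_NAMES = {
    "08_price.zip", "new__price.zip", "new_price.zip", "newprice.zip",
    "price_08.zip", "price_new.zip", "price2.zip",
}
# The .ZIP attachment carries a file named DOC_<decimal number>.EXE.
INNER_EXE = re.compile(r"^DOC_\d+\.EXE$", re.IGNORECASE)


def zip_contains_bagle_exe(data: bytes) -> bool:
    """True if the zip archive lists a member named DOC_<decimal number>.EXE."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(INNER_EXE.match(name) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all; leave it to other filters


def bagle_be_indicators(raw: bytes) -> list:
    """Return the list of indicators matched by one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("blank subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODIES:
        hits.append("body text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_NAMES:
            hits.append("attachment name")
            if zip_contains_bagle_exe(part.get_payload(decode=True)):
                hits.append("zip contains DOC_<n>.EXE")
    return hits


def should_block(raw: bytes) -> bool:
    """Block when the attachment name matches and at least one other indicator is present."""
    hits = bagle_be_indicators(raw)
    return "attachment name" in hits and len(hits) >= 2


def build_sample(subject: str, body: str, attachment_name: str, inner_name: str) -> bytes:
    """Construct a sample message (hypothetical, not a real capture) for exercising the filter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not malware")
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one matching every indicator, one ordinary price list.
SUSPECT = build_sample("", "new price", "price_08.zip", "DOC_1234.EXE")
BENIGN = build_sample("Q1 price list", "Attached is the price list.",
                      "pricelist_q1.zip", "pricelist.xls")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, should_block(raw), bagle_be_indicators(raw))
```

Because the recipient list the worm uses is downloaded and can change at any time, the check keys on the message content rather than on senders or recipients; the From: address is harvested from a victim's address book and is not a useful signal.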

To help identify the email this worm sends, refer to the following screenshot:

Email Sample


For additional information about this threat, see:
Solution
Technical Details

Description created: Mar. 1, 2005 3:46:29 AM GMT -0800
