WORM_BAGLE.BM - Description and solution

TrendLabs Malware Blog

Glossary

TrendWatch

TrendLabs Twitter

WORM_BAGLE.BM

Also known as: CME-477

Overview

Solution

Technical Details

Malware type: Worm

Aliases: W32/Bagle.gen@MM (McAfee), W32.Beagle.BY@mm (Symantec), Worm/Bagle.BQ (Avira), W32/Bagle-BW (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:
Damage potential:		High
Distribution potential:		High

Description:

This worm propagates by mass-mailing copies of itself to email addresses it gathers from an affected system's Windows Address Book (WAB), as well as from files with specific extension names.

The email message that it sends contain the following details:

From: {Spoofed}

Subject: (any of the following)
� Changes..
� Encrypted document
� Fax Message
� Forum notify
� Incoming message
� Notification
� Pass - {Random characters}
� Password - {Random characters}
� Password: {Random characters}
� Protected message
� Re:
� Re: Document
� Re: Hello
� Re: Hi
� Re: Incoming Message
� RE: Incoming Msg
� RE: Message Notify
� Re: Msg reply
� RE: Protected message
� RE: Text message
� Re: Thank you!
� Re: Thanks :)
� Re: Yahoo!
� Site changes
� Update

Message body: (any of the following)
� Archive password: {Image}
� Attach tells everything.
� Attached file is protected with the password for security reasons. Password is {Image}
� Attached file tells everything.
� Check attached file for details.
� Check attached file.
� For security purposes the attached file is password protected. Password -- {Image}
� For security reasons attached file is password protected. The password is {Image}
� Here is the file.
� In order to read the attach you have to use the following password: {Image}
� Message is in attach
� More info is in attach
� Note: Use password {Image} to open archive.
� Password - {Image}
� Password: {Image}
� Pay attention at the attach.
� Please, have a look at the attached file.
� Please, read the document.
� Read the attach.
� See attach.
� See the attached file for details.
� Try this.
� Your document is attached.
� Your file is attached.

Attachment: (any combination of the following file names and extension names)

File name: � Details
� Document
� Info
� Information
� Message
� MoreInfo
� Readme
� Sources
� text_document
� Updates

Extension:
� EXE
� ZIP

It also drops copies of itself in all folders that contain the text string shar. It uses the said routine to make itself available to other machines on a network, banking on the probability that the folder with the text string shar is a network shared folder.

It utilizes social engineering by using file names of legitimate programs or using interesting file names to entice other users to click on its dropped files.

This worm opens and listens to port 9030, where it waits for commands from a remote user. Once connected, it is capable of downloading an updated copy of itself.

It also terminates a number of processes, most of which are related to security and antivirus programs.

For additional information about this threat, see:
Solution
Technical Details

Description created: Aug. 4, 2005 11:06:02 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.