Bagle Windows worm back in action in new spam campaigns

• Bagle, the Windows worm which was first discovered in 2004, was spotted back in action, in new spam campaigns.
• The new variants come in password-protected .zip files, with the password attached in the body of an email message.

Bagle, also known as Beagle, is a mass-mailing computer worm that targets Windows machines. It was first spotted in January 2004 and has now been observed back in action, in new spam campaigns.

The Bagle worm contains a backdoor that eavesdrops on TCP port 6777, which is hardcoded in the worm’s body. The worm provides attackers with remote access to the infected PC and can be used to download and execute other malware from the internet.

Variants of Bagle worm

• The first strain, Bagle.A, which was spotted on January 18, 2004, did not propagate widely and stopped spreading after January 28, 2004.
• The second strain, Bagle.B, which was first spotted on February 17, 2004, was considered more widespread.
• Since then, plenty of Bagle variants have popped up. The variants come in password-protected .zip files, with the password attached in the body of the email message.
• The Bagle.P variant can infect computers without an attachment file in its email. It is available with an ActiveX control that produces and runs a VBScript on the system, which downloads and executes the worm from one of a list of IP addresses.
• The Bagle.DW and the other variants trick victims into believing that they are being accused of being a phisher and that the attachment holding the worm contains alleged proof of their crime.

Modus Operandi

The Bagle worm comes in an email along with a spoofed sender line. The sender of the email has an email address with similar domain name as the recipient. The email contains the words “Hi” as subject and “Test =)” as the message. This is followed by a series of random characters with “Test, yep.” at the end. The attachment contains a string of random letters with an .exe file extension and the icon appears to mimic the Windows calculator.

After implementation, some variants of Bagle check the system date and may not work if the date goes beyond a specific point (2004.01.28 for Beagle.A). If the date on the infected computer appears to be wrong and displays a date before the time the worm is supposed to stop running, it will then run and continue to spread from that infected computer.

The file bbeagle.exe is added to the Windows system folder. This is followed by the launch of the file calc.exe (the Windows Calculator). The worm now adds the value “d3dupdate.exe = (system folder directory)\bbeagle.exe” to the current user’s registry key that makes programs run automatically after the system is launched. It could also add the values “uid = [Random Value]” and “frun = 1” to the registry key HKEY_CURRENT_USER\Software\Windows98.

A listening thread on the TCP port 6777 is developed by the worm. If the attacker sends a specially formatted message to the worm via this port, the worm will permit an arbitrary file to be downloaded to the Windows system folder.

Bagle also develops a thread for notifying websites about the presence of the worm every 10 minutes. This is followed by scanning for email addresses in files with extensions .wab, .txt, .htm, and .html. The worm does not spread to domains such as @microsoft.com, @hotmail.com, @av, .r1, and @msn.com.