Bagle, also known as Beagle, is a mass-mailing computer worm that targets Windows machines. It was first spotted in January 2004 and has now been observed back in action, in new spam campaigns.
The Bagle worm contains a backdoor that listens on TCP port 6777, a port number hardcoded in the worm's body. The backdoor gives attackers remote access to the infected PC and can be used to download and execute other malware from the internet.
The Bagle worm arrives in an email with a spoofed sender line: the sender address uses a domain name similar to the recipient's. The email has "Hi" as its subject and "Test =)" as the message body, followed by a series of random characters and ending with "Test, yep.". The attachment name is a string of random letters with an .exe file extension, and its icon mimics the Windows Calculator.
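The traits listed above are enough to write a mail-gateway triage rule. The following is an added example, not code from the original article: it parses raw RFC 822 messages with the Python standard library and scores each Bagle.A indicator separately (sender domain equal to the recipient's, subject "Hi", body starting with "Test =)" and ending with "Test, yep.", attachment named as random letters plus .exe). Both sample messages, the addresses and the attachment payload are constructed for the example; the threshold of three indicators is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample shaped like a Bagle.A mail (not a real capture).
# The attachment body is base64 of the word "placeholder", not a binary.
BAGLE_LIKE = b"""From: support@example.org
To: alice@example.org
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Test =)
qwoeiruzxcvmnb
Test, yep.
--BOUND
Content-Type: application/octet-stream; name="ykwozpq.exe"
Content-Disposition: attachment; filename="ykwozpq.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--BOUND--
"""

# Constructed benign message for comparison.
BENIGN = b"""From: bob@partner.example.net
To: alice@example.org
Subject: Q3 report
Content-Type: text/plain

Attached as discussed.
"""

# Random letters followed by .exe, as the article describes the attachment name.
RANDOM_EXE = re.compile(r"^[A-Za-z]{3,12}\.exe$")


def bagle_indicators(raw: bytes) -> list[str]:
    """Return the list of Bagle.A traits present in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # Spoofed sender: same domain as the recipient.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rcpt_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    if sender_domain and sender_domain == rcpt_domain:
        hits.append("sender_domain_matches_recipient")

    if msg.get("Subject", "").strip() == "Hi":
        hits.append("subject_hi")

    # Body: "Test =)" then filler, ending in "Test, yep."
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if text.lstrip().startswith("Test =)") and text.rstrip().endswith("Test, yep."):
        hits.append("test_body")

    # Attachment: random letters with an .exe extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if RANDOM_EXE.match(name):
            hits.append(f"random_exe_attachment:{name}")
    return hits


def is_bagle_like(raw: bytes, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` indicators are present (assumed cut-off)."""
    return len(bagle_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("bagle-like", BAGLE_LIKE), ("benign", BENIGN)):
        print(label, bagle_indicators(sample), is_bagle_like(sample))
```

Scoring indicators separately rather than matching the whole template keeps the rule useful against variants that change one field (a different subject, say) while the spoofed sender and random .exe name remain.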
After execution, some variants of Bagle check the system date and will not run if the date is beyond a specific cut-off (2004.01.28 for Beagle.A). If the clock on the infected computer is wrong and shows a date before the point at which the worm is supposed to stop running, the worm runs and continues to spread from that computer.
The worm copies itself as bbeagle.exe into the Windows system folder and then launches calc.exe (the Windows Calculator) as a decoy. It adds the value "d3dupdate.exe = (system folder directory)\bbeagle.exe" to the current user's Run registry key, the key whose entries are started automatically when the user logs on. It may also add the values "uid = [Random Value]" and "frun = 1" under the registry key HKEY_CURRENT_USER\Software\Windows98.
The worm creates a thread that listens on TCP port 6777. If the attacker sends a specially formatted message to this port, the worm downloads an arbitrary file into the Windows system folder.
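The persistence value, the HKEY_CURRENT_USER\Software\Windows98 marker key and the port 6777 listener described in the two paragraphs above are the host-side indicators a responder would check. The following is an added example, not code from the original article: it parses text in the style of `reg query` and `netstat -ano` output and reports which Bagle indicators are present. All three dumps are constructed for the example (the uid value, PIDs and paths are made up), and the output format is assumed to match the usual layout of those two commands.

```python
import re

# Constructed listing in the style of `reg query HKCU\...\Run` (not a real capture).
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    d3dupdate.exe    REG_SZ    C:\WINDOWS\System32\bbeagle.exe
"""

# Constructed listing of the marker key; the uid value is made up.
WIN98_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Windows98
    uid    REG_SZ    48213
    frun    REG_SZ    1
"""

# Constructed `netstat -ano` style output; PIDs and addresses are made up.
NETSTAT_DUMP = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       2244
  TCP    192.168.1.5:49811      93.184.216.34:443      ESTABLISHED     3320
"""

# Indented "name  REG_TYPE  data" lines; the key path line has no indent.
REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
BACKDOOR_PORT = 6777


def parse_reg_values(dump: str) -> dict[str, str]:
    """Map value names (lower-cased) to their data from a reg-query style listing."""
    values = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values


def listening_pids(dump: str, port: int) -> list[int]:
    """Return PIDs of TCP sockets in LISTENING state on the given local port."""
    pids = []
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            if fields[1].rsplit(":", 1)[1] == str(port):
                pids.append(int(fields[4]))
    return pids


def bagle_host_findings(run_values: dict[str, str],
                        win98_values: dict[str, str],
                        netstat: str) -> list[str]:
    """Combine the three indicators into a list of findings."""
    findings = []
    target = run_values.get("d3dupdate.exe", "")
    if target.lower().endswith("\\bbeagle.exe"):
        findings.append(f"run_key_persistence:{target}")
    if "uid" in win98_values and win98_values.get("frun") == "1":
        findings.append("windows98_marker_key")
    for pid in listening_pids(netstat, BACKDOOR_PORT):
        findings.append(f"backdoor_listener_{BACKDOOR_PORT}:pid={pid}")
    return findings


if __name__ == "__main__":
    for finding in bagle_host_findings(parse_reg_values(RUN_KEY_DUMP),
                                       parse_reg_values(WIN98_KEY_DUMP),
                                       NETSTAT_DUMP):
        print(finding)
```

The three checks are deliberately independent: a listener on 6777 without the Run value suggests the worm is running but persistence was removed, and the Run value without a listener suggests the process was killed but will return at next logon. The PID from the netstat check is the handle to pull the process image for confirmation.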
Bagle also creates a thread that notifies websites of the worm's presence every 10 minutes. It then scans for email addresses in files with the extensions .wab, .txt, .htm, and .html. The worm does not send itself to addresses in domains such as @microsoft.com, @hotmail.com, @av, .r1, and @msn.com.