Bagle.a: Prevention and cure
Despite flaws in its programming, a new mass-mailing email worm is spreading across Asia and the Internet. Bagle (Bagle.a@mm) looks like yet another worm designed by spammers, much like Sobig and MiMail. It appears to be building a network of vulnerable computers from which it can later launch anonymous email. When executed, Bagle attempts to email every email address it finds on an infected computer; it will also attempt to download a Trojan horse from a remote site. Bagle appears to be the first of a new family of viruses. Like Sobig, it contains a built-in expiration date; in this case, it's 28 January, 2004. Because Bagle spreads via email and could install a Trojan program, this worm rates a 7/10 on the ZDNet Virus Meter.
How it works
Bagle arrives as an email with the subject line "Hi". It appears to be sent from a random email address. The body text reads "Test =)" followed by random letters. The attached file, too, uses random letters followed by an .exe extension. The attached file may use the Windows calculator icon.
When executed, the worm will collect email addresses from address books, text, and HTML files. The worm will not, however, contact addresses using the following domains:
.r1
@hotmail.com
@msn.com
@microsoft
@avp
After 28 January, 2004, Bagle will not execute.
According to iDefense, Bagle will make the following changes to the system Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run d3update.exe=WINDOWS SYSTEM DIRECTORY\bbeagle.exe
HKU\%SystemInfo%\Software\Microsoft\Windows\CurrentVersion\Run d3update.exe=WINDOWS SYSTEM DIRECTORY\bbeagle.exe
HKCU\Software\Windows98 frun=1 uid=RANDOMIZED VALUE
Bagle also attempts to download a Trojan from a remote site. To do so, it attempts to communicate on port 6777. Desktop firewalls should be able to detect and stop this activity. In theory, this downloaded Trojan would allow the virus author at some future date to update or modify the worm. At this time, however, all the sites Bagle attempts to contact appear to be inactive.
Removal
A few antivirus companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Sophos, Symantec and Trend Micro.