Trend Micro Warns Corporate and
Home Computer Users of Worm_Bagle.B.
Memory resident mass mailer worm classed
as Medium Risk.
Marlow, UK. 18th February 2004 - Trend
Micro (TSE: 4704, NASDAQ: TMIC), a leader in network antivirus and Internet content
security software and services, today warned computer users of a new variant of the Bagle
worm, Worm_Bagle.B. Trend Micro(tm) first received reports of this mass-mailer, memory
resident worm in France. Reports have also been received from Germany, USA and Chile,
leading to the declaration of a medium-risk alert at 14h46 GMT. Since this time, reports
have also been received from Spain and Sweden.
This memory-resident worm propagates by
mass-mailing copies of itself using SMTP (Simple Mail Transfer Protocol), or via port
8866, possibly as a backdoor. (Variant Bagle_A used the well-known IRC port, 6777). 8866
is usually an open port on some firewalls, and has some reference to the 'Ultima Online
messenger service'. Trend Micro is still analysing exactly what the backdoor port accepts
as commands. However, it would be safe to assume it acts similar to previous malware
backdoor profiles, in that it provides the function of retrieving various computer
information, confidential data, downloading and executing and even updating.
The email message it sends out contains
the following details, gathering addresses from infected machines, and spoofing email
addresses. It arrives as an executable (.EXE), and appears as the following:
Subject: ID %random% ... thanks
From: <random letters>@<spoofed
Message body: Yours ID <random>
(Note: %Random% is composed of random
So, despite continuous warnings to
computer users, it would seem that many are still not aware of the dangers of opening such
a file, especially as the icon is an MS-DOS prompt icon.
Once the file is dropped, it disguises
itself as the Windows Sound Recorder icon in the Windows System directory. It will also
attempt to launch the 'real' Windows Sound Recorder application to mask its activities (in
contrast BAGLE.A attempts to launch the Calculator program).
Similar to the .A variant, BAGLE.B
attempts to connect to a list of compromised websites and webboards that serve the page
"1.PHP", the only difference being that it now also checks "2.PHP"
All of the compromised sites appear to be
in Germany (DE). Interestingly, one of the websites that BAGLE.B connects to appears to be
a gaming-ring site (http://intern.games-ring.de), possibly suggesting that the author is
an avid online gamer for Ultima Online.
The worm will not run on systems dated
from 25th February 2004, and is programmed to cease on this date.
Jamz Yanenza, Senior Antivirus
Consultant, Trend Micro says, "BAGLE.A was found on the 18th January and had a
kill-date on the 28th.That is a 10-day attack period. BAGLE.B on the other hand has its
own kill-date set for 25th February. Although the alert was today, about 8-days before
kill-date, this malware took some time to be noticed and was probably also released on the
15th February originally and gained momentum only today. Similar to the numerous SOBIG and
MYDOOM variants, this appears to be common idea for current worm authors. Given the
similar way that these different malware families get delivered it appears that it is a
group effort collaborating with each other on release.
There are many theories on the backdoor
ports, and at this stage it is difficult to determine the exact intention, as a
compromised system can be used to do most anything - from spam relay, data theft, remote
This malware runs on Windows 95, 98, ME,
NT, 2000 and XP. The overall size of the new variant is also smaller than the original:
Worm_Bagle.A (15,872 Bytes) vs. Worm_Bagle.B (11,264 Bytes).
The original variant (Worm_Bagle.A)
caused approx. 31,000 infections according to WTC (Trend Micro's online virus tracking
centre. As of 9:42 am PST (Feb. 17th), we have 8 reported end-user infections. This number
is expected to climb over the next few days.
Trend Micro customers should download
pattern file 767, customers of Outbreak Prevention Services should download OPP 78 to
ensure their systems are protected against this latest threat. Other users should use
Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/
For latest information, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.B
Please Note: Details are correct at time
About Trend Micro
Trend Micro is a leader in network
antivirus and Internet content security software and services. The Tokyo-based corporation
has its European headquarters in Marlow, England, and business units worldwide. Trend
Micro products are sold through corporate, value-added resellers and managed service
providers. For additional information and evaluation copies of all Trend Micro products,
About Trend Micro
Trend Micro, Inc. is a leader in network antivirus and Internet content security
software and services. The Tokyo-based corporation has its North American headquarters in
Cupertino, CA and business units worldwide. Trend Micro products are sold directly, and
are also available through corporate resellers and value-added resellers. For additional
information and evaluation copies of all Trend Micro products, visit www.trendmicro.com or call (800) 228-5651 in North
Return to main menu