How to Stop the Spread of Bagel Virus

Jan. 22, 2004 -- Bagle? What's a Bagle? Baby Boomer New Yorkers may remember the Tastee Cream Cheese commercial of the '70s, but this particular bagle isn't tasty and won't be any better with cream cheese; W32/Bagle-mm is our top threat this week.

Discovered on Jan 18, W32/Bagle-mm is an easy-to-recognize mass-mailing virus that is distributed as an executable e-mail attachment.

As the first important new worm of the New Year, Bagle appears to have originated in Australia and is set to live only until Jan. 28. Despite its short life cycle, it is distributed widely enough that antivirus vendor Panda Software has tagged Bagle an epidemic.

When executed, Bagle will run the Windows Calculator (calc.exe) program, send itself to every e-mail address it can find on the victim's machine, and attempt to connect to a script on a set of pre-defined web sites. According to MessageLabs, Bagle also attempts to download a Trojan proxy component called Backdoor-CBJ.

The e-mail message arrives looking like a test message from someone. The subject is simply "Hi", and the body reads "Test=) [random characters] – Test, yep.".

The attachment is a randomly named EXE file. It carries the Windows Calculator icon and launches Calc.exe when opened, so that the user believes the attachment was nothing more than the calculator.

When a user executes Bagle's attachment, the virus copies itself to the Windows System folder as "bbeagle.exe" and adds the following registry value so that it runs each time the system starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, "d3update.exe" = "%system%\bbeagle.exe"

It also creates two more registry keys:

HKEY_CURRENT_USER\Software\Windows98, "uid" = "[Random Value]"
HKEY_CURRENT_USER\Software\Windows98, "frun" = "1"

Once running, Bagle will attempt to connect with a PHP script on a series of internally hard-coded web sites. The virus also listens on port 6777 for a malicious user to connect. Antivirus vendor McAfee has completed an analysis of Bagle that includes a list of the Web sites the virus attempts to connect with (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965).

The virus also scans .TXT, .HTM, .HTML, and .WAB files on the victim's hard disk looking for e-mail addresses to which it sends copies of itself. Interestingly, it ignores e-mail addresses that contain @hotmail.com, @msn.com, @microsoft, and @.avp, possibly to avoid detection (maybe Microsoft's virus writer bounty has some effect). The "From" address field is spoofed, so the message may appear to come from someone you know.

Fact File

Name: W32/Bagle.A-mm, Bagle, W32/Beagle.A, I-Worm.Bagle, W32.Beagle.A@mm, W32/Bagle-A, W32/Bagle.A@mm, WORM_BAGLE.A
Infection type: Virus/Worm, Windows 32 executable.
Systems Affected: Windows 95/98/Me/NT/2000/2003/XP
Systems not Affected: DOS, Unix, Macintosh, Linux or OS/2
Email subject: Hi
Body of Mail: Test=) [random characters] Test, yep.
File Attachment name: Random filename with .EXE extension
Life cycle: Bagle will not activate after Jan. 28.
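The message traits listed above (the "Hi" subject, the "Test=) ... Test, yep." body and a randomly named .EXE attachment) are enough for a mail-gateway triage rule. The following is an added example, not code from the original article or from any vendor; it parses RFC 822 messages with Python's standard email library and flags a message only when at least two traits coincide, since a bare "Hi" subject is common in legitimate mail. The sample messages are constructed and the "attachment" is inert text.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Traits of the Bagle message as described in the article.
BAGLE_SUBJECT = "hi"
BAGLE_BODY_RE = re.compile(r"Test=\).*Test, yep\.", re.DOTALL)

def bagle_indicators(raw_message: bytes) -> list:
    """Return the Bagle traits found in one RFC 822 message (empty list means none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == BAGLE_SUBJECT:
        hits.append("subject is just 'Hi'")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BAGLE_BODY_RE.search(body.get_content()):
        hits.append("body matches 'Test=) ... Test, yep.'")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".exe"):
            hits.append(f"executable attachment {name}")
    return hits

def is_bagle_like(raw_message: bytes) -> bool:
    """Flag a message when at least two traits coincide; a bare 'Hi' subject is not enough."""
    return len(bagle_indicators(raw_message)) >= 2

def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Constructed test message; the 'attachment' is inert placeholder text, not an executable."""
    m = EmailMessage()
    m["From"] = "friend@example.com"          # spoofed sender, as the article describes
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"inert placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

# Constructed samples: one mimicking the Bagle message, one ordinary note with the same subject.
BAGLE_SAMPLE = build_sample("Hi", "Test=) fjq83kd\n--\nTest, yep.", "xk72pa.exe")
BENIGN_SAMPLE = build_sample("Hi", "Are we still on for lunch tomorrow?")
```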

Removing W32/Bagle-mm

The easiest way to remove W32/Bagle-mm is to run your antivirus (AV) with the latest definition files. Most AV vendors have a new definition file as of Jan 19th.

You can also download a special Bagle removal tool from F-secure (http://www.f-secure.com/v-descs/bagle.shtml), use TrendMicro's Housecall (http://housecall.trendmicro.com/) or McAfee's Stinger (http://vil.nai.com/vil/stinger/).

Manually Removing Bagle

Removing Bagle manually is reasonably simple if you are familiar with editing the Windows Registry. You can use the following steps.

Step 1. Disable System Restore if you're using Windows Me/XP. Windows creates a restore point when you change the system, and a restore point taken while the system is infected can bring the worm back later.

For more information on disabling System Restore in Windows XP: http://support.microsoft.com/default.aspx?kbid=283073
For more information on disabling System Restore in Windows Me: http://support.microsoft.com/default.aspx?kbid=264887

Step 2. Restart the computer in Safe Mode if you're on Windows 9x/Me. In Windows XP/2000, open the Windows Task Manager (Ctrl+Alt+Del) and end the bbeagle.exe process. This is necessary because Windows will not let you delete a file that belongs to a running process, and Bagle keeps its process running.

Step 3. Delete the file bbeagle.exe from your Windows System folder (C:\Windows\System in Windows 9x/Me, C:\Windows\System32 in Windows XP, C:\Winnt\System32 in Windows NT/2000).

Step 4. Make a backup of the registry before you edit.

For more information on how to back up the registry in Windows 95/98/ME: http://support.microsoft.com/default.aspx?scid=kb;en-us;322754
For more information on how to back up the registry in Windows XP/2000/2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;322756

Delete the Run entry associated with Bagle from the registry.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, "d3update.exe" = "%system%\bbeagle.exe"

Find the following registry entries. Note the random value stored in the "uid" entry, then delete both entries listed below. You'll need that random name to go back and remove the file in Step 5:

HKEY_CURRENT_USER\Software\Windows98, "uid" = "[Random Value]"
HKEY_CURRENT_USER\Software\Windows98, "frun" = "1"

Step 5. Delete the randomly named file found in the registry value from the Windows System folder.

Step 6. Re-enable System Restore and reboot the machine.
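The registry part of the procedure above (Steps 4 and 5) can be checked from an offline export before anything is deleted, which also records the random "uid" name needed for Step 5. The following is an added example, not code from the original article: it parses the text that `reg export HKCU` writes and reports the Bagle Run value and the HKEY_CURRENT_USER\Software\Windows98 entries named in the article. The sample export is constructed, and the expanded path to bbeagle.exe in it is an assumption standing in for the article's "%system%".

```python
import re

# Indicators taken from the article: the Run value and the Windows98 key Bagle adds.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="string data"

# Constructed sample in the format 'reg export HKCU' writes; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"d3update.exe"="C:\\WINDOWS\\System32\\bbeagle.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"uid"="k3x9qz"
"frun"="1"
'''

def _unescape(s: str) -> str:
    # .reg files write a backslash as \\ and a double quote as \"
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg_export(text: str) -> dict:
    """Collect the REG_SZ values of a .reg export as {key (lower-cased): {name: data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()        # registry key names are case-insensitive
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def bagle_findings(reg_text: str) -> list:
    """Report the Bagle persistence entries present in an exported HKCU hive; the
    "uid" data is the random file name the article says must also be deleted."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "d3update.exe" or data.lower().endswith("bbeagle.exe"):
            findings.append(f"Run value {name!r} -> {data}")
    marker = keys.get(MARKER_KEY.lower(), {})
    if "uid" in marker:
        findings.append(f"Windows98\\uid = {marker['uid']} (random file name to remove)")
    if "frun" in marker:
        findings.append("Windows98\\frun present")
    return findings
```

An empty result from bagle_findings means none of the article's registry indicators are present in the export.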

Additional Resources

For more information, see your antivirus vendor's site:

Sophos: http://www.sophos.com/virusinfo/analyses/w32baglea.html
McAfee: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965
Symantec: http://www.sarc.com/avcenter/venc/data/w32.beagle.a@mm.html
Panda: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=43789&sind=0
F-Secure: http://www.f-secure.com/v-descs/bagle.shtml
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.A
Kaspersky: http://www.viruslist.com/eng/alert.html?id=783050