How to Stop the Spread of Bagel Virus
Jan. 22 -- Bagle? What's a Bagle? Baby Boomer New Yorkers may remember the Tastee Cream Cheese commercial of the '70s, but this particular bagle isn't tasty and won't be any better with cream cheese; W32/Bagle-mm is our top threat this week.
Discovered on Jan. 18, W32/Bagle-mm is an easy-to-recognize mass-mailing virus that spreads as an executable e-mail attachment.
As the first significant new worm of the year, Bagle appears to have originated in Australia and is programmed to stop spreading after Jan. 28. Despite its short life cycle, it has been distributed widely enough that antivirus vendor Panda Software has tagged Bagle an epidemic.
When executed, Bagle runs the Windows Calculator (calc.exe) program, sends itself to every e-mail address it can find on the victim's machine, and attempts to connect to a script on a set of pre-defined web sites. According to MessageLabs, Bagle also attempts to download a Trojan proxy component called Backdoor-CBJ.
The e-mail message arrives looking like a test message from an acquaintance. The subject is a simple "Hi", and the body reads "Test=) [random characters] – Test, yep.".
The attachment is a randomly named EXE file that carries the Windows Calculator icon; when opened it launches calc.exe to fool the user into thinking that is all they got.
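The three message traits described above (subject "Hi", the "Test=) ... Test, yep." body, and a randomly named .exe attachment) are enough for a simple gateway-side check. The following is an added example, not code from the article or from any antivirus vendor; the sample messages are constructed and the regular expression is an assumption based on the description:

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Body pattern assumed from the article: "Test=) <random> – Test, yep."
# Tolerant of the separator character and surrounding whitespace.
BODY_RE = re.compile(r"^\s*Test=\)\s+\S+\s+\S+\s*Test,\s*yep\.\s*$", re.S)


def bagle_indicators(raw: bytes) -> list:
    """Return the Bagle e-mail indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == "hi":
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_RE.match(body.get_content()):
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            hits.append("exe-attachment")
            break
    return hits


def is_bagle_like(raw: bytes) -> bool:
    """Flag a message only when the EXE attachment is joined by a text indicator."""
    hits = bagle_indicators(raw)
    return "exe-attachment" in hits and len(hits) >= 2


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Constructed test message (not a real capture of the worm)."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


SUSPECT = build_sample("Hi", "Test=) qkzr8fh1 -- Test, yep.", "ydzmb.exe")
BENIGN = build_sample("Hi", "Lunch tomorrow?", "notes.txt")
```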
When a user executes Bagle's attachment, the virus copies itself as "bbeagle.exe" into the Windows System folder and adds the following registry value so that it runs each time the system starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, "d3update.exe" = "%system%\bbeagle.exe"
It also creates two more registry keys:
HKEY_CURRENT_USER\Software\Windows98, "uid" = "[Random Value]"
HKEY_CURRENT_USER\Software\Windows98, "frun" = "1"
Once running, Bagle attempts to connect to a PHP script on a series of hard-coded web sites. The virus also listens on TCP port 6777 for a remote attacker to connect. Antivirus vendor McAfee has published an analysis of Bagle that includes the list of web sites the virus attempts to contact (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965).