CERT-In Incident Note CIIN-2004-01
W32.Beagle.A@mm worm
Original Issue Date: January 20, 2004
Severity : Medium
Type : Worm
Affected System Software:
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows NT 4.0
- Microsoft Windows 9X
- Microsoft Windows ME
- Microsoft Outlook/Express
Overview
The worm propagates via email, constructing outgoing messages with its own SMTP engine. The sender email address is fictitious.
Impact
- Heavy increase in e-mail messages from infected system
- Infected system may act as launch pad for future attacks
Description
The worm, also known as 'Bagle', is an email-borne malicious program that arrives as a specially crafted attachment with a .exe extension. The file name is random. The email messages appear to come from a fictitious address. The worm checks the current system date and terminates if the date is January 28, 2004 or later. It opens and listens on TCP port 6777, allowing remote users to access and manipulate infected systems.
Subject: Hi
Body:
Test =)
(random characters)
--
Test, yep.
Attachment: (random filename) 15,872 bytes, for example: dfghs.exe
- Upon execution, the worm checks the system date; if the date is later than 28th January 2004, it does not execute.
- It adds a copy of itself to the system folder under the file name "bbeagle.exe".
- It then creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
d3dupdate.exe = "%System%\bbeagle.exe"
HKEY_USERS\%SystemInfo%\Software\Microsoft\Windows\CurrentVersion\Run
d3dupdate.exe = "%System%\bbeagle.exe"
- The worm may also create the following registry entries to keep track of its activities:
HKEY_USERS\%SystemInfo%\Software\Windows98 Uid = <Numeric Value>
HKEY_USERS\%SystemInfo%\Software\Windows98 Frun = %SystemInfo%
- Upon execution, the worm launches calc.exe (the Windows Calculator) and continues to run in the background. The icon of the worm's executable is as shown below.

If the user terminates the Windows Calculator application, the worm continues to run, since it is a separate process.
- This worm opens and listens on TCP port 6777 on the infected machine to receive remote commands. It allows a malicious user to take control of the infected system, compromising network and local security.
- This malware uses SMTP in order to perform its mailing routine.
To propagate via email, it searches for and harvests email addresses from files with the following extensions:
- .WAB
- .TXT
- .HTM
- .HTML
It avoids email addresses that contain the following strings:
- .r1
- @hotmail.com
- @msn.com
- @microsoft
- @avp
- The worm tries to access some websites to check for updates.
Symptoms
- System listening on TCP port 6777
- Presence of the file bbeagle.exe in the WINDOWS SYSTEM directory
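The following host check is an added example, not part of the CERT-In note: it tests a Windows host for the indicators listed above (the dropped file, the Run value and activity markers, and the TCP 6777 listener). It assumes PowerShell 3.0 or later; Get-NetTCPConnection is used where available (Windows 8 / Server 2012 and later) and netstat otherwise.

```powershell
# Added triage script (assumption: modern Windows with PowerShell 3.0+).
$findings = @()

# 1. Dropped file %System%\bbeagle.exe (the note lists the attachment as 15,872 bytes)
$dropped = Join-Path $env:SystemRoot 'System32\bbeagle.exe'
if (Test-Path -LiteralPath $dropped) {
    $size = (Get-Item -LiteralPath $dropped).Length
    $findings += "File present: $dropped ($size bytes)"
}

# 2. Persistence: Run value 'd3dupdate.exe' under HKCU and under every loaded user hive (HKU\<SID>)
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $runKeys) {
    $value = (Get-ItemProperty -Path $key -Name 'd3dupdate.exe' -ErrorAction SilentlyContinue).'d3dupdate.exe'
    if ($value) { $findings += "Run value d3dupdate.exe in $key -> $value" }
}

# 3. Activity markers: HKU\<SID>\Software\Windows98 with values Uid and Frun
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $marker = Get-ItemProperty -Path "Registry::$($hive.Name)\Software\Windows98" -ErrorAction SilentlyContinue
    if ($marker) {
        $names = $marker.PSObject.Properties.Name
        if (($names -contains 'Uid') -or ($names -contains 'Frun')) {
            $findings += "Marker key $($hive.Name)\Software\Windows98 (Uid=$($marker.Uid), Frun=$($marker.Frun))"
        }
    }
}

# 4. Backdoor listener on TCP 6777, with the owning process where the cmdlet can report it
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listener = Get-NetTCPConnection -LocalPort 6777 -State Listen -ErrorAction SilentlyContinue
    if ($listener) { $findings += "TCP 6777 listening, owning PID(s): $($listener.OwningProcess -join ',')" }
} elseif (netstat -ano | Select-String ':6777\s+\S+\s+LISTENING') {
    $findings += 'TCP 6777 listening (from netstat -ano)'
}

if ($findings.Count -eq 0) { 'No W32.Beagle.A indicators found.' } else { $findings }
```

A listener on 6777 or the Run value on its own is only an indicator; confirm with the file and marker checks before starting removal.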
Removal Instructions
- Win9x/ME: reboot the system into Safe Mode and terminate the process BBEAGLE.EXE
- Delete BBEAGLE.EXE from the Windows system directory
- Edit the registry and delete the following entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
d3dupdate.exe = "%System%\bbeagle.exe"
HKEY_USERS\%SystemInfo%\Software\Microsoft\Windows\CurrentVersion\Run
d3dupdate.exe = "%System%\bbeagle.exe"
HKEY_USERS\%SystemInfo%\Software\Windows98 Uid = <Numeric Value>
HKEY_USERS\%SystemInfo%\Software\Windows98 Frun = %SystemInfo%
- Reboot the system
Solution
- Always run and maintain up-to-date anti-virus software
- Do not run programs of unknown origin
For further information, refer to the CERT-In Security Guideline on Anti-Virus Policy & Best Practices
References
Antivirus Vendors
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003