F-Secure Virus Descriptions : Bagle.U


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.

NAME: Bagle.U
ALIAS: I-Worm.Bagle.s, W32/Bagle.U@mm
SIZE: 8208 bytes

Summary

A new variant of Bagle, Bagle.U, was found spreading in the morning of March 26th, 2004. It is a very simple variant: it sends itself with an empty subject, no body text and a randomly named attachment.

The attachment has an icon which resembles a clock.

Disinfection

F-Secure provides a special disinfection utility to eliminate a Bagle.U worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

System administrators who are using F-Secure Policy Manager can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-bagle.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bagle.jar



Detailed Description

The worm's file is a PE executable 8208 bytes long, packed with the FSG file compressor.

When the worm's file is run, it opens the Microsoft Hearts card game (MSHEARTS.EXE). Then the worm copies itself to the Windows System folder as GIGABIT.EXE and creates a startup key for this file in the System Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "gigabit.exe" = "%winsysdir%\gigabit.exe"

where %winsysdir% represents Windows System folder name.

Before spreading, the worm searches for e-mail addresses in files with the following extensions:

 .wab
 .txt
 .msg
 .htm
 .shtm
 .stm
 .xml
 .dbx
 .mbx
 .mdx
 .eml
 .nch
 .mmf
 .ods
 .cfg
 .asp
 .php
 .pl
 .wsh
 .adb
 .tbb
 .sht
 .xls
 .oft
 .uin
 .cgi
 .mht
 .dhtm
 .jsp

The worm avoids spreading to e-mail addresses that contain any of the following:

 @avp.
 @microsoft

The subject of the infected message is empty and there is no body text. The attachment has a random name and an EXE extension.
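A mail-gateway check for exactly that message shape, added here as an example (not F-Secure's own detection logic): it parses a message, flags the combination of empty subject, empty body and an .exe attachment, and additionally notes an attachment that is a PE image of exactly 8208 bytes. The sample messages are constructed with Python's email library; the attachment name qhwjx.exe and the sender/recipient addresses are made up for the example, and the payload is a dummy "MZ" header plus padding, not the worm.

```python
import email
from email import policy
from email.message import EmailMessage

WORM_SIZE = 8208  # size of the Bagle.U executable, from the description


def build_sample(subject="", body="", filename="qhwjx.exe", size=WORM_SIZE):
    """Construct a test message in the shape Bagle.U sends (not a real capture).

    Defaults reproduce the worm's message: no subject, no body text and a
    randomly named EXE attachment of 8208 bytes.
    """
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # constructed address
    msg["To"] = "target@example.org"      # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    # Dummy payload with a PE-style "MZ" header; this is padding, not malware.
    payload = b"MZ" + b"\x00" * (size - 2)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def classify(raw):
    """Return a verdict and the reasons for it for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject") or "").strip()

    body_chunks = []
    attachments = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        if name:
            attachments.append((name, data))
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body_chunks.append(data.decode(charset, "replace"))
    body = "".join(body_chunks).strip()

    reasons = []
    if not subject:
        reasons.append("empty subject")
    if not body:
        reasons.append("empty body")
    exe = [(n, d) for n, d in attachments if n.lower().endswith(".exe")]
    if exe:
        reasons.append("executable attachment: " + ", ".join(n for n, _ in exe))
    if any(len(d) == WORM_SIZE and d.startswith(b"MZ") for _, d in exe):
        reasons.append(f"PE attachment of exactly {WORM_SIZE} bytes")

    # The worm's message has all three traits at once; a legitimate mail
    # rarely does, so that combination is the trigger, not any single trait.
    verdict = "bagle-u-like" if (not subject and not body and exe) else "clean"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    print(classify(build_sample()))
    print(classify(build_sample(subject="Quarterly report",
                                body="See attached.", filename="report.pdf")))
```

The size check is a weak signal on its own (any 8208-byte EXE would match) and is only reported as supporting evidence; the verdict rests on the empty-subject, empty-body, EXE-attachment combination, which is what a gateway rule for this variant should key on.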

The worm has a backdoor that listens on port 4751. As with earlier Bagle variants, the worm connects to a website (this time only one, located in Germany) and reports the backdoor's ID and port to the worm author.
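A host triage script for the two persistent indicators in this section, the GIGABIT.EXE value under the HKCU Run key and the backdoor listener on port 4751, added here as an example and not part of F-Secure's tooling. It parses the text of a `reg export` dump and of `netstat -an` output rather than querying a live system, so it runs anywhere on collected artifacts. Both inputs below are constructed samples of an infected host, not real captures; the assumption that the backdoor uses TCP is the example's, since the description only gives the port number.

```python
import re

# Indicators from the description: the persistence value under HKCU Run that
# points at gigabit.exe in the Windows System folder, and the backdoor port.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_FILENAME = "gigabit.exe"
BACKDOOR_PORT = 4751  # assumed TCP for this example

# Constructed sample of a `reg export` of the HKCU Run key (not a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"gigabit.exe"="C:\\WINDOWS\\System32\\gigabit.exe"
"""

# Constructed sample of `netstat -an` output on an infected host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4751           0.0.0.0:0              LISTENING
  TCP    192.0.2.15:1041        203.0.113.8:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
_TCP_LISTENER = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def run_key_values(reg_export):
    """Return {value_name: data} for every value under the HKCU Run key."""
    values = {}
    current = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or current.lower() != RUN_KEY.lower():
            continue
        m = _REG_VALUE.match(line)
        if m:
            # .reg files escape each backslash as two; undo that.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def listening_tcp_ports(netstat_output):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        m = _TCP_LISTENER.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def triage(reg_export, netstat_output):
    """Combine both artifacts into a per-host verdict with the evidence."""
    values = run_key_values(reg_export)
    # Match on the value name or on the file the value data points to, since
    # the registry and file system are both case-insensitive on Windows.
    hits = {n: d for n, d in values.items()
            if n.lower() == WORM_FILENAME
            or d.lower().endswith("\\" + WORM_FILENAME)}
    backdoor = BACKDOOR_PORT in listening_tcp_ports(netstat_output)
    return {"run_key_hits": hits,
            "backdoor_listening": backdoor,
            "infected": bool(hits) or backdoor}


if __name__ == "__main__":
    print(triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT))
```

A listener on 4751 without the Run value (or vice versa) is still reported, since a partial cleanup or a different process on that port deserves a look; confirmation and removal are then left to the f-bagle tool linked in the Disinfection section.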



Detection

F-Secure Anti-Virus detects the Bagle.U worm with the following update:

[FSAV_Database_Version]

Version=2004-03-26_01



Description: Katrin Tocheva and Mikko Hypponen, March 26th, 2004;

Technical Details: Alexey Podrezov, March 26th, 2004;

Description Updated: Alexey Podrezov, April 1st, 2004;

F-Secure Corporation