Bagle, also known as Beagle, is a large family of email worms with many variants. It is notable for the fact that many variants arrived as password-protected .zip attachments, with the password given in the body of the message so the recipient could open the archive while gateway scanners could not look inside it.
Bagle.A, the original variant, arrives in an email with a spoofed sender line; the alleged sender has an address in the same domain as the recipient. The subject is "Hi" and the body is "Test =)" followed by a string of random characters, ending with "Test, yep." The attachment name is a string of random letters with a .exe extension, and its icon often resembles the Windows Calculator.
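The two lures described above translate directly into mail-gateway heuristics. The following Python is an added example, not code from the original page or from any vendor: rule A matches the Bagle.A message shape (same-domain spoofed sender, subject "Hi", the fixed "Test =)" / "Test, yep." frame around random text, random-letter .exe attachment), and rule B flags an encrypted .zip attachment whose password is handed over in the body. All messages and addresses are constructed; because the standard library cannot write encrypted archives, the zip sample flips the encryption flag bit in a plain archive, which is sufficient for header-based detection.

```python
"""Gateway heuristics for the two Bagle lures described above (added example).

Rule A: the Bagle.A message shape.  Rule B: an encrypted .zip attachment with
the password handed over in the body.  All messages are constructed inline.
"""
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from io import BytesIO

RANDOM_EXE = re.compile(r"^[A-Za-z]{3,}\.exe$", re.I)               # random letters + .exe
BAGLE_A_BODY = re.compile(r"\ATest =\)\s.*Test, yep\.\s*\Z", re.S)  # "Test =)" ... "Test, yep."
PASSWORD_HINT = re.compile(r"\bpass(word)?\b", re.I)


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def is_encrypted_zip(data: bytes) -> bool:
    """True if any member has the general-purpose 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def scan(raw: bytes) -> list[str]:
    """Return a list of findings for one raw RFC 822 message (empty = clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    attachments = [(p.get_filename() or "", p.get_content()) for p in msg.iter_attachments()]
    hits = []

    # Rule A: spoofed sender in the recipient's own domain, "Hi", the fixed
    # body frame around random junk, and a random-letter .exe attachment.
    d_from, d_to = _domain(str(msg.get("From", ""))), _domain(str(msg.get("To", "")))
    if (d_from and d_from == d_to
            and str(msg.get("Subject", "")).strip() == "Hi"
            and BAGLE_A_BODY.match(body)
            and any(RANDOM_EXE.match(name) for name, _ in attachments)):
        hits.append("Bagle.A lure: same-domain sender, 'Hi' / 'Test =)' body, random .exe")

    # Rule B: encrypted archive plus a password in the body.  The encryption
    # blinds the gateway scanner, so the combination is itself the signal.
    for name, data in attachments:
        if isinstance(data, bytes) and is_encrypted_zip(data) and PASSWORD_HINT.search(body):
            hits.append(f"encrypted zip {name!r} with password supplied in body")
    return hits


def _message(sender, rcpt, subject, body, filename, payload) -> bytes:
    """Build a constructed sample message with one binary attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def fake_encrypted_zip() -> bytes:
    """zipfile cannot write encrypted archives, so flip the encryption bit in the
    local header (offset 6) and central-directory entry (offset 8) of a plain one.
    Enough for header-based detection; not a real encrypted archive."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ufdzk.exe", b"MZ" + b"\0" * 62)
    data = bytearray(buf.getvalue())
    data[6] |= 0x01
    data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


# Constructed samples: a Bagle.A-shaped message, a zip-variant message, a clean one.
BAGLE_A_SAMPLE = _message("alice@example.com", "bob@example.com", "Hi",
                          "Test =)\nkdqzm oqwerhn\nTest, yep.", "ufdzk.exe", b"MZ" + b"\0" * 62)
ZIP_SAMPLE = _message("news@example.net", "bob@example.com", "Your document",
                      "The archive password is 31745.", "doc.zip", fake_encrypted_zip())
CLEAN_SAMPLE = _message("alice@example.com", "bob@example.com", "Lunch?",
                        "Menu attached, see you at noon.", "menu.pdf", b"%PDF-1.4")

if __name__ == "__main__":
    for label, raw in (("bagle_a", BAGLE_A_SAMPLE), ("zip", ZIP_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, scan(raw) or "clean")
```

Rule B is deliberately broader than Bagle: any encrypted archive whose password travels in the same message is a lure that the gateway cannot inspect, which is exactly why the technique was adopted. Treat a hit as a reason to quarantine or to detonate in a sandbox, not as a vendor-grade verdict.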
After execution, some variants of Bagle check the system date and do nothing once it has passed a built-in cut-off (January 28, 2004 for Beagle.A). This kill date only works if the clock is right: if the infected computer's date is set to a point before the cut-off, the worm runs and continues to spread from that computer.
It copies itself to the Windows system folder as bbeagle.exe and launches calc.exe (the Windows Calculator) as a decoy, so that the victim sees the program they expected. For persistence it adds the value "d3dupdate.exe" = "(system folder)\bbeagle.exe" to the current user's Run key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, which causes the worm to start at every logon. It may also add the values "uid" = [random value] and "frun" = 1 under HKEY_CURRENT_USER\Software\Windows98 as infection markers.
The worm creates a listening thread on TCP port 6777, a simple backdoor: if an attacker sends a specially formatted message to this port, the worm downloads an arbitrary file into the Windows system folder. Bagle also creates a thread that notifies a number of websites of the infection every ten minutes.
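Offline triage for the host artifacts just listed (the Run value, the infection-marker key and the TCP 6777 listener), as an added example that is not part of the original page. Rather than querying a live machine, it parses a `reg export` text dump and `netstat -ano` output collected from the suspect host, so it runs on any platform against preserved evidence. Both inputs below are constructed samples; the Run key path is the standard per-user Run key, and the PID values are invented.

```python
"""Offline triage for Bagle.A host artifacts (added example, not from the page).

Works on a 'reg export' text dump and 'netstat -ano' output collected from the
suspect machine, so it runs anywhere.  Both samples below are constructed.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"   # uid / frun infection markers
DROPPED_FILE = "bbeagle.exe"
BACKDOOR_PORT = 6777


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: data}} from a .reg export.

    Doubled backslashes in REG_SZ data are collapsed; DWORDs stay as the
    literal 'dword:xxxxxxxx' token."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def listening_pids(netstat_text: str) -> dict[int, int]:
    """Return {local_port: pid} for TCP LISTENING sockets in 'netstat -ano' output."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)
    return {int(port): int(pid) for port, pid in pat.findall(netstat_text)}


def triage(reg_text: str, netstat_text: str) -> list[str]:
    """Match the collected evidence against the Bagle.A indicators above."""
    findings = []
    reg = parse_reg_export(reg_text)
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() == "d3dupdate.exe" or data.lower().endswith(DROPPED_FILE):
            findings.append(f"Run value {name!r} -> {data}")
    marker = reg.get(MARKER_KEY)
    if marker is not None and {"uid", "frun"} & set(marker):
        findings.append(f"infection marker key {MARKER_KEY}: {marker}")
    ports = listening_pids(netstat_text)
    if BACKDOOR_PORT in ports:
        findings.append(f"TCP {BACKDOOR_PORT} LISTENING, PID {ports[BACKDOOR_PORT]} (verify image path)")
    return findings


# Constructed 'reg export' dump: one benign Run value, the worm's value, the markers.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"d3dupdate.exe"="C:\\WINDOWS\\system32\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"uid"="13374"
"frun"=dword:00000001
"""

# Constructed 'netstat -ano' output; PIDs are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.20:1042      203.0.113.5:80         ESTABLISHED     1588
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_NETSTAT):
        print("[!]", finding)
```

A listener on port 6777 by itself is weak evidence, since any process may pick that port; the PID is reported so the analyst can confirm the owning image is the dropped bbeagle.exe before acting on it. The registry value name and the dropped filename are the stronger indicators.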
It then scans for email addresses in files with extensions .wab, .txt, .htm, and .html. It will not send itself to any of the following domains:
The author of the original Bagle is unknown, but one researcher points to Caesar2k of the group Nuclear Winter Crew, whose creation Titog was similar in that it terminated the same processes as the M variant of Bagle. Caesar2k and other members of the group also coded in Delphi, the language in which Beagle was written.
Both names are in use. Beagle comes from bbeagle.exe, the filename that the original and some subsequent variants drop into the system folder; Bagle is the spelling most antivirus vendors adopted, as the list below shows.
- Virus Encyclopedia full name: Worm/Email/Win32/Beagle
- Avast!: Win32:Beagle
- Avira: Worm/Bagle.A
- CA: Win32.Bagle.A
- ClamAV: Worm.Bagle.Gen-dll
- Doctor Web: Win32.HLLM.Beagle.15872
- Eset: Win32/Bagle.A
- F-Prot: W32/Bagle.A@mm
- F-Secure: Email-Worm.Win32.Bagle.fj [AVP]
- Grisoft: I-Worm/Bagle.A
- Kaspersky Lab: Email-Worm.Win32.Bagle.a, I-Worm.Bagle.a
- McAfee: W32/Bagle.a@MM
- Norman: W32/Bagle.A@mm
- Panda: W32/Bagle.A.worm
- RAV: Win32/Bagle.A@mm
- BitDefender: Win32.Bagle.A@mm
- Sophos: W32/Bagle-A
- Symantec: W32.Beagle.A@mm
- Trend Micro: WORM_BAGLE.A
- Vexira: Trojan.DL.Bagle
The Bagle.P variant (the letter may differ between antivirus vendors), as well as a few others, can infect computers without any attachment. The HTML message contains an ActiveX control that creates and runs a VBScript on the system, which downloads and executes the worm from one of a list of IP addresses.
Some variants, including Bagle.DW, try to make the victim believe that they are being accused of being a spammer or phisher and that the attachment containing the worm holds proof of the crime. The message containing the worm is one of the following three:
Hey pal. Do you know, that your webpage paypalll.comprovides a phishing attack? Open attached file for a proof hmmmm it's quite nice, but I think that cops would be interested in it. So my friend. take the page away and put a Appologize on it. Or the Police will hear from me. Cya my friend
Hi! Just to inform you that your email is used by a spamer who intends to steal bank account information thru a fake site. If you are not involded, I can bring you additionnal information. Check attached file for a proof. If you are, you're a little son of a bitch.
Dude, I found your email from whois info of a web page that was used in spam and illigal activity, please do something or you will be sued and busted. Was very dumb to leave your email, asshole! P.S Attached file is self-exatracting archive with information about your criminal activity.
Gregg Keizer. InformationWeek, "Bagle Bullies Users Into Infections". 2006.03.02
Takayoshi Nakayama. Symantec.com, "W32.Beagle.DW@mm".
Larry Seltzer. eWeek.com, "New Bagle Worm Variant Can Run Without Launching Attachment". 2004.03.18
Jay Lyman. TechNewsWorld (Mac News), "Bagle.U Worm Spreads Despite Simplicity". 2004.03.26
Gary Warner. Birmingham Chapter of InfraGard, "Beagle Evolution: Observations on a Rapidly Changing Virus". 2004.04.13