A new version of the Internet worm Bagle causes a global outbreak

17 Feb 2004
Virus News

Kaspersky Lab has detected I-Worm.Bagle.b, a new modification of the notorious Internet worm Bagle. To date, several hundred users throughout the world have sent notification of messages infected by the worm. A conservative estimate of the number of infected messages in global mail traffic would be over 20000, and the number is steadily rising. This indicates that the worm is significantly less widespread than the infamous Mydoom.a. However, prior to the appearance of Mydoom.a, the most widespread worm of 2004 was Bagle.a, the previous version of the current worm.

The new version of I-Worm.Bagle is similar to its predecessor in many ways. The malicious program spreads via email as an infected file attached to messages. The worm is an executable Windows file of approximately 11KB. The message header reads 'ID x:thanks' and the message body reads 'Yours ID x:Thank', with x in both cases being a random string of characters.

Once launched, the worm copies itself to the Windows system directory and registers itself in the system registry auto-run key. In order to confuse the user, the worm also launches Sound Recorder (sndrec32.exe), a standard Windows utility. Following this, Bagle.b attempts to establish a connection with a number of remote sites which are in some way connected with the Trojan proxy server TrojanProxy.Win32.Mitglieder. At the moment, all links to Internet resources where Mitglieder can be downloaded have been deleted, which means that I-Worm.Bagle.b is unable to utilize this method to increase the speed at which it propagates.

However, the most dangerous threat to infected computers is the Trojan component in the body of the worm. This opens port 8866 on the victim computer and then monitors port activity. The computer is then open for the author of the worm to execute commands or download files to the victim machine.

Just like its predecessor, I-Worm.Bagle.b uses a procedure standard for this type of malicious code to propagate. It scans the file system of the victim computer for files with the extensions wab, txt, htm, html and r1, and then sends itself to all email addresses found in these files. The worm uses its own SMTP server to send messages. The activity of this particular malicious program is time-limited, as the worm is programmed to cease propagating after 25th February 2004. This may be a sign that a new version of Bagle is being written, which will appear after the date shown above.

Protection against I-Worm.Bagle.b has already been added to Kaspersky Anti-Virus databases. A more detailed description can be found in the Virus Encyclopaedia.
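As an added illustration (not code from Kaspersky Lab or from the report above), the following Python mail-gateway check tests an incoming message against the three message-level indicators the report quotes: the 'ID x:thanks' subject, the 'Yours ID x:Thank' body, and a small executable attachment. The '.exe' extension and the 8-16 KB size window around the stated ~11 KB are assumptions, and the sample messages are constructed with inert zero-filled attachments.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in the report: subject 'ID x:thanks', body 'Yours ID x:Thank'
# (x = random string) and an executable attachment of about 11 KB.
SUBJECT_RE = re.compile(r"^ID\s+\S+:thanks$", re.IGNORECASE)
BODY_RE = re.compile(r"^Yours ID\s+\S+:Thank$", re.IGNORECASE)
# Assumptions, not from the report: '.exe' as the attachment extension and an
# 8-16 KB window around the stated ~11 KB size.
EXE_SUFFIX = ".exe"
SIZE_RANGE = (8_000, 16_000)


def bagle_b_indicators(raw: bytes) -> dict:
    """Return which of the three Bagle.b message indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    hits = {"subject": bool(SUBJECT_RE.match(subject)), "body": False, "attachment": False}
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        hits["body"] = bool(BODY_RE.match(body.get_content().strip()))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")
        if name.endswith(EXE_SUFFIX) and SIZE_RANGE[0] <= size <= SIZE_RANGE[1]:
            hits["attachment"] = True
    return hits


def is_bagle_b_like(raw: bytes) -> bool:
    """Flag only when subject, body and attachment all match; one hit alone is too weak."""
    return all(bagle_b_indicators(raw).values())


def build_sample(subject: str, body: str, attach_name: str, attach_len: int) -> bytes:
    """Construct a test message (not a real capture) with an inert, zero-filled attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"\x00" * attach_len, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


# Constructed samples: one mimicking the worm's message shape, one ordinary mail.
SUSPICIOUS = build_sample("ID q7x2f:thanks", "Yours ID q7x2f:Thank", "q7x2f.exe", 11_000)
BENIGN = build_sample("Meeting notes", "Attached as discussed.", "notes.pdf", 11_000)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bagle_b_indicators(raw), "->", is_bagle_b_like(raw))
```

Requiring all three indicators keeps ordinary mail with small executables from being quarantined on attachment size alone.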