New version of Bagle widely spammed

20 Apr 2005
Virus News

Kaspersky Lab, a leading developer of secure content management solutions, has detected Email-Worm.Win32.Bagle.bn. The author of Bagle has been particularly active since the beginning of 2005, releasing a new malicious program every few days. Kaspersky Lab virus analysts have detected two mass mailings of this latest modification, and believe that it has been spammed in order to maintain the botnets made up of machines infected by Bagle variants.

Bagle.bn arrives as an attachment to infected messages that have a blank subject field and a blank body. The attachment itself is a ZIP file, 19KB in size, which contains an EXE file called 19_04_2005.exe.
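The message shape described above (blank subject, blank body, ZIP attachment holding an EXE) can be checked at a mail gateway. The following is an added example, not Kaspersky Lab code; the function names, addresses and the attachment name `attachment.zip` are assumptions, and the sample message is constructed with a harmless placeholder in place of the executable.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def zip_executables(data):
    """Return names of .exe members in a ZIP blob, or [] if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".exe")]
    except zipfile.BadZipFile:
        return []

def matches_described_pattern(raw):
    """True for: blank subject, blank body, ZIP attachment containing an EXE."""
    msg = message_from_bytes(raw, policy=policy.default)
    # A missing Subject header is treated the same as an empty one.
    if (msg["Subject"] or "").strip():
        return False
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and body.get_content().strip():
        return False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and zip_executables(part.get_payload(decode=True)):
            return True
    return False

def build_sample(subject, body, member):
    """Constructed test message: ZIP attachment with one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"    # constructed address
    msg["To"] = "user@example.com"        # constructed address
    msg["Subject"] = subject
    msg.set_content(body + "\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="attachment.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(matches_described_pattern(build_sample("", "", "19_04_2005.exe")))
```

The check keys on the structure of the message rather than the dated file name, since the name is trivially changed between mailings.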

Once the user launches the executable file, the worm creates a text file in the Windows temporary directory. The file name begins with a tilde (~) and ends with a .txt extension; the rest of the name consists of randomly generated characters. Bagle.bn uses the default text editor on the infected machine (usually Notepad) to open this file, and the user will see the word “Sorry” displayed on screen.

Bagle extracts a file named winshost.exe from its body, saves it to the Windows system directory and registers it in the system registry. This ensures that the worm will be launched each time Windows is rebooted on the infected machine.

Bagle.bn will prevent antivirus solutions from being run by deleting a number of system registry values. It also terminates processes connected with some antivirus and firewall applications, and overwrites the hosts file to prevent users of infected machines from viewing antivirus websites.

Fortunately, Bagle.bn is unable to self-replicate. However, this does not mean that the author will not use spammer technologies to mass mail additional copies of the worm.

Kaspersky Anti-Virus databases have already been updated with detection for Bagle.bn. You can find more information about this malicious program in the Kaspersky Virus Encyclopaedia.