Bagle (computer worm)

Bagle is a mass-mailing computer worm first discovered on 18 January 2004. The variants from 2006 are extremely destructive. Numerous versions with a range of malicious functions are known. Characteristic of the Bagle family is the relatively inconspicuous compromise and use of the target system, combined with very efficient, snowball-style (chain-letter) distribution.

Infection, symptoms, and spread

Bagle infects all Windows operating systems when the user manually runs an e-mail attachment, usually a .exe file with a randomly generated file name.

The worm first disables existing security software such as virus scanners and personal firewalls, then copies "bbeagle.exe" into the system directory and opens TCP port 6777.

To spread, Bagle collects e-mail addresses from files on the victim's PC, among others from files of the types *.wab, *.txt, *.htm and *.html, and sends itself to the addresses found. It uses its own SMTP engine on port 25.

Besides the consumption of resources on the PC and the network, there is a risk of reputational damage, because Bagle's forged e-mails are often sent to the victim's own personal or business contacts from the address book.

File names and the ports used differ widely because of the large number of variants. Some variants also have peer-to-peer and/or Trojan characteristics. In addition, further code may be downloaded from various websites. The 2006 versions also delete keys in the Windows registry that are required for the automatic startup of certain anti-virus or security software. The variants from 2006 attempt to rule out every possibility of removing the worm. To do so, the worm proceeds as follows:

1. The ability to boot into safe mode to remove the virus is switched off by deleting registry keys (blue screen).

2. All virus scanners are blocked.

3. CPU usage is kept constantly at 100 % (working on the system is then only possible via the Task Manager).

4. The Internet connection is cut, so that no action can be taken against the virus from that side.

The worm disguises itself using the files hldrrr.exe, hidr.exe and srosa.sys and hides its folders (rootkit). Once a folder is found and deleted with a rootkit tool, it creates new ones. In addition, the file hldrrr.exe is copied into these various hidden folders when an attempt is made to delete them. Since it is hardly possible for anti-virus programs to find all copies of hldrrr.exe at the same time, restoring the system is almost impossible.
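The indicators named above (the dropped files bbeagle.exe, hldrrr.exe, hidr.exe and srosa.sys, the TCP/6777 listener, and the worm's own SMTP engine talking to port 25) can be turned into a simple host triage check. The following script is an added example, not code from the article or from any of the cited vendors. It assumes "tasklist"-style and "netstat -ano"-style input lines, an assumed allowlist of legitimate mail clients (MAIL_CLIENTS), and uses constructed sample data rather than output captured from a real infection.

```python
from typing import Dict, List, Tuple

# Indicators taken from the article text.
BAGLE_FILES = {"bbeagle.exe", "hldrrr.exe", "hidr.exe", "srosa.sys"}
BAGLE_BACKDOOR_PORT = 6777
SMTP_PORT = 25
# Assumption for this example: the only processes expected to speak SMTP here.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# --- constructed sample data (not captured from a real infection) ---
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\bbeagle.exe",
    r"C:\WINDOWS\system32\drivers\srosa.sys",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Documents and Settings\user\Local Settings\Temp\hldrrr.exe",
]
# "tasklist"-style lines: image name followed by PID (constructed).
SAMPLE_TASKLIST = """\
outlook.exe                   1880
hldrrr.exe                    2312
svchost.exe                    904
"""
# "netstat -ano"-style lines: proto, local, remote, state, PID (constructed).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:1044      203.0.113.5:25         ESTABLISHED     2312
  TCP    192.168.1.20:1051      198.51.100.9:25        ESTABLISHED     1880
  TCP    192.168.1.20:1060      203.0.113.80:443       ESTABLISHED     904
"""


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> lower-cased image name from tasklist-style lines."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0].lower()
    return procs


def parse_netstat(text: str) -> List[Tuple[str, int, str, int, str, int]]:
    """Return (local_ip, local_port, remote_ip, remote_port, state, pid) for TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        rows.append((lip, int(lport), rip, int(rport), parts[3], int(parts[4])))
    return rows


def find_dropped_files(paths: List[str]) -> List[str]:
    """Paths whose base name is one of the Bagle file names (case-insensitive)."""
    return sorted(
        p for p in paths
        if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in BAGLE_FILES
    )


def find_backdoor_listeners(netstat_text: str) -> List[int]:
    """PIDs listening on the TCP/6777 port the worm opens."""
    return [pid for (_, lport, _, _, state, pid) in parse_netstat(netstat_text)
            if state == "LISTENING" and lport == BAGLE_BACKDOOR_PORT]


def find_rogue_smtp(netstat_text: str, tasklist_text: str) -> List[Tuple[int, str, str]]:
    """Established outbound TCP/25 connections owned by non-mail processes.

    A worm with its own SMTP engine shows up as an unexpected image name
    connecting directly to port 25; legitimate clients on the allowlist are skipped.
    """
    procs = parse_tasklist(tasklist_text)
    hits = []
    for (_, _, rip, rport, state, pid) in parse_netstat(netstat_text):
        if rport == SMTP_PORT and state == "ESTABLISHED":
            image = procs.get(pid, "<unknown>")
            if image not in MAIL_CLIENTS:
                hits.append((pid, image, rip))
    return hits


def triage(paths: List[str], netstat_text: str, tasklist_text: str) -> dict:
    """Combine the three checks into one findings report."""
    findings = {
        "dropped_files": find_dropped_files(paths),
        "backdoor_listeners": find_backdoor_listeners(netstat_text),
        "rogue_smtp": find_rogue_smtp(netstat_text, tasklist_text),
    }
    findings["suspicious"] = any(
        findings[k] for k in ("dropped_files", "backdoor_listeners", "rogue_smtp")
    )
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"{key}: {value}")
```

On a machine where the rootkit component hides folders, a file listing taken from within the running system may not show hldrrr.exe at all, so the network checks (the 6777 listener and direct port-25 traffic from a non-mail image) are the more reliable of the three on a live host; the file check is most useful against a listing taken from offline media.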

Sources & links

  • W32.Bagle worm in circulation - Heise Security on Bagle
  • W32/Bagle@MM - information from McAfee
  • WORM_BAGLE.EN at Trend Micro - functional diagram of a 2006 variant
  • Malware