
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Bagle.A

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Bagle.A does not have any destructive effects. However, it carries out the following actions:

  • It runs only if the system date is on or before January 28, 2004. Once the system date is past that value, Bagle.A creates and runs a batch file called A.BAT, which deletes both the worm file and the batch file itself, in order to leave no trace.
  • It runs the Windows Calculator (CALC.EXE) if it is launched from any file other than BBEAGLE.EXE, the copy the worm creates in the Windows system directory.
  • It contains code that allows it to download files from the Internet and run them on the affected computer.
  • Every ten minutes, Bagle.A attempts to connect on port 6777 to one of the following web pages in order to update itself and take an inventory of affected users. The worm identifies itself as beagle_beagle. These web pages have since been disabled:
    http://www.elrasshop.de
    http://www.it-msc.de
    http://www.getyourfree.net
    http://www.dmdesign.de
    http://64.176.228.13
    http://www.leonzernitsky.com
    http://216.98.136.248
    http://216.98.134.247
    http://www.cdromca.com
    http://www.kunst-in-templin.de
    http://vipweb.ru
    http://antol-co.ru
    http://www.bags-dostavka.mags.ru
    http://www.5x12.ru
    http://bose-audio.net
    http://www.sttngdata.de
    http://wh9.tu-dresden.de
    http://www.micronuke.net
    http://www.stadthagen.org
    http://www.beasty-cars.de
    http://www.polohexe.de
    http://www.bino88.de
    http://www.grefrathpaenz.de
    http://www.bhamidy.de
    http://www.mystic-vws.de
    http://www.auto-hobby-essen.de
    http://www.polozicke.de
    http://www.twr-music.de
    http://www.sc-erbendorf.de
    http://www.montania.de
    http://www.medi-martin.de
    http://vvcgn.de
    http://www.ballonfoto.com
    http://www.marder-gmbh.de
    http://www.dvd-filme.com
    http://www.smeangol.com
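
The update beacon described above leaves two traces in outbound traffic that a defender can look for: the destination port (6777) and the self-identifying string beagle_beagle, together with the ten-minute cadence. The following Python script is an added example, not Panda's code; it runs such a check over constructed proxy log lines in an assumed one-line-per-connection format (timestamp, source, destination:port, user agent). The log format, the source hosts and the timestamps are all made up for the illustration.

```python
"""Detect the Bagle.A update beacon in proxy/firewall logs.

Added example, not Panda's code. Bagle.A connects every ten minutes on
TCP port 6777 and identifies itself as "beagle_beagle". This scans
constructed log lines for either indicator and reports hosts whose
port-6777 connections recur at roughly ten-minute intervals.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "timestamp src dst:port user-agent"
# layout (hypothetical format; adapt LINE_RE to a real proxy's log format).
SAMPLE_LOG = """\
2004-01-20T10:00:02 10.0.0.7 www.elrasshop.de:6777 beagle_beagle
2004-01-20T10:01:15 10.0.0.9 www.example.org:80 Mozilla/4.0
2004-01-20T10:10:05 10.0.0.7 www.it-msc.de:6777 beagle_beagle
2004-01-20T10:20:01 10.0.0.7 64.176.228.13:6777 beagle_beagle
2004-01-20T10:30:09 10.0.0.7 vipweb.ru:6777 beagle_beagle
2004-01-20T11:00:00 10.0.0.9 www.example.org:443 Mozilla/4.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<ua>.*)$"
)
BEACON_PORT = 6777
BEACON_UA = "beagle_beagle"
BEACON_PERIOD_S = 600          # "every ten minutes" per the description
TOLERANCE_S = 60               # allow some jitter around the period


def parse_log(text):
    """Yield a dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["port"] = int(rec["port"])
        yield rec


def suspicious_events(text):
    """Return records that match either Bagle.A indicator (port or UA)."""
    return [r for r in parse_log(text)
            if r["port"] == BEACON_PORT or r["ua"] == BEACON_UA]


def beaconing_hosts(text, min_hits=3):
    """Return source hosts whose suspicious connections recur every ~10 minutes."""
    by_src = defaultdict(list)
    for r in suspicious_events(text):
        by_src[r["src"]].append(r["ts"])
    hosts = []
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = [g for g in gaps if abs(g - BEACON_PERIOD_S) <= TOLERANCE_S]
        # Require at least min_hits events and every gap close to the period
        if len(stamps) >= min_hits and gaps and len(periodic) == len(gaps):
            hosts.append(src)
    return sorted(hosts)


if __name__ == "__main__":
    for r in suspicious_events(SAMPLE_LOG):
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['port']} ua={r['ua']}")
    print("beaconing hosts:", beaconing_hosts(SAMPLE_LOG))
```

A single hit on port 6777 is worth a look on its own; the periodicity check is what separates the worm's scheduled beacon from a one-off connection, and the tolerance absorbs the few seconds of drift a real host shows between runs.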

Infection strategy 

Bagle.A creates the file BBEAGLE.EXE in the Windows system directory. This file is a copy of the worm. If the worm is run from any file other than this one (for example, when the user runs the file attached to the e-mail message), it also runs the Windows Calculator.

Bagle.A creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    d3dupdate.exe = %sysdir%\bbeagle.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Bagle.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Windows98
    uid = %random%

    where %random% is a random value.
  • HKEY_CURRENT_USER\Software\Windows98
    frun = 1

    By creating this entry, Bagle.A can check whether it has already infected the computer.
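
A host-based check for the registry entries listed above, as an added example that is not Panda's code: the registry is modelled as a dict snapshot mapping "key\valuename" to its data so the check runs on any platform; the snapshot contents, the expanded %sysdir% path (assumed C:\WINDOWS\System32) and the sample uid are constructed, and the benign ctfmon.exe entry is there only to show that unrelated Run values are ignored.

```python
"""Check a registry snapshot for the Bagle.A entries listed above.

Added example, not Panda's code. The registry is modelled as a dict that
maps "key\\valuename" to its data, so the check runs on any platform; on a
live Windows host the same dict could be filled from winreg (wiring that up
is left to the reader).
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"

# Constructed snapshot of an infected profile; %sysdir% is expanded to an
# assumed C:\WINDOWS\System32 and the uid is an arbitrary sample value.
INFECTED = {
    RUN_KEY + r"\d3dupdate.exe": r"C:\WINDOWS\System32\bbeagle.exe",
    MARKER_KEY + r"\uid": "73819243",
    MARKER_KEY + r"\frun": 1,
    RUN_KEY + r"\ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",  # benign
}

# Constructed clean profile for comparison.
CLEAN = {
    RUN_KEY + r"\ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
}


def _norm(key):
    """Registry paths are case-insensitive; normalise for lookup."""
    return key.lower()


def find_indicators(snapshot):
    """Return (kind, detail) tuples for every Bagle.A entry in the snapshot."""
    lookup = {_norm(k): v for k, v in snapshot.items()}
    found = []

    # Persistence: Run value d3dupdate.exe whose data ends in \bbeagle.exe
    run_val = lookup.get(_norm(RUN_KEY + r"\d3dupdate.exe"))
    if run_val is not None and str(run_val).lower().endswith(r"\bbeagle.exe"):
        found.append(("persistence", f"d3dupdate.exe = {run_val}"))

    # Infection markers: uid and frun under Software\Windows98
    for name in ("uid", "frun"):
        key = _norm(MARKER_KEY + "\\" + name)
        if key in lookup:
            found.append(("marker", f"{name} = {lookup[key]}"))
    return found


def is_infected(snapshot):
    """The Run entry is decisive; markers alone only warrant a closer look."""
    return any(kind == "persistence" for kind, _ in find_indicators(snapshot))


def remediation(snapshot):
    """List the registry values to delete (removing BBEAGLE.EXE is a separate step)."""
    steps = []
    for kind, detail in find_indicators(snapshot):
        name = detail.split(" = ")[0]
        key = RUN_KEY if kind == "persistence" else MARKER_KEY
        steps.append(f"delete value {name} under {key}")
    return steps


if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, is_infected(snap), find_indicators(snap))
    print(remediation(INFECTED))
```

The persistence value is treated as the deciding indicator because the Software\Windows98 markers could in principle survive a partial clean-up; a profile that still has them but no Run entry is reported as suspicious rather than infected.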

Means of transmission 

Bagle.A spreads via e-mail. It follows the routine below:

  • It reaches the computer in an e-mail message with the following characteristics:

    Sender:
    Bagle.A forges the e-mail address from which it is sent, so the apparent sender is not the infected machine's owner. This may cause confusion.

    Subject:
    Hi

    Message:
    Test =)
    %random characters%
    --
    Test, yep.

    Attachments:
    The attached file has a name that consists of several random characters and always has an EXE extension. It uses the same icon as the Windows Calculator.

  • The computer is affected when the attached file is run.
  • Bagle.A searches for e-mail addresses in files with the following extensions: WAB, TXT, HTM and HTML.
  • The worm carries out MX queries in order to obtain the IP addresses of the mail domains.
  • Bagle.A sends itself out to all the collected addresses, except to those which belong to the following domains: hotmail.com, msn.com, microsoft.com and avp.com. It uses its own SMTP engine.
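
The message characteristics described above can be turned into a mail-gateway filter. The Python below is an added example, not Panda's code: it builds a constructed sample message with the standard library (made-up addresses, a placeholder attachment body and an invented random attachment name) and scores it against the documented traits, blocking only when the EXE attachment coincides with the lure subject or body text.

```python
"""Flag e-mail messages matching the Bagle.A lure described above.

Added example, not Panda's code. It uses the standard email package on a
constructed message; a real gateway would hand it the raw RFC 822 message.
"""
import re
from email import message_from_string
from email.message import EmailMessage

# "several random characters" followed by .exe
RANDOM_EXE = re.compile(r"^[A-Za-z0-9]+\.exe$", re.IGNORECASE)


def build_sample(subject="Hi", attach_name="qwhvzx.exe",
                 body="Test =)\nkjhsd\n--\nTest, yep.\n"):
    """Constructed sample message with the documented subject, body and attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"      # forged by the worm in the real thing
    msg["To"] = "victim@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    # Attachment payload is a placeholder, not the worm
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_string()


def score_message(raw):
    """Return the list of Bagle.A traits present in a raw message string."""
    msg = message_from_string(raw)
    traits = []
    if (msg.get("Subject") or "").strip() == "Hi":
        traits.append("subject_hi")
    body_text = ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            if RANDOM_EXE.match(part.get_filename() or ""):
                traits.append("exe_attachment")
        elif part.get_content_type() == "text/plain":
            body_text += part.get_payload(decode=True).decode("utf-8", "replace")
    if "Test =)" in body_text and "Test, yep." in body_text:
        traits.append("test_body")
    return traits


def is_bagle_lure(raw):
    """Block when the random-name EXE is paired with the lure subject or body."""
    traits = set(score_message(raw))
    return "exe_attachment" in traits and bool(traits & {"subject_hi", "test_body"})


if __name__ == "__main__":
    lure = build_sample()
    print(score_message(lure), is_bagle_lure(lure))
    benign = build_sample(subject="Meeting", attach_name="report.pdf", body="see attached")
    print(score_message(benign), is_bagle_lure(benign))
```

Requiring the attachment trait plus at least one text trait keeps a plain "Hi" message from being blocked, while still catching the variant in which only the subject or only the body survives a mangling mail client.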

Further Details  

Bagle.A is written in assembly language. The worm file is 15,872 bytes in size.
