Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Bagle.U

Threat level: Low threat
Damage: High
Distribution: Not widespread

At a glance

Common name: Bagle.U
Technical name: W32/Bagle.U.worm
Threat level: High
Type: Worm
Effects:

It creates a backdoor that opens TCP port 4751, and notifies its author that the computer can be accessed through it. It opens the Windows game Hearts, if it is installed. It stops functioning after January 1, 2005.

Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

First detected on: March 26, 2004
Detection updated on: June 15, 2006
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies
Repair utility: Panda QuickRemover

Brief Description

Bagle.U is a worm that spreads via e-mail in a message with a blank subject, a blank body and an attached file whose name varies but always has an EXE extension.

Bagle.U contains a backdoor, which opens the TCP port 4751. It attempts to connect to a web page that hosts a PHP script. By doing this, Bagle.U notifies its author that the affected computer can be accessed through the port mentioned above.

Once it is run, Bagle.U opens the Windows game Hearts, if it is installed in the affected computer. This game is usually installed with Windows operating systems.

This worm only runs if the system date is on or before January 1, 2005. After this date, Bagle.U stops functioning.

Visible Symptoms

Bagle.U is easy to recognize when it reaches the computer, as the attached file has the following icon:

In addition, Bagle.U opens the Windows game Hearts, if it is installed in the affected computer. This game is usually installed with Windows operating systems.

Tech details

Effects

Bagle.U carries out the following actions:
  • It creates a backdoor that opens TCP port 4751 and listens on it.
  • It downloads an update of itself (the file A.EXE) from the Internet through the opened port.
  • It checks for an available Internet connection every two seconds. If successful, it attempts to connect to a web page that hosts a PHP script:
    http://www.werde.de/5.php
    By doing this, Bagle.U notifies its author that the affected computer can be accessed through the opened port. If it is unable to send this notification, it retries every 100,000 seconds.
  • This worm only runs if the system date is on or before January 1, 2005. After this date, Bagle.U stops functioning.
  • It opens the Windows game Hearts, if it is installed in the affected computer. This game is usually installed with Windows operating systems.

Infection strategy

Bagle.U creates the following files:

  • GIGABIT.EXE in the Windows system directory. This file is a copy of the worm. If Bagle.U is run from a file other than this one, it opens the Windows game Hearts.
  • A.BAT. When this batch file is run, it deletes the worm.
  • A.EXE in the Windows directory. This file is the update downloaded from the Internet through the opened port.

Bagle.U creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Gigabit.exe = %sysdir%\gigabit.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Bagle.U ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Windows2004
    gsed = %random%

    where %random% is a random value, which is used during the execution of the worm.
  • HKEY_CURRENT_USER\Software\Windows2004
    frn = 1

    This entry indicates that Bagle.U has already been run for the first time.

Means of transmission

Bagle.U spreads via e-mail. It follows the routine below:

  • It reaches the computer in an e-mail message with the following characteristics:

    Sender:
    Bagle.U spoofs the e-mail address from which it is sent. This may cause confusion.

    Subject: it is blank.

    Message: it is blank.

    Attachments:
    It has an attached file with a variable file name, but which always has an EXE extension.
    This attached file has the following icon:

  • The computer is affected when the attached file is run.
  • Bagle.U searches for e-mail addresses in files that have the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, EML, HTM, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, SHT, SHTM, STM, TBB, TXT, UIN, WAB, WSH, XLS and XML.
    It looks for these files on all drives of the affected computer, except floppy drives, CD-ROMs and other removable media.
  • It sends itself to all the addresses it has gathered using its own SMTP engine, except those belonging to the mail domains @microsoft and @avp.
    It sends a message every five seconds.
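A mail-gateway triage rule for the message characteristics listed above, added here as an example (it is not Panda's code): it parses a raw RFC 822 message with Python's standard email package and flags it only when all three traits coincide, a blank subject, a blank body and an attachment with an EXE extension. Both sample messages are constructed for the example; the addresses and the attachment name are placeholders.

```python
import email
from email import policy

# Constructed sample with the traits the entry describes: no subject,
# no body text and an attachment whose name ends in .exe.
BAGLE_LIKE = """\
From: spoofed@example.org
To: user@example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

--b1
Content-Type: application/octet-stream; name="doc.exe"
Content-Disposition: attachment; filename="doc.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample of ordinary mail: subject and body, no attachment.
BENIGN = """\
From: colleague@example.org
To: user@example.net
Subject: Quarterly report

Minutes are on the wiki.
"""

def bagle_u_mail_traits(raw: str) -> dict:
    """Report which of the three Bagle.U mail traits a raw RFC 822 message shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject") or "")   # absent and empty both count as blank
    # The worm sends no text at all, so a missing text part also counts as blank.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    # The attachment name varies; only the EXE extension is constant.
    exe = any((p.get_filename() or "").lower().endswith(".exe") for p in msg.walk())
    return {"blank_subject": not subject.strip(),
            "blank_body": not body_text.strip(),
            "exe_attachment": exe}

def matches_bagle_u(raw: str) -> bool:
    """Flag only when all three traits occur together, to limit false positives."""
    return all(bagle_u_mail_traits(raw).values())
```

The icon mentioned in the entry cannot be checked at a gateway; the EXE extension and the empty subject and body are the traits a filter can act on.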

Further Details

Bagle.U is written in Visual C. It is 8,208 bytes in size when compressed with FSG, and approximately 50 KB once decompressed.
