bagle.a - CNET Reviews

- home
- reviews
- news
- downloads
- cnet tv
On MovieTome: See the villain of IRON MAN 2!
- log in
- join CNET
- welcome,
- my profile
- log out

Dell Alienware M17x Gaming Laptop

Bagle.a prevention and cure
By Robert Vamosi

Mass-mailing Bagle worm is building a spam network

(1/20/04)

Despite flaws in its programming, a new mass-mailing e-mail worm is spreading across Asia and the Internet. Bagle (Bagle.a@mm) looks like yet another worm designed by spammers, much like Sobig and MiMail. It appears to be building a network of vulnerable computers from which it can later launch anonymous e-mail. When executed, Bagle attempts to e-mail every e-mail address it finds on an infected computer; it will also attempt to download a Trojan horse from a remote site. Bagle appears to be the first of a new family of viruses. Like Sobig, it contains a built-in expiration date; in this case, it's January 28, 2004. Because Bagle spreads via e-mail and could install a Trojan horse program, this worm rates a 7 on the CNET Virus Meter.

How it works
Bagle arrives as an e-mail message with the subject line "Hi." It appears to be sent from a random e-mail address. The body text reads "Test =)" followed by random letters. The attached file, too, uses random letters followed by an .exe extension. The attached file may use the Windows calculator icon.

When executed, the worm will collect e-mail addresses from address books, text, and HTML files. The worm will not, however, contact addresses using the following domains:

.r1
@hotmail.com
@msn.com
@microsoft
@avp

After January 28, 2004, Bagle will not execute.

According to iDefense, Bagle will make the following changes to the system Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run d3update.exe=WINDOWS SYSTEM DIRECTORY\bbeagle.exe

HKU\%SystemInfo%\Software\Microsoft\Windows\CurrentVersion\Run d3update.exe=WINDOWS SYSTEM DIRECTORY\bbeagle.exe

HKCU\Software\Windows98 frun=1 uid=RANDOMIZED VALUE

Bagle also attempts to download a Trojan horse from a remote site. To do so, it attempts to communicate on port 6777. Desktop firewalls should be able to detect and stop this activity. In theory, this downloaded Trojan would allow the virus author at some future date to update or modify the worm. At this time, however, all the sites Bagle attempts to contact appear to be inactive.

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Sophos, Symantec, and Trend Micro.

Read the latest News.com coverage here.

Reviews & advice: Site map; Editorial policies; Meet the editors; How we test; Forums; Internet speed test

Popular topics: Apple iPhone; Apple iPod; Cell phones; Dell; GPS; LCD TV

CNET sites: CNET Site map; CNET TV; Downloads; News; Reviews; Shopper.com

More information: Newsletters; CNET Mobile; Customer Help Center; RSS; CNET Widgets; About CNET

Privacy policy
Terms of use
Visit other CBS Interactive sites:

#networkSites {display:none;}BNET | CHOW | CNET.com | CNET Channel | GameSpot | International Media | mySimon | Search.com | TechRepublic | TV.com | ZDNet