By Robert Vamosi
(March 1, 2004)
How it works
The Bagle variants c through g arrive via e-mail. The return address is spoofed and therefore worthless as a lead to the sender. The subject line contains the letters ID among other random letters, plus the word Thanks. The body contains random phrases. The attached file ends in .EXE.
Once active on an infected computer, these variants behave similarly to the Bagle.b worm, with the following exceptions:
All of the variants attempt to terminate the following processes, which belong mostly to antivirus update utilities and personal firewalls, so that installed security software cannot fetch new signatures or block the worm:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
Variants c and d carry an attachment that looks like an Excel file but is an executable. Once active, the worm opens TCP port 2745 as a backdoor, allowing remote access to the infected PC.
With variant e, the attachment appears to be a text file. Once active, it drops the file i1ru74n4.exe into the Windows System directory and likewise opens TCP port 2745.
Variants f and g arrive as password-protected ZIP attachments that display as file folders within the e-mail, with the password supplied in the message. Because a gateway scanner cannot open an encrypted archive, this technique gets the worm past corporate gateway antivirus filters. Once active, f and g also drop i1ru74n4.exe into the Windows System directory, along with go54o.exe (a DLL that performs the mailing), ii5nj4.exe (a DLL loader), and i1ru54n4.exeopen (the file sent out via e-mail). In addition to spreading via e-mail, f and g copy themselves to shared folders on the network. Both variants open TCP port 2745. Variant g terminates all of the above-mentioned processes except OUTPOST.EXE; it targets Outpos1t.exe instead.
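As an added example (not code from the original article or from any antivirus vendor), the following Python script triages a mail message for the indicators described above: the ID/Thanks subject, a bare .EXE attachment, and a ZIP attachment whose entries carry the "encrypted" header flag while the message body supplies a password. Every message and attachment is constructed inside the script, so it runs offline; the file names, password text and address domains are stand-ins, not samples of real Bagle mail. The port-2745 backdoor and the process list are not covered here.

```python
"""Mail-gateway triage for the Bagle.c-g indicators described above.

Added example, not code from the original article or any vendor. It flags
a message showing the traits the article lists: a subject with "ID" and
"Thanks", a direct .EXE attachment, or a ZIP attachment marked encrypted
while the body supplies a password (the trick that defeats content
scanning at the gateway). All samples are constructed here.
"""
import io
import re
import zipfile
from email.message import EmailMessage

THANKS_RE = re.compile(r"\bthanks\b", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\bpassword\b", re.IGNORECASE)


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any entry sets general-purpose flag bit 0 (encrypted).

    A gateway scanner cannot look inside such an entry, so the flag itself is
    the signal worth acting on. Data that is not a ZIP archive returns False.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_message(msg: EmailMessage) -> list:
    """Return the list of Bagle-style indicators found in one message."""
    findings = []
    subject = msg.get("Subject", "")
    # Article: subject carries the letters "ID" among random letters plus "Thanks".
    if "ID" in subject and THANKS_RE.search(subject):
        findings.append("subject matches Bagle pattern (ID + Thanks)")

    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".exe"):
            findings.append(f"executable attachment: {name}")
        elif name.endswith(".zip") and zip_has_encrypted_entry(payload):
            note = f"encrypted ZIP attachment: {name}"
            if PASSWORD_RE.search(body_text):
                note += " (password supplied in message body)"
            findings.append(note)
    return findings


def make_flagged_zip(inner_name: str, inner_bytes: bytes) -> bytes:
    """Constructed stand-in for a password-protected ZIP.

    zipfile cannot write encrypted archives, so the entry is stored in the
    clear and the 'encrypted' bit is then set in each local header
    (PK\\x03\\x04, flag word at offset 6) and central directory header
    (PK\\x01\\x02, flag word at offset 8). Only the header flag is mimicked.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, inner_bytes)
    data = bytearray(buf.getvalue())
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + offset] |= 0x01
            pos = data.find(sig, pos + len(sig))
    return bytes(data)


def build_message(subject: str, body: str, filename: str, content: bytes) -> EmailMessage:
    """Assemble a constructed test message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "forged@example.invalid"  # the return address is spoofed anyway
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    subtype = "zip" if filename.lower().endswith(".zip") else "octet-stream"
    msg.add_attachment(content, maintype="application", subtype=subtype, filename=filename)
    return msg


def sample_messages() -> dict:
    """Three constructed messages: a c/d-style EXE, an f/g-style ZIP, and a benign one."""
    harmless_zip = io.BytesIO()
    with zipfile.ZipFile(harmless_zip, "w") as zf:
        zf.writestr("report.txt", b"Q1 figures")
    return {
        "exe_variant": build_message(
            "ID kdfjh Thanks", "random phrase here", "details.exe", b"MZ-constructed-stub"),
        "zip_variant": build_message(
            "ID pwtx Thanks", "The archive password is 18265.", "details.zip",
            make_flagged_zip("details.exe", b"MZ-constructed-stub")),
        "benign": build_message(
            "Quarterly report", "Attached is the quarterly report.", "report.zip",
            harmless_zip.getvalue()),
    }


if __name__ == "__main__":
    for label, message in sample_messages().items():
        print(label, "->", triage_message(message) or "no indicators")
```

Run it directly to see each constructed sample classified. The design point is that an encrypted ZIP is detectable from its header flag even though its contents cannot be scanned; a gateway policy that quarantines such archives closes the hole described above without waiting for a signature.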
Prevention
Updated antivirus signature files and a firewall should protect PC users from this worm. Because variants f and g travel inside password-protected ZIP files that gateway scanners cannot open, the antivirus on the desktop itself must be current, not just the one at the mail gateway. A firewall that blocks unsolicited inbound connections also denies an attacker access to the backdoor on TCP port 2745.
Removal
Most antivirus companies have updated their signature files to detect these worms. Updating your antivirus signatures will stop the infection on contact and, in some cases, will remove an active infection from your system. Because these variants try to terminate antivirus update utilities, an update that fails on a suspect machine is itself a sign of infection; in that case follow the vendor removal instructions linked below.
Bagle.c
For more information on Bagle.c, see Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.
Bagle.d
For more information on Bagle.d, see Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.
Bagle.e
For more information on Bagle.e, see Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.
Bagle.f
For more information on Bagle.f, see Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.
Bagle.g
For more information on Bagle.g, see Computer Associates, F-Secure, McAfee, Sophos, Symantec, and Trend Micro.
