(Aliases: W32/Bagle.b@MM, W32.Alua@mm)
Marlow, UK. 18th January 2004 - Trend Micro (TSE: 4704, NASDAQ: TMIC), a leader in network antivirus and Internet content security software and services, today warned computer users of a new variant of the Bagle worm, Worm_Bagle.B. Trend Micro(tm) first received reports of this memory-resident, mass-mailing worm from France. Reports were then received from Germany, the USA and Chile, leading to the declaration of a medium-risk alert at 14h46 GMT. Since then, reports have also been received from Spain and Sweden.
This memory-resident worm propagates by mass-mailing copies of itself using SMTP (Simple Mail Transfer Protocol), and also opens port 8866, possibly as a backdoor (variant Bagle.A used the well-known IRC port, 6777). Port 8866 is often left open on some firewalls and has been associated with the 'Ultima Online messenger service'. Trend Micro is still analysing exactly which commands the backdoor port accepts. However, it is safe to assume it behaves like previous malware backdoors, which retrieve computer information and confidential data, download and execute files, and even update themselves.
The worm harvests email addresses from infected machines and spoofs the sender address. The email it sends carries an executable (.EXE) attachment and appears as follows:
Subject: ID %random% ... thanks
From: <random letters>@<spoofed domain>
Message body: Yours ID <random>
--
Thank
Attachment: <random>.exe
(Note: %random% is composed of random letters.) Despite continuous warnings, it would seem that many computer users are still not aware of the dangers of opening such a file, especially as the attachment uses an MS-DOS prompt icon.
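As an added illustration that is not part of the Trend Micro advisory, the following Python mail-filter check matches a raw message against the Bagle.B template above (subject, body, .EXE attachment, and the 11,264-byte file size quoted later in this release); the sample message, addresses and filenames it builds are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the message template in the advisory.
SUBJECT_RE = re.compile(r"^ID\s+[A-Za-z]+\s+\.\.\.\s+thanks$")
BODY_RE = re.compile(r"Yours ID\s+\S+\s*\n--\s*\nThank", re.IGNORECASE)
BAGLE_B_SIZE = 11264  # Worm_Bagle.B file size stated in the advisory


def bagle_b_indicators(raw: bytes) -> list:
    """Return the Bagle.B profile indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if BODY_RE.search(body):
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            hits.append("exe-attachment")
            if len(part.get_payload(decode=True) or b"") == BAGLE_B_SIZE:
                hits.append("size-11264")
    return hits


def looks_like_bagle_b(raw: bytes) -> bool:
    """An .EXE attachment plus the subject or body template is treated as a match."""
    hits = bagle_b_indicators(raw)
    return "exe-attachment" in hits and ("subject" in hits or "body" in hits)


def build_sample(attachment_len: int = 64, subject: str = "ID abcxyz ... thanks",
                 filename: str = "pzkwe.exe") -> bytes:
    """Constructed sample reproducing the template; not a real capture."""
    m = EmailMessage()
    m["From"] = "qwxzk@example.org"      # random letters @ spoofed domain
    m["To"] = "victim@example.net"
    m["Subject"] = subject
    m.set_content("Yours ID qhtrz\n--\nThank\n")
    m.add_attachment(b"MZ" + b"\0" * (attachment_len - 2), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```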
Once the file is dropped, it disguises itself as the Windows Sound Recorder icon in the Windows System directory. It will also attempt to launch the 'real' Windows Sound Recorder application to mask its activities (in contrast BAGLE.A attempts to launch the Calculator program).
Similar to the .A variant, BAGLE.B attempts to connect to a list of compromised websites and webboards that serve the page "1.PHP"; the only difference is that it now also checks "2.PHP".
All of the compromised sites appear to be in Germany (DE). Interestingly, one of the websites that BAGLE.B connects to appears to be a gaming-ring site (http://intern.games-ring.de), possibly suggesting that the author is an avid Ultima Online player.
The worm is programmed to cease activity on 25th February 2004 and will not run on systems whose date is on or after that day.
Jamz Yanenza, Senior Antivirus Consultant at Trend Micro, says: "BAGLE.A was found on the 18th-January and had a kill-date on the 28th. That is a 10-day attack period. BAGLE.B on the other hand has its own kill-date set for 25th-February. Although the alert was today, about 8-days before kill-date, this malware took some time to be noticed and was probably also released on the 15th-February originally and gained momentum only today. Similar to the numerous SOBIG and MYDOOM variants, this appears to be a common idea for current worm authors. Given the similar way that these different malware families get delivered, it appears that it is a group effort collaborating with each other on release.
There are many theories on the backdoor ports, and at this stage it is difficult to determine the exact intention, as a compromised system can be used to do almost anything - from spam relay, data theft, remote control, etc."
This malware runs on Windows 95, 98, ME, NT, 2000 and XP. The overall size of the new variant is also smaller than the original: Worm_Bagle.A (15,872 Bytes) vs. Worm_Bagle.B (11,264 Bytes).
The original variant (Worm_Bagle.A) caused approx. 31,000 infections according to WTC (Trend Micro's online virus tracking centre). As of 9:42 am PST (Feb. 17th), we have 8 reported end-user infections. This number is expected to climb over the next few days.
Trend Micro customers should download pattern file 767, and customers of Outbreak Prevention Services should download OPP 78, to ensure their systems are protected against this latest threat. Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/. For the latest information, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.B
Please Note: Details are correct at time of distribution.
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro-europe.com.
# # #
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners.
For more information please contact:
Anna Wright
EMEA PR Manager
Trend Micro
Tel: +44 (0) 1628 400534
Email: anna_wright@trendmicro.co.uk