Bagle.ag and Bagle.ai prevention and cure

Double trouble as these latest versions of Bagle spread quickly.

By Robert Vamosi
CNET News.com

The most recent variations of the Bagle worm family appear to be based on code similar to the Bagle.af variation. Bagle.ag (w32.bagle.ag@mm, also known as Beagle.ac and Bagle.ah) and Bagle.ai (w32.bagle.ai@mm, also known as Bagle.ae, Beagle.ag, and Bagle.ah) are mass-mailing worms that vary in length and are packed with the UPX file compressor. They use various subject lines and attached files to spread via e-mail. They also attempt to spread via shared network files. Both try to terminate security apps that may be running on the infected machine and install a backdoor Trojan horse. Additionally, Bagle.ai will attempt to terminate any Netsky virus that may be running on the infected machine. These worms do not affect Linux, Unix, or Mac OS systems. Because Bagle.ag and Bagle.ai spread via e-mail and open a backdoor Trojan, they rate a 6 on the CNET/ZDNet Virus Meter.

How it works
Both versions of Bagle use a different set of subject and body texts and contain their own SMTP engine to send copies of themselves. They also harvest e-mail addresses from infected machines, spoof the e-mail sender's address, and password-protect the attached file. These worms contain a remote access Trojan horse, copy themselves to folders that use the string "shar" in the name, and will attempt to terminate security programs and other computer viruses and worms.

Additionally, Bagle.ai will use mutex names already used by the Netsky worm in order to prevent further Netsky infections. Bagle.ai will also delete the registry entries for security apps and other viruses such as Netsky.

Bagle.ag creates the following in the Win/System32 folder:

sys_xp.exe
sys_xp.exeopen
sys_xp.exeopenopen

Bagle.ai creates the following in the Win/System32 folder:

WinXP.exe
WinXP.exeopen
WinXP.exeopenopen
WinXP.exeopenopenopen
WinXP.exeopenopenopenopen

Bagle.ag opens TCP port 1080 while Bagle.ai opens ports 1080 (TCP) and 1040 (UDP).
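The dropped-file names and listening ports above are the host-level indicators an administrator can check for. The following triage script is an added example, not code from the CNET article or any antivirus vendor; it assumes a System32 directory listing and netstat-style output are supplied as strings (the sample data below is constructed). Port 1080 on its own is not conclusive, since it is also the standard SOCKS proxy port.

```python
import re
from collections import defaultdict

# Dropped-file pattern from the article: base name plus zero or more "open"
# suffixes. Windows file names are case-insensitive, so the match is too.
DROPPED = {
    "Bagle.ag": re.compile(r"^sys_xp\.exe(open)*$", re.IGNORECASE),
    "Bagle.ai": re.compile(r"^winxp\.exe(open)*$", re.IGNORECASE),
}
# Listening ports the article attributes to each variant: (protocol, port).
PORTS = {
    "Bagle.ag": {("TCP", 1080)},
    "Bagle.ai": {("TCP", 1080), ("UDP", 1040)},
}
# "netstat -an" style line, e.g. "  TCP    0.0.0.0:1080   0.0.0.0:0   LISTENING"
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s")

def listening_ports(netstat_output):
    """Return the set of (proto, port) tuples seen in netstat-style output."""
    found = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def triage(system32_files, netstat_output):
    """Map each variant to the indicators found; an empty dict means none seen.
    TCP/1080 alone is weak evidence (SOCKS also uses it); file hits are stronger."""
    hits = defaultdict(list)
    for name in system32_files:
        for variant, pattern in DROPPED.items():
            if pattern.match(name):
                hits[variant].append(f"file:{name}")
    ports = listening_ports(netstat_output)
    for variant, expected in PORTS.items():
        for proto, port in sorted(expected & ports):
            hits[variant].append(f"port:{proto}/{port}")
    return dict(hits)

# Constructed sample input: a partial System32 listing and netstat output.
SAMPLE_SYSTEM32 = ["kernel32.dll", "WinXP.exe", "WinXP.exeopenopen", "notepad.exe"]
SAMPLE_NETSTAT = """
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1040           *:*
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SYSTEM32, SAMPLE_NETSTAT))
```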

Prevention
Variations of the Bagle worm do not rely on a specific Microsoft vulnerability but on simple social engineering. Remember to never open attached e-mail files without first saving to the hard drive and scanning for known viruses. The latest signature file from your antivirus vendor should protect you against these Bagle variations.

Additionally, the use of a personal firewall will prevent the backdoor Trojan from communicating with the virus author.

Removal
Several antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system.

For more information about Bagle.ag—also known as Beagle.ac (Symantec) and Bagle.ah (F-Secure)—see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.

For more information about Bagle.ai—also known as w32.bagle.ae (Computer Associates), Beagle.ag (Symantec), and Bagle.ah (Trend Micro)—see Central Command, Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.