Beware of backdoor planted by Bagle/Beagle worm

The Bagle worm, also known as the Beagle worm, is a mass-mailing threat that has besieged many inboxes and also plants a backdoor on Windows systems. A Trojan attack may be associated with this threat as well. Get the details.


The Bagle worm is the first seriously widespread virus or worm we've seen in quite a while, and the severity of the infection is increasing. Plus, administrators need to be aware of a backdoor that can be planted by this infection.

Details
Bagle, identified as Beagle by Symantec, is a mass-mailing worm that uses e-mail addresses it locates on Web sites to spread itself. The worm will infect any Windows system later than Windows 3.x (Windows 95, Windows 98, Windows 2000, Windows XP, etc.). Non-Windows operating systems are not vulnerable. Bagle/Beagle's subject line simply says "Hi."

Symantec and other security firms report that this infection is widespread in the wild. Symantec increased the rating on this threat from two to three by Wednesday, January 21, 2004. The worm was initially discovered on January 18, 2004.

W32.Beagle.A@mm, as Symantec has officially labeled it, will not activate on a computer whose system date is later than January 28, 2004, so this is a short-term attack. Until that date, however, the worm will activate, make changes to the registry, and attempt to mail itself out to other users.

Even more dangerous, this worm also plants a backdoor and may be associated with a new Trojan that infects through the opened port.

Do you have a Bagle/Beagle infection?
For most users it's easy to detect an infection because the worm will launch the Windows calculator when it is activated. This is an attempt to disguise the infection, because the original e-mail will often display the attachment as a calculator icon.

Symantec reports that the infection also opens port 6777 (or possibly an alternate port), exposing the infected system to remote attack, and notifies a remote Web site that the system is infected.

It's possible that one or more remote sites are responding to this backdoor by installing Trojan.Mitglieder.C on infected systems, because Symantec says that some users have reported finding this Trojan on systems infected by Bagle/Beagle. The Mitglieder Trojan is a new infection first reported on January 20, 2004. The Trojan functions as a mail forwarder, and appears to be designed to allow the attacker to transmit spam through the infected system.

Because of the backdoor installed by Bagle/Beagle and the possible infection by the Mitglieder Trojan, this should be considered a serious attack on both home and business systems. Virtually any program could be run on the host through the backdoor installed by the worm, and Mitglieder, if it is associated with the worm, can easily trigger a Denial of Service (DoS) event, as well as expose the system's owner to the various legal problems involved in transmitting spam.

These Web sites are in the list of those that Bagle/Beagle attempts to notify when it infects a system:
  • www.elrasshop.de
  • www.it-msc.de
  • www.getyourfree.net
  • www.dmdesign.de
  • 64.176.228.13
  • www.leonzernitsky.com
  • 216.98.136.248
  • 216.98.134.247
  • www.cdromca.com
  • www.kunst-in-templin.de
  • vipweb.ru
  • antol-co.ru
  • www.bags-dostavka.mags.ru
  • www.5x12.ru
  • bose-audio.net
  • www.sttngdata.de
  • wh9.tu-dresden.de
  • www.micronuke.net
  • www.stadthagen.org
  • www.beasty-cars.de
  • www.polohexe.de
  • www.bino88.de
  • www.grefrathpaenz.de
  • www.bhamidy.de
  • www.mystic-vws.de
  • www.auto-hobby-essen.de
  • www.polozicke.de
  • www.twr-music.de
  • www.sc-erbendorf.de
  • www.montania.de
  • www.medi-martin.de
  • vvcgn.de
  • www.ballonfoto.com
  • www.marder-gmbh.de
  • www.dvd-filme.com
  • www.smeangol.com
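The two network indicators the article gives, a listener on port 6777 and outbound notification requests to the sites listed above, are the easiest ones for an administrator to check across a whole network rather than one machine at a time. The following script is an added example, not code from the article or from any antivirus vendor: it walks constructed proxy-log lines and a constructed netstat-style listing and reports which internal hosts contacted a notification site and which local addresses have a listener on the backdoor port. The two log formats, the sample lines, and the assumption that the backdoor port is TCP are all invented for the example; adapt the two regular expressions to your own gateway and host-inventory output.

```python
"""Added example (not from the article): flag Bagle/Beagle network indicators
in constructed proxy-log lines and a constructed netstat-style listing."""

import re

# Notification hosts exactly as listed in the article (domains and raw IPs).
BAGLE_NOTIFY_HOSTS = {
    "www.elrasshop.de", "www.it-msc.de", "www.getyourfree.net", "www.dmdesign.de",
    "64.176.228.13", "www.leonzernitsky.com", "216.98.136.248", "216.98.134.247",
    "www.cdromca.com", "www.kunst-in-templin.de", "vipweb.ru", "antol-co.ru",
    "www.bags-dostavka.mags.ru", "www.5x12.ru", "bose-audio.net", "www.sttngdata.de",
    "wh9.tu-dresden.de", "www.micronuke.net", "www.stadthagen.org", "www.beasty-cars.de",
    "www.polohexe.de", "www.bino88.de", "www.grefrathpaenz.de", "www.bhamidy.de",
    "www.mystic-vws.de", "www.auto-hobby-essen.de", "www.polozicke.de", "www.twr-music.de",
    "www.sc-erbendorf.de", "www.montania.de", "www.medi-martin.de", "vvcgn.de",
    "www.ballonfoto.com", "www.marder-gmbh.de", "www.dvd-filme.com", "www.smeangol.com",
}

# The article names port 6777; that it is a TCP listener is an assumption here.
BACKDOOR_PORT = 6777

# Hypothetical proxy log format: "<timestamp> <client_ip> <method> <url>"
PROXY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")
# Hypothetical netstat-style format: "TCP <local_ip>:<port> <remote> LISTENING"
NETSTAT_LINE = re.compile(r"^TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING$")


def host_of(url):
    """Return the lower-cased host part of an http(s) URL, or None if not a URL."""
    m = re.match(r"^https?://([^/:?]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def find_notification_requests(proxy_lines):
    """Return (client_ip, host) for each request to a Bagle notification host.

    Lines that do not match the expected format are skipped rather than raising,
    so a partially corrupt log still yields the hits it does contain."""
    hits = []
    for line in proxy_lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        host = host_of(m.group(4))
        if host in BAGLE_NOTIFY_HOSTS:
            hits.append((m.group(2), host))
    return hits


def find_backdoor_listeners(netstat_lines):
    """Return local addresses that have a listener on the backdoor port."""
    listeners = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line.strip())
        if m and int(m.group(2)) == BACKDOOR_PORT:
            listeners.append(m.group(1))
    return listeners


# Constructed sample input: two infected clients phone home, one normal request,
# one unparsable line; one host is listening on 6777.
SAMPLE_PROXY_LOG = [
    "2004-01-21T09:12:03 10.0.0.5 GET http://www.elrasshop.de/",
    "2004-01-21T09:12:10 10.0.0.7 GET http://www.example.com/index.html",
    "2004-01-21T09:13:41 10.0.0.9 GET http://64.176.228.13/?id=1",
    "this line is deliberately malformed",
]
SAMPLE_NETSTAT = [
    "TCP 0.0.0.0:135 0.0.0.0:0 LISTENING",
    "TCP 0.0.0.0:6777 0.0.0.0:0 LISTENING",
    "TCP 10.0.0.5:1044 216.98.136.248:80 ESTABLISHED",
]

if __name__ == "__main__":
    for client, host in find_notification_requests(SAMPLE_PROXY_LOG):
        print(f"notification request: {client} -> {host}")
    for addr in find_backdoor_listeners(SAMPLE_NETSTAT):
        print(f"backdoor listener on port {BACKDOOR_PORT}: {addr}")
```

A hit from either check identifies a machine to take off the network and clean with the vendor tools described under "Fix"; a request to one of the notification sites is the stronger signal, since the article notes the listener may use an alternate port.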

Fix
Symantec has provided a free removal tool for this infection. Sophos, which also reports this as a widespread worm, has published instructions for removing the infection. Trend Micro, which classifies this worm as widely distributed and having a "high damage potential," also provides detailed instructions on manually removing it.

Final word
At the time this article is being published, Bagle/Beagle is still a developing threat, so you should check with the various antivirus vendors for the latest information on both Bagle/Beagle and the Mitglieder Trojan spam mailer that may be associated with it.
