
Beware of backdoor planted by Bagle/Beagle worm

Tags: Cyberthreats, SECURITY, Viruses and worms, Bagle virus, John McCormick, infection, Bagle/Beagle, worm, back door, Symantec Corp., Microsoft Windows


Takeaway: The Bagle worm, also known as the Beagle worm, is a mass-mailing threat that has besieged many inboxes and also plants a backdoor on Windows systems. A Trojan attack may be associated with this threat as well. Get the details.


The Bagle worm is the first seriously widespread virus or worm we've seen in quite a while, and the infection rate is still climbing. Beyond the flood of mail, administrators need to be aware of the backdoor this infection plants on every machine it compromises.

Details
Bagle, identified as Beagle by Symantec, is a mass-mailing worm. It harvests e-mail addresses from files on the infected machine (including .wab, .txt, .htm, and .html files) and mails itself to them with a forged sender address. The worm runs on any 32-bit Windows system (Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, and so on); Windows 3.x and non-Windows operating systems are not affected. The message is easy to recognize: the subject line is simply "Hi" and the attachment is an .exe file with a random name and a calculator icon.
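The message profile above is specific enough to filter at the mail gateway. The following Python script is an added example (not code from the original article or from any antivirus vendor) that parses a raw message and reports the Bagle/Beagle.A indicators it finds: the bare "Hi" subject and an executable attachment, judged both by file extension and by the "MZ" header every Windows executable starts with. The sample messages are constructed here; the attachment name and its bytes are made up and are not worm code.

```python
"""Gateway-side check for the Bagle/Beagle.A mail profile (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click; any of these arriving by mail is a quarantine case.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def bagle_indicators(raw: bytes) -> list:
    """Return a list of human-readable indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # Indicator 1: the subject line is exactly "Hi" (Bagle.A uses nothing else).
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() == "hi":
        hits.append("subject is exactly 'Hi'")

    # Indicator 2: an executable attachment, judged by name and by content.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append("executable attachment name: %s" % name)
        payload = part.get_payload(decode=True) or b""
        # Every Win32 executable begins with the DOS "MZ" stub, whatever it is called.
        if payload[:2] == b"MZ":
            hits.append("attachment %s has an MZ (executable) header" % (name or "(unnamed)"))
    return hits


def verdict(raw: bytes) -> str:
    """Quarantine any message carrying an executable; the subject alone is only a hint."""
    hits = bagle_indicators(raw)
    if any("executable" in h for h in hits):
        return "quarantine"
    return "flag" if hits else "deliver"


def build_sample(subject: str, attachment_name, attachment_bytes: bytes) -> bytes:
    """Construct a test message; attachment_name=None builds a plain message with no attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # Bagle forges the sender; this address is made up
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("(constructed body text)")
    if attachment_name is not None:
        msg.add_attachment(attachment_bytes, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples. The attachment name is random-looking, as the worm's are;
# the bytes are a fake MZ stub, not worm code.
BAGLE_LIKE = build_sample("Hi", "tmxsrhe.exe", b"MZ\x90\x00" + b"\x00" * 60)
CLEAN = build_sample("Hi", None, b"")                  # subject matches, nothing attached
PDF_LIKE = build_sample("report", "q1.pdf", b"%PDF-1.4 constructed")

if __name__ == "__main__":
    for label, raw in (("bagle-like", BAGLE_LIKE), ("clean", CLEAN), ("pdf", PDF_LIKE)):
        print(label, verdict(raw), bagle_indicators(raw))
```

The content check matters more than the extension check: renaming the attachment does not change its first two bytes, which is why a message with a harmless-looking name but an MZ header still gets quarantined.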

Symantec and other security firms report that this infection is widespread in the wild. The worm was first seen on January 18, 2004, and by Wednesday, January 21, 2004, Symantec had raised its threat rating from two to three.

W32.Beagle.A@mm, as Symantec has officially labeled it, checks the system date and will not run on a computer whose clock is set later than January 28, 2004, so this is a short-lived attack. Until that date, however, the worm copies itself into the System directory as bbeagle.exe, adds a d3dupdate.exe value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that it survives a reboot, and attempts to mail itself to every address it finds. Note that the kill date only stops the worm itself: anything already installed through its backdoor remains, and a machine with a wrong system clock is not protected.

Even more dangerous, this worm also plants a backdoor and may be associated with a new Trojan that infects through the opened port.

Do you have a Bagle/Beagle infection?
For most users it's easy to detect an infection because the worm launches the Windows calculator (calc.exe) when it runs. This is part of the disguise: the attachment carries a calculator icon, so when the victim double-clicks it a calculator appears and nothing looks wrong, while the worm installs itself in the background. A user who reports "I opened an attachment and a calculator popped up" should be treated as infected.

Symantec reports that the infection also listens on TCP port 6777 (an alternate port is possible), which lets a remote attacker send commands to and upload files onto the infected system, and then notifies a list of remote Web sites by HTTP that the system is infected. An unexpected listener on 6777, or outbound Web requests to the sites listed below, are the network-side indicators to look for.
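A quick way to find hosts worth examining is to sweep the local network for that listener. The script below is an added example in Python (not from the article or from Symantec): it probes each host in a list for an open TCP port 6777 and returns the hosts that accept a connection. An open 6777 is a reason to pull the machine for inspection, not proof of infection by itself, and since the worm may use an alternate port a clean sweep does not clear a host. The `start_local_listener` helper exists only so the example can be run against itself; the address range in the usage block is a placeholder.

```python
"""Sweep a host list for the TCP port Bagle/Beagle.A listens on (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor

BAGLE_PORT = 6777   # port Symantec reports the backdoor listening on


def has_listener(host: str, port: int = BAGLE_PORT, timeout: float = 0.5) -> bool:
    """True if something on host accepts a TCP connection on port.

    A refused or timed-out connection counts as closed, so a host that is down
    looks the same as a clean host: treat False as "not seen", not "clean".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            return False
        return True


def sweep(hosts, port: int = BAGLE_PORT, workers: int = 32) -> list:
    """Probe hosts in parallel; return the sorted list of hosts with the port open."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, has_listener(h, port)), hosts))
    return sorted(h for h, is_open in results if is_open)


def start_local_listener():
    """Bind a throwaway listener on 127.0.0.1 so the example can be exercised offline.

    Returns (socket, port); close the socket to simulate the port being shut.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))    # port 0 lets the OS pick a free one
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder subnet: replace with your own. Each host is probed on 6777.
    targets = ["10.0.0.%d" % i for i in range(1, 255)]
    print("hosts with port %d open:" % BAGLE_PORT, sweep(targets))
```

Run it from a machine that can reach the client subnet directly; a personal firewall or a router ACL between you and the hosts will hide the listener from the sweep just as it would from the attacker.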

It's possible that one or more remote sites are responding to this backdoor by installing Trojan.Mitglieder.C on infected systems, because Symantec says that some users have reported finding this Trojan on systems infected by Bagle/Beagle. The Mitglieder Trojan is a new infection first reported on January 20, 2004. It functions as a mail relay (an open proxy) and appears to be designed to let the attacker send spam through the infected system, so that the spam traces back to the victim rather than to the spammer.

Because of the backdoor installed by Bagle/Beagle and the possible follow-on infection by the Mitglieder Trojan, this should be considered a serious attack on both home and business systems. Virtually any program could be run on the host through the backdoor installed by the worm, so a machine that has been reachable on port 6777 cannot be trusted simply because the worm itself has been removed. Mitglieder, if it is associated with the worm, can generate enough mail traffic to act as a Denial of Service (DoS) against the victim's connection or mail server, and it exposes the system's owner to the legal problems that come with transmitting spam.

These Web sites are among those that Bagle/Beagle attempts to notify when it infects a system. An outbound connection to any of them from inside your network is a strong sign of an infected host, so they are worth logging and blocking at the proxy or firewall:
  • www.elrasshop.de
  • www.it-msc.de
  • www.getyourfree.net
  • www.dmdesign.de
  • 64.176.228.13
  • www.leonzernitsky.com
  • 216.98.136.248
  • 216.98.134.247
  • www.cdromca.com
  • www.kunst-in-templin.de
  • vipweb.ru
  • antol-co.ru
  • www.bags-dostavka.mags.ru
  • www.5x12.ru
  • bose-audio.net
  • www.sttngdata.de
  • wh9.tu-dresden.de
  • www.micronuke.net
  • www.stadthagen.org
  • www.beasty-cars.de
  • www.polohexe.de
  • www.bino88.de
  • www.grefrathpaenz.de
  • www.bhamidy.de
  • www.mystic-vws.de
  • www.auto-hobby-essen.de
  • www.polozicke.de
  • www.twr-music.de
  • www.sc-erbendorf.de
  • www.montania.de
  • www.medi-martin.de
  • vvcgn.de
  • www.ballonfoto.com
  • www.marder-gmbh.de
  • www.dvd-filme.com
  • www.smeangol.com
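Because every infected machine phones home to these hosts, the proxy log is the cheapest place to find infections you have not yet heard about. The Python script below is an added example (not from the article) that scans Squid-style access-log lines for requests to any host on the list above and reports the internal client addresses that made them. The log lines are constructed for the example; the request paths and query strings in them are made up and are not the worm's real notification URL, which the article does not give.

```python
"""Find Bagle/Beagle.A infections in proxy logs by their notification traffic (added example)."""
from urllib.parse import urlsplit

# The notification hosts named in the article (lower-cased for matching).
NOTIFY_HOSTS = {
    "www.elrasshop.de", "www.it-msc.de", "www.getyourfree.net", "www.dmdesign.de",
    "64.176.228.13", "www.leonzernitsky.com", "216.98.136.248", "216.98.134.247",
    "www.cdromca.com", "www.kunst-in-templin.de", "vipweb.ru", "antol-co.ru",
    "www.bags-dostavka.mags.ru", "www.5x12.ru", "bose-audio.net", "www.sttngdata.de",
    "wh9.tu-dresden.de", "www.micronuke.net", "www.stadthagen.org", "www.beasty-cars.de",
    "www.polohexe.de", "www.bino88.de", "www.grefrathpaenz.de", "www.bhamidy.de",
    "www.mystic-vws.de", "www.auto-hobby-essen.de", "www.polozicke.de", "www.twr-music.de",
    "www.sc-erbendorf.de", "www.montania.de", "www.medi-martin.de", "vvcgn.de",
    "www.ballonfoto.com", "www.marder-gmbh.de", "www.dvd-filme.com", "www.smeangol.com",
}


def parse_squid_line(line: str):
    """Return (client_ip, url) from one Squid native access.log line, or None if malformed.

    Native format: time elapsed client code/status bytes method URL user hierarchy type
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[6]


def infected_clients(lines) -> dict:
    """Map each client IP that contacted a notification host to the sorted hosts it hit."""
    seen = {}
    for line in lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, url = parsed
        host = (urlsplit(url).hostname or "").lower()   # hostname() also strips any port
        if host in NOTIFY_HOSTS:
            seen.setdefault(client, set()).add(host)
    return {client: sorted(hosts) for client, hosts in seen.items()}


# Constructed sample log: three internal clients, two of which phone home.
# Paths and query strings are invented placeholders, not the worm's real URL.
SAMPLE_LOG = """\
1074700001.101    212 10.0.0.15 TCP_MISS/200 412 GET http://www.elrasshop.de/x.php?a=1 - DIRECT/1.2.3.4 text/html
1074700001.350     90 10.0.0.23 TCP_HIT/200 8841 GET http://www.example.com/news/ - NONE/- text/html
1074700002.004    180 10.0.0.15 TCP_MISS/404 301 GET http://216.98.136.248/x.php?a=1 - DIRECT/216.98.136.248 text/html
1074700002.770    145 10.0.0.42 TCP_MISS/200 388 GET http://VIPWEB.RU/x.php?a=1 - DIRECT/5.6.7.8 text/html
garbage line that does not parse
1074700003.120     60 10.0.0.23 TCP_MISS/200 512 GET http://www.example.org/ - DIRECT/9.9.9.9 text/html
""".splitlines()

if __name__ == "__main__":
    for client, hosts in sorted(infected_clients(SAMPLE_LOG).items()):
        print("%s contacted %s" % (client, ", ".join(hosts)))
```

The same host set can be fed to a DNS sinkhole or an outbound firewall rule. Blocking it stops the worm's notification but leaves the listener on port 6777 in place, so blocking is a containment step, not a cure.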

Fix
Symantec has provided a free removal tool for this infection. Sophos, which also reports this as a widespread worm, has published instructions for removing it. Trend Micro, which classifies this worm as widely distributed and having a "high damage potential," also provides detailed instructions on manually removing the infection. Whichever tool you use, also check the machine for the Mitglieder Trojan and for anything else that may have been dropped through the backdoor; removing the worm closes the listener but does not remove what was installed while it was open.

Final word
At the time this article is being published, Bagle/Beagle is still a developing threat so you should check with the various antivirus vendors for the latest information on both Bagle/Beagle and the Mitglieder Trojan spam mailer that may be associated with it.

