Worm "Bagle"

KAV (this morning) & NOD (a couple of minutes ago) updated their database to detect this worm.
Is this one ITW? Are we protected?

Thanks in advance

I don’t know. What are the descriptions by KAV and NOD?

Here is the KAV description:

I-Worm.Bagle
[ 01/18/2004 17:09 ]
Danger : moderate risk

This is the worm virus spreading via the Internet being attached to infected emails. The worm itself is a Windows PE EXE file about 15KB of length. The message sent by the worm looks like that:

From: random sender
Subject: Hi
Body: Test =)
Signature: Test, yep
Attachment: random name

Installing
The worm activates from infected email only in case a user clicks on attached file. While installing the worm copies itself to System directory with the name bbeagle.exe and registers that file in system registry auto-run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
d3dupdate.exe = %system%\bbeagle.exe

Also the worm runs the “calc.exe” Windows application. The worm attempts to download and execute “TrojanProxy.Win32.Mitglieder” from several remote sites.

Spreading
The worm looks for disk files with following extensions: .wab .txt .htm .html .r1 and scans them for email-like text strings, then sends infected messages to the email addresses found. To send infected messages the worm uses SMTP engin

Well, test it, get that virus to your desktop somehow and test does avast capture it. :-X

:o

Chris,

Ah! I see you use Kaspersky.com as a reference. Good source.
The “bagle” worm, although low to medium threat, can cause havoc if allowed to contact the remote sites for the download of a worse virus.

The I-worm.bagle as far as I know, has not been classified as an ITW. It is your common, average, “pain in the neck” worm.

One precaution…
if you have a port sniffer or similar installed, see if any program is listening on port 6777. That is the port “bagle” uses waiting for a reply from the remote site where it will try to download a PHP file for execution on your computer.

Avast should detect this worm.
Are you saying that Avast did not? If not, then you will need to contact Avast Support and obtain permission to send in the file for examination.

Good luck,
techie
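
Added example, not part of the original thread: a Python check for the two host indicators mentioned above (a listener on port 6777 and the d3dupdate.exe Run value pointing to bbeagle.exe), run over constructed `netstat -ano` and `reg query` output. The function names and the sample data are assumptions made for illustration.

```python
import re

# Indicators as given in the descriptions quoted in this thread.
BAGLE_PORT = 6777
RUN_VALUE = "d3dupdate.exe"
DROPPED_FILE = "bbeagle.exe"

# Constructed sample of `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       1804
  TCP    10.0.0.5:1044          192.0.2.10:6777        ESTABLISHED     2210
"""

# Constructed sample of `reg query` output for the HKLM Run key.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
    d3dupdate.exe    REG_SZ    C:\WINDOWS\System32\bbeagle.exe
"""

def listeners_on_port(netstat_text, port=BAGLE_PORT):
    """Return PIDs of processes LISTENING on the given local TCP port."""
    pids = []
    for line in netstat_text.splitlines():
        fields = line.split()  # proto, local, foreign, state, pid
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rpartition also copes with IPv6 locals such as [::]:6777
            if fields[1].rpartition(":")[2] == str(port):
                pids.append(int(fields[4]))
    return pids

def suspicious_run_entries(reg_text):
    """Return (name, data) Run values that match either indicator."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$", line)
        if not m:
            continue  # key header or blank line
        name, data = m.group(1), m.group(2).strip()
        if name.lower() == RUN_VALUE or data.lower().endswith("\\" + DROPPED_FILE):
            hits.append((name, data))
    return hits

if __name__ == "__main__":
    print("PIDs listening on 6777:", listeners_on_port(SAMPLE_NETSTAT))
    print("Suspicious Run entries:", suspicious_run_entries(SAMPLE_REG))
```

The outbound connection to a remote port 6777 in the sample is deliberately not reported; only a local listener counts.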

Nope, don’t have a sample so I’m unable to test and/or submit it.

I was just wondering if we were protected 'cause in the meanwhile all other vendors issued an update (seems to me this one is causing some trouble).

Best regards

Detection of this worm has been added into the emergency update released this morning under the name Win32:Beagle [Wrm].

Pavel

Hello,

I received this morning a mail containing a WORM that Avast! did not detect but that NORTON found :wink:
Event: Virus detected! Nom of the virus: W32.Beagle.A@mm
File: nkpbrogoq.exe

Is this normal?

Sorry for my English, which is very limited :smiley:

Interesting,…

I received an email today with the following update:

New iAVS update for avast!4 and avast32 has been released recently.
Related files could be also found on our Internet sites.
Note: detection of Win32:Beagle added

I guess you do not have to worry about this one anymore,…

As long as you did not open the attachment, there should be no problem I suppose :slight_smile:

greetz

Hehe, thanks !

:smiley:

Just FYI (in case anyone’s infected by this beast), the avast! Virus Cleaner tool can now handle it. So if you need, just download it and it will take care of the rest… 8)

F-Secure updated their database early Sunday.

F-Secure Virus Descriptions : Bagle

THIS VIRUS IS RANKED AS LEVEL 1 ALERT UNDER
F-SECURE RADAR.
Radar Alert LEVEL 1
NAME: Bagle
ALIAS: I-Worm.Bagle, W32.Beagle.A@mm, WORM_BAGLE.A
SIZE: 15872

Summary

Bagle is a mass-mailing worm that was found on 18th of January, 2004. The worm sends messages with the subject ‘Hi’ and random EXE attachment names. It has been programmed to stop spreading on 28th of January.

And this nasty IS a serious outbreak :o

http://www.messagelabs.com/viruseye/threats/

huge indeed!