MoMusings

Friday 29th October, 2004


New Beagles (Bagles) on the Loose!

Filed under: All, Malware

Don’t you just love it when you come down bleary-eyed first thing in the morning and tread in something that the dog has deposited just where it knew you’d find it?

Yes, our faithful Beagle (Bagle) is at it again! More deposits than the local gold mine.

Came down this morning to find yet another new variant of the Bagle e-mail worm in the wild; to make matters worse, this one has got lucky. Since then two other new deposits (variants) have been found. What a messy mutt!

What do I mean by ‘lucky’? Simply this: it managed to establish a beach-head and spread effectively before the anti-virus vendors knew about it.

I suppose you’d like some details about this so that you can protect yourself?

OK, here you are:

Arrives via e-mail and it spoofs the sender address:

From: (spoofed)

Subject: (any of the following)
  Re Hello
  Re Hi
  Re Thank you!
  Re Thanks :)

Message body:
  :) )

Attachment: (so far we’ve seen the following, only one is used per e-mail)
  PRICE.CPL
  PRICE.COM
  PRICE.EXE
  PRICE.SCR
  JOKE.CPL
  JOKE.COM
  JOKE.EXE

If you are naive enough to run the attachment, the worm will run, drop and install a copy of itself as ‘WINGO.EXE’ and add a key to the registry so that it will always load when the system is restarted. Then it roots around in the system to find new e-mail addresses and domain names to send itself to, and to make up the forged From: mail header.

Other than that, it also spreads via P2P by dropping a copy of itself into directories on the local hard disk whose names contain the text ‘SHAR’.

This worm also tries to connect to certain Web sites (supposedly to update itself, or to download new components?), and will terminate many antivirus and security-related programs.

Finally, it deletes several registry entries associated with the many Netsky variants.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

Oh, and the attachment is packed using PeX.

Links to write-ups:

TREND are calling it WORM_BAGLE.AT: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AT

Symantec can’t seem to decide what it is at the moment, so they have three pages up on new Beagle variants (AU, AV and AW)!

http://www.symantec.com/avcenter/venc/data/w32.beagle.au@mm.html

http://www.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html

http://www.symantec.com/avcenter/venc/data/w32.beagle.aw@mm.html

McAfee are calling it W32/Bagle.bb@mm: http://vil.nai.com/vil/content/v_129509.htm

F-Secure are calling it Bagle.at (although they also mention two other new variants): http://www.f-secure.com/v-descs/bagle_at.shtml

As you can see, there is the usual cornucopia of names from the vendors. One of these days we will get a single naming standard and the vendors will stick to it (yeah, I know, I’m a dreamer ;-) ).

Other mitigation/detection methods:

My Bayesian filtering caught it fine without being re-trained, and my Bagle SNORT signatures (which detect the manufactured mail headers it creates) also flagged it. So it was sitting there harmlessly in my malware folder waiting for me to review it.
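As an added illustration (not code from the original post), here is a small Python mail filter that checks a message for the subject, body and attachment-name indicators listed above, in the same spirit as the Bayesian and SNORT detection just mentioned. The sample messages, addresses and the placeholder “attachment” bytes are constructed for the example; the filter only reads headers and part names, it never runs anything.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the post above (subject lines, body text, attachment names).
BAGLE_AT_SUBJECTS = {"re hello", "re hi", "re thank you!", "re thanks :)"}
BAGLE_AT_BODY = ":) )"
BAGLE_AT_ATTACHMENTS = {
    "price.cpl", "price.com", "price.exe", "price.scr",
    "joke.cpl", "joke.com", "joke.exe",
}

def bagle_at_indicators(raw: bytes) -> list[str]:
    """Return the Bagle.AT indicators present in a raw RFC 822 message, in the
    order subject, body, attachment (empty list when nothing matches)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in BAGLE_AT_SUBJECTS:
        hits.append(f"subject:{subject}")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and body_part.get_content().strip() == BAGLE_AT_BODY:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in BAGLE_AT_ATTACHMENTS:
            hits.append(f"attachment:{name}")
    return hits

def is_bagle_at(raw: bytes) -> bool:
    """Flag a message only when subject, body AND attachment all match, so a
    legitimate 'Re Hello' reply with no attachment is not quarantined."""
    kinds = {h.split(":", 1)[0] for h in bagle_at_indicators(raw)}
    return kinds == {"subject", "body", "attachment"}

def build_sample(subject: str, body: str, attachment_name: str = None) -> bytes:
    """Constructed test message; the attachment is a harmless placeholder, not a real binary."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"   # constructed, stands in for the forged From:
    msg["To"] = "victim@example.com"      # constructed
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

# Constructed samples: one shaped like the worm's mail, one benign reply.
WORM_SAMPLE = build_sample("Re Hello", ":) )", "PRICE.EXE")
BENIGN_SAMPLE = build_sample("Re Hello", "Thanks, see you Monday.")
```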

Oh well, let me get this new Beagle’s mess off my foot. Yuk!


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Comments »

The URI to TrackBack this entry is: http://momusings.blogsome.com/2004/10/29/new-beagles-bagles-on-the-loose/trackback/

No comments yet.
