Bagle (computer worm)

from Wikipedia, the free encyclopedia

Bagle is a mass e-mail computer worm first discovered on January 18, 2004 . 2006 variants are extremely destructive. Numerous variants with a wide variety of harmful functions are known. Characteristic of the Bagle family, the relatively inconspicuous compromise and exploitation is the target system with very efficient dissemination by the pyramid scheme .

Infection, Symptoms, and Spread

Bagle infects all Windows operating systems by manually executing an email file attachment, usually an .exe file with a randomly generated file name.

The worm first deactivates existing security systems such as virus scanners and personal firewall , then copies "bbeagle.exe" into the system directory and opens port TCP / 6777.

In order to spread the word, Bagle collects email addresses and the like. a. from the following file formats on the victim PC and sends itself to the addressees found. It uses its own SMTP routine over port 25 for this. 

* .wab
* .txt
* .htm
* .html

In addition to the consumption of resources on the PC and in the network, there is a risk of reputation damage, as Bagle often sends fake e-mails to its own private or business contacts in the address book.

File names and the ports used are very different due to the large number of variants. Some variants also have peer-to-peer and / or Trojan horse characteristics. Additional code may also be downloaded from various websites. The current versions from 2006 also delete keys in the Windows registry that are necessary for the automatic start of certain anti-virus or security software. The 2006 variants are designed to exclude any possibility of removing the worm. The worm does this as follows:

1. The option to boot up in safe mode to remove the virus is switched off by deleting the registry (blue screen).

2. All virus scanners are blocked and switched off.

3. The CPU utilization is constantly kept at 100%. (Work only possible in the task manager)

4. The Internet connection is removed so that no measures against this virus can be taken from this side either.

The worm disguises itself with the following files: hldrrr.exe, hidr.exe, srosa.sys and creates invisible folders ( rootkit ). As soon as a folder is found and deleted with a rootkit tool, it creates new ones. In addition, the hldrrr.exe file is copied to these various hidden folders as soon as an attempt is made to delete them. Since it is hardly possible to find all the hldrrr.exe worms with virus programs at the same time, restoring the system is almost impossible.

supporting documents

  1. Trend Micro: WORM_BAGLE.EN - Technical details . June 19, 2007.

Web links