Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


BAGLE.E WORM SPREADS IN THE WILD

Virus Name  : W32.Bagle.E@mm

Alias             : I-Worm/Bagle.E, W32/Bagle.E@MM , Bagle.E, W32/Bagle-E,  WORM_BAGLE.E 

Virus type    : Internet Worm

Threat level : Medium

Virus details :

                     Bagle.E is a mass mailing worm, uses  e-mail addresses collected from .wab .txt .htm .html .dbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .adb  and .sht files to distribute infected messages. Bagle worm arrives as an e-mail attachment. The infected attachment name is randomly chosen by the worm. Bagle.E worm appeared on 28th February 2004.

The infected mail subject will be one of the following

Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well... 
Greet the day
The account
Looking for the report
You really love me?
he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee

                     When the worm file is executed, it executes notepad application ( notepad.exe ) and copies itself to Windows system folder as "i1ru74n4.exe" in the background. It also drops godo.exe, ii455nj4.exe, and i1ru74n4.exeopen.

                     W32.Beagle.C@mm modifies registry run section to load automatically on the next startup. The registry modification is given below.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"rate.exe"= %SYSTEM%\i1ru74n4.exe

[ By default, %SYSTEM% will be C:\Windows\System in case of Windows 95/98/ME, C:\Winnt\System32 in case of Windows NT/2000 and C:\Windows\System32 in case of Windows XP ]

The worm also creates following additional key

HKEY_CURRENT_USER\SOFTWARE\Software\DateTime24 "frun"
HKEY_CURRENT_USER\SOFTWARE\Software\DateTime24 "uid"
HKEY_CURRENT_USER\SOFTWARE\Software\DateTime24 "port"

                    Bagle.E worm uses its own SMTP engine to send infected messages. The worm tries to terminate security programs in the infected system. Bagle.E worm will not send infected mails to the following e-mail addresses

.ch
@hotmail.com
@msn.com
@microsoft
@avp.
noreply
local
root@
postmaster@

                    Bagle.E contains backdoor abilities and it opens TCP port 2745. It allows hackers to upload files in the infected computer. This variant will not spread after 25th March 2004. Bagle.E tries to download a PHP script ( scr.php ) from the following sites

http://permail.uni-muenster.de
http://www.songtext.net/de
http://www.sportscheck.de

How can I protect my system?

                   Solo has incorporated W32.Beagle.E@mm in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this Worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

                   If you are already infected with this Worm, you can remove it from your computer using Solo Antivirus software. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link