Center for Information Technology: Antivirus

Virus Alerts

W32/Bagle.b@MM Aka W32.Beagle.B (Symantec) Last Updated 2/17/04 12:48PM

CIT has been notified of a new variant of the W32/Bagle@MM email virus called W32/Bagle.b@MM, also known as W32.Beagle.B (Symantec). W32/Bagle.b@MM is a mass-mailing worm with a remote access component. The worm harvests email addresses from .wab, .txt, .htm, and .html files and, using its own SMTP engine, emails itself to all contacts it finds. The worm opens a backdoor on port 8866 and sends a notification through an HTTP GET request to a PHP script on the following remote server(s):

  • www.strato.de
  • www.47df.de/wbboard/1.php
  • www.intern.games-ring.de/2.php

When the attachment is run, the virus checks whether the system date is February 24, 2004, or later; if it is, the virus exits. Note the presence of the file au.exe in the WINDOWS SYSTEM directory when the virus executes the standard Windows Sound Recorder program SNDREC32.EXE.

In email form, W32/Bagle.b@MM appears as follows:

From: (address of message is spoofed)

Subject: ID <6 random characters>... thanks

The message body is the following:

Yours ID <9 random characters>

- - Thank

Attachment: randomly named binary with .EXE file extension (11,264 bytes)
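
The message characteristics above can be turned into a mail-gateway check. The following is an added example, not code from CIT, NAI or Symantec; the character class used for the "random characters", the quarantine policy and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Indicators taken from the alert text. Treating "random characters" as
# any non-whitespace characters is an assumption.
SUBJECT_RE = re.compile(r"^ID \S{6}\.\.\. thanks$")
BODY_RE = re.compile(r"Yours ID \S{9}")
ATTACHMENT_SIZE = 11264  # bytes, as stated in the alert


def bagle_b_indicators(raw: bytes) -> list:
    """Return the alert indicators matched by a raw RFC 5322 message."""
    msg = message_from_bytes(raw)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            hits.append("exe-attachment")
            if len(payload) == ATTACHMENT_SIZE:
                hits.append("attachment-size")
        elif part.get_content_type() == "text/plain":
            if BODY_RE.search(payload.decode("latin-1")):
                hits.append("body")
    return hits


def should_quarantine(raw: bytes) -> bool:
    # Hypothetical policy: subject pattern plus any .exe attachment.
    hits = bagle_b_indicators(raw)
    return "subject" in hits and "exe-attachment" in hits


def build_sample(subject: str, body: str, size: int) -> bytes:
    """Constructed test message with a zero-filled, harmless attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(bytes(size), maintype="application",
                     subtype="octet-stream", filename="qwxzrt.exe")
    return m.as_bytes()
```

Because the From address is spoofed and the attachment name is random, neither is used as an indicator here.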

NAI released Dat/SuperDat 4324 to detect and remove W32/Bagle.b@MM. The 4324 DAT/SuperDat is now available.

Symantec released 2/17/2004 virus definitions to detect and remove W32.Beagle.B. Definitions are available through the LiveUpdate feature of Symantec Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_101030.htm from NAI.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.b@mm.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support

National Institutes of Health, Center for Information Technology
Bethesda, Maryland 20892