Old-School Bagle Worm Still Ready for Modern Spam Campaigns

Bagle.A and Bagle.B date back to 2004.

The long-running Bagle worm, affecting Microsoft Windows machines, is still out there, a throwback to an earlier time.

Also referred to as Beagle, Bagle contains a backdoor that listens on TCP port 6777 which is hardcoded in the worm’s body. This backdoor component provides remote access to the infected computer and can be used to download and execute other malware from the internet.

The bad code was first seen in January 2004, and since then has morphed to spawn plenty of different variants. Despite having so many malware options to choose from. Comodo, writing in a posting on Monday, noted that the very first two variants of the worm, Bagle.A and Bagel.B,¬†arrive in peoples’ inboxes in password-protected .zip files; the password is given to the victim in the body of the email.

It’s a more simplistic approach than what’s been seen with some later Bagle variants that eschew the attachment tactic.

“The Bagle.P variant, including a few others can infect computers without an attachment file in its email,” analysts said. “It is available with an ActiveX control that produces and runs a VBScript on the system, which downloads and executes the worm from one of a list of IP addresses.” It’s unclear however whether infection success would depend on lax security controls, such as allowing users to enable ActiveX and auto-run media content from an email.

The samples also vary when it comes to social engineering tactics. A few later variants, including Bagle.DW, try to make victims believe that they are being accused of being a phisher or criminal spammer, and that the attachment holding the worm contains alleged proof of their crime.

With Bagle.A and Bagle.B on the other hand, the lure is much more straightforward.

“‘Hi’ is the mail’s subject and the message is ‘Test =)’, which is followed by a series of random characters with ‘Test, yep.’ at the end,” researchers explained. “The attachment name is a string of random letters with a .exe file extension and the icon mostly looks like the Windows calculator.”

The attackers also use emails with spoofed sender lines and email addresses with similar domain names as the recipients.

Once the malware is executed, the file bbeagle.exe, from which Bagle gets its name, is added to the Windows system folder, followed followed by the launch of the Windows Calculator. For persistence it adds the malware to the system folder and alters the current user’s registry key for automatically running programs on start-up.

Once the listening thread on the TCP port 6777 is developed by the worm, it can receive specially formatted messages from the attackers; these could direct it to download an arbitrary file to the Windows system folder. Comodo also said that Bagle also will notify its command-and-control websites of the presence of the worm every 10 minutes.

For propagation, it will scan for email addresses in files with extensions .wab, .txt, .htm, and .html, and will begin sending itself out to them.

That said, “after implementation, Bagle will check the system date and may not even do anything if the date goes beyond a specific point (2004.01.28 for Beagle.A),” researchers said. “If the date on the infected computer appears to be wrong and displays a date before the time the worm is supposed to stop running, it will then run and continue to spread from that computer.”

In all, Bagle’s approach in many cases uses techniques and malware that would be familiar from 14 years ago when Bagle first came on the scene. But the fact that the variants are elderly doesn’t make them any less effective: Comodo said that Bagle.B in particular can be quite virulent.


Suggested articles