Bagle (computer worm)

Bagle
Aliases: Beagle, Bagle.A, Bagle.B, Bagle.C, Bagle.D, Bagle.J, Bagle.Z
Type: Computer worm
Subtype: Trojan
Isolation: January 18, 2004
Filesize: Varies upon type

Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.


Overview

Bagle used its own SMTP engine to mass-mail itself as an attachment to addresses harvested from the infected computer by combing through all of its .htm, .html, .txt, and .wab files. [1] It does not mail itself to addresses containing certain strings such as "@hotmail.com", "@msn.com", "@microsoft", "@avp", or ".r1". [2] The attachment poses as a different file type (a 15,872-byte Windows Calculator for Bagle.A and an 11,264-byte audio file for Bagle.B) under a randomized name, and when run it opens that file type as a cover while launching its own .exe. [3] [4] [1] It copies itself to the Windows system directory (Bagle.A as bbeagle.exe, Bagle.B as au.exe), adds HKCU run keys to the registry, and opens a backdoor on a TCP port (6777 for Bagle.A and 8866 for Bagle.B). [4] [1] Bagle.B also notifies the worm's author of a successful infection with an HTTP GET request. [4] [5] Bagle variants, including Bagle.A and Bagle.B, generally carry a hard-coded date after which they stop spreading. [6] Computers infected with older versions of Bagle are updated when newer ones are released. [7]
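The host and mail-gateway indicators in the paragraph above (the dropped file name in the system directory, an HKCU Run value that launches it, the listening backdoor port, and the fixed attachment size) lend themselves to a small triage script. The following is an added example and is not code from the original article; all inputs are constructed sample data, and the Run value name "updater" is invented for the sample because the article does not give the real value names.

```python
"""Host- and gateway-side triage for the Bagle.A / Bagle.B indicators in the
Overview: dropped file name in the system directory, an HKCU Run value that
launches it, a listening backdoor TCP port, and the fixed attachment size.

Added example (not code from the original article). All inputs below are
constructed sample data; the Run value name "updater" is invented for the
sample because the article does not give the real value names."""
import ntpath
import re

# Per-variant indicators as stated in the article.
VARIANTS = {
    "Bagle.A": {"dropper": "bbeagle.exe", "port": 6777},
    "Bagle.B": {"dropper": "au.exe", "port": 8866},
}

# Attachment sizes the article gives for the disguised .exe payloads.
ATTACHMENT_SIZES = {15872: "Bagle.A", 11264: "Bagle.B"}


def listening_ports(netstat_lines):
    """Local TCP ports in LISTENING state, parsed from 'netstat -an'-style lines."""
    ports = set()
    for line in netstat_lines:
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def run_key_targets(run_values):
    """Lower-cased basenames of the executables that HKCU Run values launch.

    run_values maps value name -> command string (quoted or unquoted path)."""
    targets = set()
    for cmd in run_values.values():
        m = re.match(r'\s*"?([^"]*?\.exe)', cmd, re.IGNORECASE)
        if m:
            targets.add(ntpath.basename(m.group(1)).lower())
    return targets


def triage(system_dir_files, run_values, netstat_lines):
    """Return {variant: [matched indicators]} for every variant with at least one hit."""
    files = {f.lower() for f in system_dir_files}
    targets = run_key_targets(run_values)
    ports = listening_ports(netstat_lines)
    hits = {}
    for name, ind in VARIANTS.items():
        matched = []
        if ind["dropper"] in files:
            matched.append("file:" + ind["dropper"])
        if ind["dropper"] in targets:
            matched.append("runkey:" + ind["dropper"])
        if ind["port"] in ports:
            matched.append("port:%d" % ind["port"])
        if matched:
            hits[name] = matched
    return hits


def attachment_hint(filename, size):
    """Gateway check: a .exe attachment of exactly one of the known sizes.

    Returns the variant name or None; the random file name carries no signal,
    so only the extension and the size are used."""
    if filename.lower().endswith(".exe") and size in ATTACHMENT_SIZES:
        return ATTACHMENT_SIZES[size]
    return None


# Constructed sample host artifacts (not real captures).
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "calc.exe", "bbeagle.exe", "notepad.exe"]
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
    "updater": r'"C:\WINDOWS\System32\bbeagle.exe"',  # constructed value name
}
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1052       10.0.0.3:25            ESTABLISHED",
]

if __name__ == "__main__":
    print(triage(SAMPLE_SYSTEM_DIR, SAMPLE_RUN_VALUES, SAMPLE_NETSTAT))
    print(attachment_hint("xk3a.exe", 15872))
```

On a real host the three inputs would come from a directory listing of the system directory, an export of the HKCU Run key, and `netstat -an` output; the functions are kept separate so each indicator can be checked on its own, since a single match (for example the port alone) is weaker evidence than all three together.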

History

The initial strain, Bagle.A, was first sighted on January 18, 2004, seemingly originating in Australia. [1] The original file name for the Bagle virus was Beagle, but computer scientists decided to call it Bagle instead as a way to spite Bagle's programmer. [8] Although it started strong with more than 120,000 infected computers, it quickly dwindled in efficacy. [9] Sometimes accompanied by Trojan.Mitglieder.C, it stopped spreading after January 28, 2004, as designed. [9] [1]

The second strain, Bagle.B, was first sighted on February 17, 2004. [5] It was much more widespread and appeared in large numbers; Network Associates rated it a "medium" threat. It was designed to stop spreading after February 25, 2004.

At one point in 2004, the Bagle and Netsky viruses exchanged insults and harsh words with each other in their codes, beginning with Bagle.I on March 3, 2004. [6] Notably, Bagle.J contained the message "Hey, NetSky, fuck off you bitch, don't ruine our bussiness, wanna start a war?", and Netsky-R included, "Yes, true, you have understand it. Bagle is a shitty guy, he opens a backdoor and he makes a lot of money. Netsky not, Netsky is Skynet, a good software, Good guys behind it. Believe me, or not. We will release thousands of our Skynet versions, as long as bagle is there ...". [10] [11] Additionally, Bagle and Netsky both tried to remove each other from an infected system. [12]

Further variants were discovered later. By July 26, 2004, there were 35 variants of Bagle, and by April 22, 2005, that number had increased to over 100. [13] [6] Although not all of them have been successful, a number remain notable threats. Additionally, on July 3 and 4, 2004, Bagle.AD and Bagle.AE were released with the worm's source code, written in assembly, visibly included in both of them. [14]

Some of these variants contain the following text:

    "Greetz to antivirus companies
    In a difficult world,
    In a nameless time,
    I want to survive,
    So, you will be mine!!
    -- Bagle Author, 29.04.04, Germany."

This has led some to believe that the worm originated in Germany.

Since 2004, the threat risk from these variants has been changed to "low" due to decreased prevalence. However, Windows users are warned to watch out for it.

Botnet

The Bagle botnet (Initial discovery early 2004 [6] [15] ), also known by its aliases Beagle, Mitglieder and Lodeight, [16] is a botnet mostly involved in proxy-to-relay e-mail spam.

The Bagle botnet consists of an estimated 150,000-230,000 [17] computers infected with the Bagle computer worm. It was estimated that the botnet was responsible for about 10.39% of the worldwide spam volume on December 29, 2009, with a surge up to 14% on New Year's Day, [18] though the actual percentage appears to rise and fall rapidly. [19] As of April 2010 it was estimated that the botnet sent roughly 5.7 billion spam messages a day, or about 4.3% of the global spam volume. [17]


References

  1. Munro, Jay (2021-01-26). "How to Stop the Spread of Bagel Virus". ABC News. Archived from the original on 2021-01-26. Retrieved 2021-04-13.
  2. "Email-Worm:W32/Bagle". F-Secure. Archived from the original on 2021-01-26. Retrieved 2021-04-13.
  3. "Virus Profile: W32/Bagle@MM". McAfee. Archived from the original on 2008-01-27. Retrieved 2021-04-13.
  4. "February". Network Security. 2004 (3): 5-7. March 2004. doi:10.1016/S1353-4858(04)00049-2.
  5. Fisher, Dennis (2004-02-17). "New Bagle Virus Gaining Momentum". eWeek. Retrieved 2021-04-13. (Permanent dead link.)
  6. Mashevsky, Yury (2005-04-22). "The Bagle botnet". Securelist. Archived from the original on 2021-01-19. Retrieved 2010-07-30.
  7. Hines, Matt (2006-04-17). "Spam Attack Keeps Bagle Boiling". eWeek. Retrieved 2021-04-13.
  8. Husted, Bill (2004-01-21). "Latest Computer Worm Wreaks Less Havoc in U.S. Than Overseas". Atlanta Journal-Constitution.
  9. Seltzer, Larry (2004-01-21). "Bagle Infection Rate Rolling Down". eWeek. Retrieved 2021-04-13.
  10. "Virus writers start war of words". Internet Magazine. 118: 10. 2004. Via Gale.
  11. "Netsky-R latest in barrage of warring worms". Software World. 35 (3). 2004. Via Gale.
  12. "Bagle-Netsky Battle Continues with New Players". Computergram International. MarketLine. 2004-03-17. Via Gale.
  13. Fisher, Dennis (2004-07-26). "Success of Bagle Virus Puzzles Researchers". eWeek. Retrieved 2021-04-13.
  14. "Would you like source with your Bagle?". Infosecurity Today. 1 (4): 46. 2004-07-01. doi:10.1016/S1742-6847(04)00095-3. ISSN 1742-6847.
  15. "A Little Spam With Your Bagle?". M86 Security. 2009-06-04. Archived from the original on 2012-03-12. Retrieved 2010-07-30.
  16. "Bagle". M86 Security. 2009-06-17. Archived from the original on 2011-01-01. Retrieved 2010-07-30.
  17. http://www.messagelabs.com/mlireport/MLI_2010_04_Apr_FINAL_EN.pdf
  18. Raywood, Dan. "New botnet threats emerge in the New Year from Lethic and Bagle". SC Magazine UK. Retrieved 2010-07-30.
  19. Raywood, Dan (2010-01-11). "New Spamming Botnet On The Rise". SC Magazine. DarkReading. Archived from the original on 2016-08-08. Retrieved 2010-07-30.