As a worm, Bagle is fairly simple: it spreads via email messages, which always look the same. The emails always have a subject field "Hi" and contain an EXE attachment with a calculator icon.
"A big percentage of companies nowadays filter executable email attachments", comments Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. "However, apparently that percentage is not big enough".
The emails sent by the worm look like this:
From: (random email address)
To: (address of the recipient)
Attachment (with a Calculator icon):
Note to editors: A picture of an infected email is available from F-Secure website.
When a user clicks on the EXE attachment, the worm will spread further. After this the worm runs the Windows Calculator application, apparently in order to fool the user.
The worm will collect email addresses aggressively from all local and network drives. It will search through every text and HTML file as well as address book files and send a copy of itself to each address - except to addresses of Microsoft, MSN or Hotmail. Apparently the aggressive address collection is the key reason why the virus has been successful, even though the email it sends doesn't look too smart.
The Bagle worm contains a backdoor that listens on TCP port 6777. Through this backdoor the worm author can connect to infected machines and download and execute arbitrary programs on them. The virus author can find the infected machines because they report themselves by requesting a specific file from hacked websites.
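The listening port is the one host-side indicator the article gives, so a quick triage step on a suspect Windows machine is to look for a TCP listener on 6777. The following is an added example, not from F-Secure or the worm's code: it parses `netstat`-style output (the sample output is constructed inline) and reports whether the backdoor port is open. Column layout follows the common Windows `netstat -an` format; any other format is an assumption to adjust.

```python
# TCP port the article says the Bagle backdoor listens on.
BAGLE_BACKDOOR_PORT = 6777

# Constructed sample of `netstat -an`-style output, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1044          10.0.0.9:445           ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def listening_tcp_ports(netstat_text: str) -> list[int]:
    """Extract local ports of every TCP socket in LISTENING state."""
    ports = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expect: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        local = fields[1]
        # Split on the last colon so IPv6 addresses like [::]:6777 also work.
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        ports.append(int(port))
    return ports


def bagle_backdoor_open(netstat_text: str) -> bool:
    """True when something is listening on the page's backdoor port."""
    return BAGLE_BACKDOOR_PORT in listening_tcp_ports(netstat_text)


if __name__ == "__main__":
    print("listening:", listening_tcp_ports(SAMPLE_NETSTAT))
    print("backdoor port open:", bagle_backdoor_open(SAMPLE_NETSTAT))
```

A listener on 6777 is a strong lead but not proof on its own; confirm with the sending process and a file scan, and treat the absence of the listener as inconclusive, since the article does not say the port is fixed in every build.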
"It seems perfectly possible that Bagle is yet another worm written by spammers", says Mikko Hypponen. "This way, they could first infect a large amount of computers. When they have enough, they could automatically install invisible email proxy servers on each machine and start spamming through them."
This worm has a built-in expiration date. After January 27th, 2004, the worm will stop spreading. This is based on the local system date of the infected machine, so the worm will continue to propagate from machines which have their date set wrong. This feature is similar to the one seen in the Sobig virus family. Sobig authors used the expiration date to remove outdated versions from the market in order to release new and improved versions of the worm.