Beagle
Beagle
Type Mass mailer worm
Creator
Date Discovered 2004.01.18
Place of Origin
Source Language Delphi
Platform MS Windows
File Type(s) .exe, .pif, .zip
Infection Length 15,872 bytes
Reported Costs $896 million

Beagle, also known as Bagle is a large family of email worms with many variations. Beagle is notable for the fact that many variants came in password-protected .zip files, with the password usually contained in the body of the message.

Behavior

Beagle arrives in an email with a spoofed sender line. The alleged sender has an email address with the same domain name as the recipient. The subject of the mail is "Hi" and the message is "Test =)" followed by a string of random characters with "Test, yep." at the end. The attachment name is a string of random letters with a .exe file extension and the icon often looks like the Windows calculator.
After execution, some variants of Beagle will check the system date and may not do anything if the date has gone beyond a certain point (2004.01.28 for Beagle.A). If the date on the infected computer is wrong and displays a date before the time the worm is supposed to stop running, it will run and continue to spread from that computer.

It adds the file bbeagle.exe to the Windows system folder. The file calc.exe (the Windows Calculator) is launched. The worm then adds the value "d3dupdate.exe = (system folder directory)\bbeagle.exe" to the current user's registry key that causes programs to run automatically once the system is started. It may also add the values "uid = [Random Value]" and "frun = 1" to registry key HKEY_CURRENT_USER\Software\Windows98.

The worm creates a listening thread on the TCP port 6777. If a cracker sends a specially formatted message to the worm through this port, the worm will allow an arbitrary file to be downloaded to the Windows system folder. Beagle also creates a thread that notifies a number of website of the presence of the worm every ten minutes.

It then scans for email addresses in files with extensions .wab, .txt, .htm, and .html. It will not send itself to any of the following domains:

  • .r1
  • @hotmail.com
  • @msn.com
  • @microsoft.com
  • @avp

Creator

The creator of the original Beagle is unknown, but one researcher points to Caesar2k of the group Nuclear Winter Crew, as his creation Titog was similar in that it shut down the same processes as the M variant of Beagle. Also, Caesar2k and other members of the group code in Delphi, the language Beagle was coded in.

Name

Beagle gets its name from the file bbeagle.exe, which is the file name of the original and some subsequent variants of the Beagle worm drop into the system folder. It also goes by the name Bagle, as antivirus companies try to avoid using the name that the virus coder intended.

  • Avast!: Win32:Beagle
  • Avira: Worm/Bagle.A
  • CA: Win32.Bagle.A
  • ClamAV: Worm.Bagle.Gen-dll
  • Doctor Web: Win32.HLLM.Beagle.15872
  • Eset: Win32/Bagle.A
  • F-Prot: W32/Bagle.A@mm
  • F-Secure: Email-Worm.Win32.Bagle.fj [AVP]
  • Grisoft: I-Worm/Bagle.A
  • Kaspersky Lab: Email-Worm.Win32.Bagle.a
  • McAfee: W32/Bagle.a@MM
  • Norman: W32/Bagle.A@mm
  • Panda: W32/Bagle.A.worm
  • RAV: Win32/Bagle.A@mm
  • Bitefender: Win32.Bagle.A@mm
  • Sophos: W32/Bagle-A
  • Symantec: W32.Beagle.A@mm
  • Trend Micro: WORM_BAGLE.A
  • Vexira: Trojan.DL.Bagle

Variants

Beagcons.png

There are enough variants of Beagle to go through the alphabet several times, and they go up to at least Beagle.GM. Typically they are around 20,000 bytes in length, but some go below 10,000 while others are well above 100,000 bytes.

P

The Beagle.P variant (may have a different letter with different antivirus scanners) as well as a few others can infect computers without an attachment file in its email. It contains an ActiveX control that creates and runs a VBScript on the system, which downloads and executes the worm from one of a list of IP addresses.

DW

Some variants, including Beagle.DW, attempt to make the victim believe that he/she is being accused of being a criminal spammer or phisher, and that the attachment containing the worm actually contains alleged proof of their crime. The message containing the worm can be one of three possibilities:

  • Hey pal. Do you know, that your webpage paypalll.comprovides a phishing attack? Open attached file for a proof hmmmm it's quite nice, but I think that cops would be interested in it. So my friend. take the page away and put a Appologize on it. Or the Police will hear from me. Cya my friend
  • Hi! Just to inform you that your email is used by a spamer who intends to steal bank account information thru a fake site. If you are not involded, I can bring you additionnal information. Check attached file for a proof. If you are, you're a little son of a bitch.
  • Dude, I found your email from whois info of a web page that was used in spam and illigal activity, please do something or you will be sued and busted. Was very dumb to leave your email, asshole! P.S Attached file is self-exatracting archive with information about your criminal activity.

Sources

Gregg Keizer. InformationWeek, "Bagle Bullies Users Into Infections". 2006.03.02

Takayoshi Nakayama. Symantec.com, "W32.Beagle.DW@mm"

Larry Seltzer Eweek.com, "New Bagle Worm Variant Can Run Without Launching Attachment". 2004.03.18

Jay Lyman, TechNewsWorld, "Bagle.U Worm Spreads Despite Simplicity". 2004.03.26

Gary Warner. Birmingham Chapter of InfraGard Beagle Evolution: Observations on a Rapidly Changing Virus 2004.04.13 (PowerPoint)

HP ProCurve Networking, Live Virus Testing with Virus Throttle Technology. 2008.07 (PDF)

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License