
Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.


Overview

Bagle used its own SMTP engine to mass-mail itself as an attachment to recipients gathered from the infected computer by combing through all of the computer's .htm, .html, .txt, and .wab files for email addresses. It did not mail itself to addresses containing certain strings such as "@hotmail.com", "@msn.com", "@microsoft", "@avp", or ".r1". Bagle pretended to be a different file type (a 15,872-byte Windows Calculator for Bagle.A and an 11,264-byte audio file for Bagle.B) with a randomized name, and it would then open that file type as a cover for running its own .exe file. It copied itself to the Windows system directory (Bagle.A as , Bagle.B as ), added HKCU run keys to the registry, and opened a backdoor on a TCP port (6777 for Bagle.A and 8866 for Bagle.B). Using an HTTP GET request, Bagle.B also informed the virus's programmer that the machine had been successfully infected. Bagle variants, including Bagle.A and Bagle.B, generally had a date at which they stopped spreading built into their programming. Computers infected with older versions of Bagle were updated when newer ones were released.
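The two host-level indicators the paragraph above names, a TCP listener on the backdoor port and an HKCU Run entry launching an executable from the system directory, can be checked from ordinary Windows tool output. The following triage helper is an added example, not code from the article; it assumes `netstat -ano`-style and `reg query`-style line formats, and because the article omits the dropped file names, the sample registry dump uses a labelled placeholder.

```python
"""Triage constructed netstat / reg query output for the Bagle indicators
described in the article: backdoor ports 6777 (Bagle.A) and 8866 (Bagle.B),
and HKCU Run persistence pointing into the Windows system directory."""
import re

BAGLE_BACKDOOR_PORTS = {6777: "Bagle.A", 8866: "Bagle.B"}  # ports from the article
HKCU_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# ctfmon.exe legitimately lives in HKCU Run on older Windows; allowlist it.
BENIGN_SYSTEM_DIR_RUN = {"ctfmon.exe"}

# "  TCP    0.0.0.0:6777    0.0.0.0:0    LISTENING    1788"
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.I)
# "    ValueName    REG_SZ    C:\WINDOWS\system32\something.exe"
REG_VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")


def find_backdoor_listeners(netstat_lines):
    """Return (port, variant, pid) for TCP listeners on the Bagle backdoor ports."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) in BAGLE_BACKDOOR_PORTS:
            port = int(m.group(2))
            hits.append((port, BAGLE_BACKDOOR_PORTS[port], int(m.group(3))))
    return hits


def find_suspicious_run_values(reg_lines, system_dir=r"C:\WINDOWS\system32"):
    """Return (value_name, target) for HKCU Run values that launch a non-allowlisted
    .exe from the system directory, the persistence pattern the article describes."""
    hits = []
    for line in reg_lines:
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, target = m.group(1), m.group(2).strip('"')
        exe = target.rsplit("\\", 1)[-1].lower()
        in_system_dir = target.lower().startswith(system_dir.lower() + "\\")
        if in_system_dir and exe.endswith(".exe") and exe not in BENIGN_SYSTEM_DIR_RUN:
            hits.append((name, target))
    return hits


# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """  Proto  Local Address    Foreign Address   State        PID
  TCP    0.0.0.0:135      0.0.0.0:0         LISTENING    1032
  TCP    0.0.0.0:6777     0.0.0.0:0         LISTENING    1788
  TCP    192.168.1.5:1045 10.0.0.2:80       ESTABLISHED  1788""".splitlines()
SAMPLE_REG = (HKCU_RUN_KEY + r"""
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    unknown       REG_SZ    C:\WINDOWS\system32\PLACEHOLDER_BAGLE_NAME.exe""").splitlines()

if __name__ == "__main__":
    print("backdoor listeners:", find_backdoor_listeners(SAMPLE_NETSTAT))
    print("suspicious HKCU Run values:", find_suspicious_run_values(SAMPLE_REG))
```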


History

The initial strain, Bagle.A, was first sighted on January 18, 2004, seemingly originating in Australia. The original file name for the Bagle virus was Beagle, but computer scientists decided to call it Bagle instead as a way to spite Bagle's programmer. Although it started strong with more than 120,000 infected computers, it quickly dwindled in efficacy. Sometimes accompanied by Trojan.Mitglieder.C, it stopped spreading after January 28, 2004, as designed. The second strain, Bagle.B, was first sighted on February 17, 2004. It was much more widespread and appeared in large numbers; Network Associates rated it a "medium" threat. It was designed to stop spreading after February 25, 2004. At one point in 2004, the Bagle and Netsky viruses exchanged insults and harsh words with each other in their code, beginning with Bagle.I on March 3, 2004. Notably, Bagle.J contained the message "Hey, NetSky, fuck off you bitch, don't ruine our bussiness, wanna start a war?", and Netsky-R included, "Yes, true, you have understand it. Bagle is a shitty guy, he opens a backdoor and he makes a lot of money. Netsky not, Netsky is Skynet, a good software, Good guys behind it. Believe me, or not. We will release thousands of our Skynet versions, as long as bagle is there ...". Additionally, Bagle and Netsky each tried to remove the other from an infected system. Further variants were discovered later. By July 26, 2004, there were 35 variants of Bagle, and by April 22, 2005, that number had increased to over 100. Although they have not all been successful, a number remain notable threats. Additionally, on July 3 and 4, 2004, Bagle.AD and Bagle.AE were released, with the source code for the virus, written in Assembly, visibly appearing in both of them. Some of these variants contain the following text: "Greetz to antivirus companies In a difficult world, In a nameless time, I want to survive, So, you will be mine!! -- Bagle Author, 29.04.04, Germany." This has led some people to think the worm originated in Germany. Since 2004, the threat risk from these variants has been changed to "low" due to decreased prevalence. However, Windows users are warned to watch out for it.


Botnet

The Bagle botnet (initial discovery early 2004), also known by its aliases Beagle, Mitglieder and Lodeight, is a botnet mostly involved in proxy-to-relay e-mail spam. The Bagle botnet consists of an estimated 150,000-230,000 computers infected with the Bagle computer worm (http://www.messagelabs.com/mlireport/MLI_2010_04_Apr_FINAL_EN.pdf). It was estimated that the botnet was responsible for about 10.39% of the worldwide spam volume on December 29, 2009, with a surge up to 14% on New Year's Day, though the actual percentage seems to rise and drop rapidly. As of April 2010 it is estimated that the botnet sends roughly 5.7 billion spam messages a day, or about 4.3% of the global spam volume.

