Network Associates today announced that McAfee AVERT (Anti-Virus and Vulnerability Emergency Response Team), the world-class anti-virus research division of Network Associates, placed a medium risk assessment on the recently discovered W32/Bagle.c@MM, also known as Bagle.c. Bagle.c is a worm that uses its own SMTP engine to construct outgoing messages and contains a remote access component. It was first seen by McAfee AVERT researchers earlier today, and to date McAfee AVERT has seen over 80 samples from customers around the world.
Bagel C Worm Symptoms
The Bagle.c worm is an Internet mass mailer that harvests addresses from local files and then uses the harvested addresses in both the From field and To field and sends itself using its own SMTP engine. The next recipient is thus unable to see the true sender. The worm then proceeds into the remote access component of the virus, which listens on TCP port 2745 for remote connections. Users should delete any email containing the following:
-- From: (address is spoofed) -- Body: (Message body is empty) -- Subject: * Price * New Price-list * Hardware devices price-list * Weekly activity report * Daily activity report * Maria * Jenny * Jessica * Registration confirmation * USA government abolishes the capital punishment * Freedom for everyone * Flayers among us * From Hair-cutter * Melissa * Camila * Price-list * Pricelist * Price list * Hello my friend * Hi! * Well... * Greet the day * The account * Looking for the report * You really love me? he he * You are dismissed * Accounts department * From me * Monthly incomings summary * The summary * Proclivity to servitude * Ahtung! * The employee
After being executed, Bagle.c emails itself to addresses found on the infected host using a the filename .WAB, .TXT, .HTM, .HTML, .DBX, .MDX, .EML, .NCH, .MMF, .ODS, .CFG, .ASP, .PHP, .PL, .ADB and .SHT. The filenames listed are the filetypes that Bagle.c harvests e-mail addresses from. The file name is sent as (Random Name).zip. However, the virus avoids sending itself to addresses containing @hotmail.com, @msn.com, @microsoft, @avp, noreply, local, root@ and postmaster@. The worm goes completely inactive on the first reboot after March 14, 2004.