Aliases: W32/Bagle-U
Variants: Worm.Beagle. Bagle.b, Bagle.a, W32.Beagle.A@mm

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Europe, North and South America, Asia, Australia, Africa
Removal: Easy
Platform: W32
Discovered: 03 Jun 2005
Damage: Medium

Characteristics: The worm W32.Beagle!gen is a variant of the Beagle (also called Bagle) worm family. This worm family’s main characteristic is their mass mailing spreading ability.

More details about W32.Beagle!gen

The Beagle or Bagle family of mass mailing worms was created in pure assembly form. This worm family affects all Windows Operating System versions. The first strain from the Beagle family is the Bagle.a which did not become widely spread. However, the second strain Bagle.B significantly infected a host of computer systems. Once the W32.Beagle!gen worm is run in the infected system, it sends an email to addresses it has gathered from the compromised machine. This worm utilizes its very own SMTP engine for mass mailing itself. It will then scan the computer if a peer to peer client like iMesh or KaZaa is installed and if there is, it will copy itself to the client’s directories with the ‘shar’ string on the name.

The worm can also spread itself by arriving on target machine as an attachment with random files. The attachment will most likely be in the .zip format and from random senders. This worm also opens up a backdoor utility on a TCP port for downloading and running random files. The TCP port may also be used by the worm as an email relay. After a successful installation of the backdoor utility, the malware will alert its author by sending connection information to remote PHP scripts. The W32.Beagle!gen worm may likewise inject its component for mass mailing in the form of a DLL to the explorer.exe’s address space to mask its operations from firewalls. This worm utilizes it very own SMTP engine for mass mailing itself. This security risk allegedly originated from Germany. This worm can be removed from the compromised system by using a competent antivirus program with an updated virus definitions database.