[email protected]

Aliases: I-Worm.Bagle, WORM_BAGLE.A, W32/Bagle-A, W32/[email protected], Win32.Bagle.A
Variants: W32.Beagle!gen, Worm.Beagle, Bagle.b, Bagle.a

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Europe, North and South America, Asia, Australia, Africa
Removal: Easy
Platform: W32
Discovered: 18 Jan 2004
Damage: Medium

Characteristics: This is a mass-mailing worm that belongs to the Beagle (also called Bagle) worm family. It can access remote websites and send email messages to every address it can gather from the infected machine. The worm uses its own SMTP engine for mass mailing.

More details about [email protected]

This mass-mailing worm accesses remote websites and uses its own SMTP engine to send email messages to any email addresses it finds. Once installed on a machine and run, the worm immediately checks whether the system date is later than the 28th of January 2004. If it is, the worm simply stops its activities. The worm does not query NTP servers to verify the time and relies on the local clock instead. This generally means that when a system has the wrong date (e.g. the system date is set to before January 28, 2004), the worm will continue its malicious activities.

The worm also drops the file C:\windows\system\bbeagle.exe and then runs calc.exe, the executable for the Windows Calculator. It also adds certain values to a certain registry subkey. The worm then scans the computer for files with the .txt, .wab, .html, and .htm extensions and searches them for email addresses. Next, it tries to use the local DNS server to obtain the MX details for the recipient's address. If that server is not available, it uses a hard-coded server instead.
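
The behaviour described above (a workstation resolving MX records itself and delivering mail through its own SMTP engine) is visible on the network. The following detection sketch is an added example, not part of the original entry. The log format, the relay address 10.0.0.5 and the threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log lines (not from a real network): "<time> <kind> <src> <a> <b>"
SAMPLE_LOG = """\
2004-01-19T10:02:11 DNS 10.0.0.23 MX example.org
2004-01-19T10:02:12 CONN 10.0.0.23 203.0.113.5 25
2004-01-19T10:02:13 DNS 10.0.0.23 MX example.net
2004-01-19T10:02:14 CONN 10.0.0.23 198.51.100.7 25
2004-01-19T10:02:15 DNS 10.0.0.23 MX example.com
2004-01-19T10:02:16 CONN 10.0.0.23 192.0.2.44 25
2004-01-19T10:03:00 DNS 10.0.0.5 MX example.org
2004-01-19T10:03:01 CONN 10.0.0.5 203.0.113.5 25
2004-01-19T10:04:00 DNS 10.0.0.31 A example.org
2004-01-19T10:04:01 CONN 10.0.0.31 203.0.113.9 80
2004-01-19T10:05:00 CONN 10.0.0.40 10.0.0.5 25
malformed line
"""

MAIL_RELAYS = {"10.0.0.5"}   # assumed: the only hosts allowed to send SMTP outbound
MIN_SMTP_PEERS = 3           # assumed threshold of distinct tcp/25 destinations


def find_direct_mailers(log_text, relays=MAIL_RELAYS, min_peers=MIN_SMTP_PEERS):
    """Return {src: (mx_query_count, sorted smtp peers)} for non-relay hosts
    that resolve MX records themselves and speak SMTP to many servers."""
    mx_queries = defaultdict(int)
    smtp_peers = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or unknown records
        _, kind, src, a, b = fields
        if src in relays:
            continue  # the sanctioned relay is expected to do both things
        if kind == "DNS" and a == "MX":
            mx_queries[src] += 1
        elif kind == "CONN" and b == "25" and a not in relays:
            smtp_peers[src].add(a)  # SMTP that bypasses the relay
    return {
        src: (mx_queries[src], sorted(peers))
        for src, peers in smtp_peers.items()
        if mx_queries[src] > 0 and len(peers) >= min_peers
    }


if __name__ == "__main__":
    for host, (mx, peers) in find_direct_mailers(SAMPLE_LOG).items():
        print(f"{host}: {mx} MX lookups, direct SMTP to {', '.join(peers)}")
```

Blocking outbound tcp/25 from everything except the mail relay turns this signal into a set of denied connections, which is an easier alert to act on.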