Bagle (computer worm): Difference between revisions
WP:AWB WP:CHECKWIKI 16/90/91 cleanup, et. al., typo(s) fixed: ’s → 's (3) |
m a typo + grammar Tags: Visual edit Mobile edit Mobile web edit |
||
Line 8: | Line 8: | ||
== Overview == |
== Overview == |
||
Bagle used its own [[Smtp|SMTP engine]] to [[Bulk e-mail software|mass-mail]] itself as an attachment to recipients gathered from the infected computer by combing through all of the computer's .htm, .html, .txt, and .wab files for any email addresses.<ref name=":0">{{Cite news|last=Munro|first=Jay|date=2021-01-26|title=How to Stop the Spread of Bagel Virus|work=[[ABC News]]|url=https://abcnews.go.com/Technology/ZDM/story?id=97398&page=1|url-status=live|access-date=2021-04-13|archive-url=https://web.archive.org/web/20210126125341/https://abcnews.go.com/Technology/ZDM/story?id=97398&page=1|archive-date=2021-01-26}}</ref> It does not mail itself to addresses containing certain strings such as "@hotmail.com", "@msn.com", "@microsoft", "@avp", or “.r1”.<ref>{{Cite web|title=Email-Worm:W32/Bagle|url=https://www.f-secure.com/v-descs/bagle.shtml|url-status=live|archive-url=https://web.archive.org/web/20210126030855/https://www.f-secure.com/v-descs/bagle.shtml|archive-date=2021-01-26|access-date=2021-04-13|website=[[F-Secure]]}}</ref> Bagle pretends to be a different file type (a 15,872 byte Windows Calculator for Bagle.A and an 11,264 byte audio file for Bagle.B), with a randomized name, and it will then open that file type as a cover for opening its own [[.exe|.exe file]].<ref>{{Cite web|title=Virus Profile: W32/Bagle@MM|url=http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965|url-status=dead|archive-url=https://web.archive.org/web/20080127150353/http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965|archive-date=2008-01-27|access-date=2021-04-13|website=[[McAfee]]}}</ref><ref name=":1">{{Cite journal|date=March 2004|title=February|url=https://linkinghub.elsevier.com/retrieve/pii/S1353485804000492|journal=Network Security|language=en|volume=2004|issue=3|pages=5–7|doi=10.1016/S1353-4858(04)00049-2}}</ref><ref name=":0" /> It copies itself to the Windows system directory (Bagle.A as {{mono|bbeagle.exe}}, Bagle.B as {{mono|au.exe}}), adds [[HKCU|HKCU run keys]] to the registry, and opens a [[Backdoor (computing)|backdoor]] on a TCP port (6777 for Bagle.A and 8866 for Bagle.B).<ref name=":1" /><ref name=":0" /> Using an [[HTTP GET]] request, Bagle.B also informs the virus's programmer that the machine has been successfully infected.<ref name=":1" /><ref name=":2">{{Cite news|last=Fisher|first=Dennis|date=2004-02-17|title=New Bagle Virus Gaining Momentum|work=[[eWeek]]|url=https://www.eweek.com/security/new-bagle-virus-gaining-momentum/|access-date=2021-04-13}}{{Dead link|date=June 2022 |bot=InternetArchiveBot |fix-attempted=yes }}</ref> |
Bagle used its own [[Smtp|SMTP engine]] to [[Bulk e-mail software|mass-mail]] itself as an attachment to recipients gathered from the infected computer by combing through all of the computer's .htm, .html, .txt, and .wab files for any email addresses.<ref name=":0">{{Cite news|last=Munro|first=Jay|date=2021-01-26|title=How to Stop the Spread of Bagel Virus|work=[[ABC News]]|url=https://abcnews.go.com/Technology/ZDM/story?id=97398&page=1|url-status=live|access-date=2021-04-13|archive-url=https://web.archive.org/web/20210126125341/https://abcnews.go.com/Technology/ZDM/story?id=97398&page=1|archive-date=2021-01-26}}</ref> It does not mail itself to addresses containing certain strings such as "@hotmail.com", "@msn.com", "@microsoft", "@avp", or “.r1”.<ref>{{Cite web|title=Email-Worm:W32/Bagle|url=https://www.f-secure.com/v-descs/bagle.shtml|url-status=live|archive-url=https://web.archive.org/web/20210126030855/https://www.f-secure.com/v-descs/bagle.shtml|archive-date=2021-01-26|access-date=2021-04-13|website=[[F-Secure]]}}</ref> Bagle pretends to be a different file type (a 15,872 byte Windows Calculator for Bagle.A and an 11,264 byte audio file for Bagle.B), with a randomized name, and it will then open that file type as a cover for opening its own [[.exe|.exe file]].<ref>{{Cite web|title=Virus Profile: W32/Bagle@MM|url=http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965|url-status=dead|archive-url=https://web.archive.org/web/20080127150353/http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965|archive-date=2008-01-27|access-date=2021-04-13|website=[[McAfee]]}}</ref><ref name=":1">{{Cite journal|date=March 2004|title=February|url=https://linkinghub.elsevier.com/retrieve/pii/S1353485804000492|journal=Network Security|language=en|volume=2004|issue=3|pages=5–7|doi=10.1016/S1353-4858(04)00049-2}}</ref><ref name=":0" /> It copies itself to the Windows system directory (Bagle.A as {{mono|bbeagle.exe}}, Bagle.B as {{mono|au.exe}}), adds [[HKCU|HKCU run keys]] to the registry, and opens a [[Backdoor (computing)|backdoor]] on a TCP port (6777 for Bagle.A and 8866 for Bagle.B).<ref name=":1" /><ref name=":0" /> Using an [[HTTP GET]] request, Bagle.B also informs the virus's programmer that the machine has been successfully infected.<ref name=":1" /><ref name=":2">{{Cite news|last=Fisher|first=Dennis|date=2004-02-17|title=New Bagle Virus Gaining Momentum|work=[[eWeek]]|url=https://www.eweek.com/security/new-bagle-virus-gaining-momentum/|access-date=2021-04-13}}{{Dead link|date=June 2022 |bot=InternetArchiveBot |fix-attempted=yes }}</ref> Bagle variants, including Bagle.A and Bagle.B, generally have a date at which they stop spreading included in their programming.<ref name="securelist" /> Computers infected with older versions of Bagle are updated when newer ones are released.<ref>{{Cite news|last=Hines|first=Matt|date=2006-04-17|title=Spam Attack Keeps Bagle Boiling|work=[[eWeek]]|url=https://www.eweek.com/security/spam-attack-keeps-bagle-boiling|access-date=2021-04-13}}</ref> |
||
== History == |
== History == |
Revision as of 13:44, 8 September 2022
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages)
|
Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.
Overview
Bagle used its own SMTP engine to mass-mail itself as an attachment to recipients gathered from the infected computer by combing through all of the computer's .htm, .html, .txt, and .wab files for any email addresses.[1] It does not mail itself to addresses containing certain strings such as "@hotmail.com", "@msn.com", "@microsoft", "@avp", or “.r1”.[2] Bagle pretends to be a different file type (a 15,872 byte Windows Calculator for Bagle.A and an 11,264 byte audio file for Bagle.B), with a randomized name, and it will then open that file type as a cover for opening its own .exe file.[3][4][1] It copies itself to the Windows system directory (Bagle.A as bbeagle.exe, Bagle.B as au.exe), adds HKCU run keys to the registry, and opens a backdoor on a TCP port (6777 for Bagle.A and 8866 for Bagle.B).[4][1] Using an HTTP GET request, Bagle.B also informs the virus's programmer that the machine has been successfully infected.[4][5] Bagle variants, including Bagle.A and Bagle.B, generally have a date at which they stop spreading included in their programming.[6] Computers infected with older versions of Bagle are updated when newer ones are released.[7]
History
The initial strain, Bagle.A, was first sighted on January 18, 2004, seemingly originating in Australia.[1] The original file name for the Bagle virus was Beagle, but computer scientists decided to call it Bagle instead as a way to spite Bagle's programmer.[8] Although it started strong with more than 120,000 infected computers, it quickly dwindled in efficacy.[9] Sometimes accompanied by Trojan.Mitglieder.C, it stopped spreading after January 28, 2004, as designed.[9][1]
The second strain, Bagle.B, was first sighted on February 17, 2004.[5] It was much more widespread and appeared in large numbers; Network Associates rated it a "medium" threat. It was designed to stop spreading after February 25, 2004.
At one point in 2004, the Bagle and Netsky viruses exchanged insults and harsh words with each other in their codes, beginning with Bagle.I on March 3, 2004.[6] Notably, Bagle.J contained the message “Hey, NetSky, fuck off you bitch, don't ruine our bussiness, wanna start a war?”, and Netsky-R included, "Yes, true, you have understand it. Bagle is a shitty guy, he opens a backdoor and he makes a lot of money. Netsky not, Netsky is Skynet, a good software, Good guys behind it. Believe me, or not. We will release thousands of our Skynet versions, as long as bagle is there ...".[10][11] Additionally, Bagle and Netsky both tried to remove each other from an infected system.[12]
Subsequent variants have later been discovered. By July 26, 2004, there were 35 variants of Bagle, and by April 22, 2005, that number had increased to over 100.[13][6] Although they have not all been successful, a number remain notable threats. Additionally, on July 3 and 4, 2004, Bagle.AD and Bagle.AE were released, with the source code for the virus, written in Assembly, visibly appearing in both of them.[14]
Some of these variants contain the following text:
"Greetz to antivirus companies In a difficult world, In a nameless time, I want to survive, So, you will be mine!! -- Bagle Author, 29.04.04, Germany."
This has led some people think the worm originated in Germany.
Since 2004, the threat risk from these variants has been changed to "low" due to decreased prevalence. However, Windows users are warned to watch out for it.
Botnet
The Bagle botnet (Initial discovery early 2004[6][15]), also known by its aliases Beagle, Mitglieder and Lodeight,[16] is a botnet mostly involved in proxy-to-relay e-mail spam.
The Bagle botnet consists of an estimated 150,000-230,000 [17] computers infected with the Bagle Computer worm. It was estimated that the botnet was responsible for about 10.39% of the worldwide spam volume on December 29, 2009, with a surge up to 14% on New Year's Day,[18] though the actual percentage seems to rise and drop rapidly.[19] As of April 2010 it is estimated that the botnet sends roughly 5.7 billion spam messages a day, or about 4.3% of the global spam volume.[17]
See also
References
- ^ a b c d e Munro, Jay (2021-01-26). "How to Stop the Spread of Bagel Virus". ABC News. Archived from the original on 2021-01-26. Retrieved 2021-04-13.
- ^ "Email-Worm:W32/Bagle". F-Secure. Archived from the original on 2021-01-26. Retrieved 2021-04-13.
- ^ "Virus Profile: W32/Bagle@MM". McAfee. Archived from the original on 2008-01-27. Retrieved 2021-04-13.
- ^ a b c "February". Network Security. 2004 (3): 5–7. March 2004. doi:10.1016/S1353-4858(04)00049-2.
- ^ a b Fisher, Dennis (2004-02-17). "New Bagle Virus Gaining Momentum". eWeek. Retrieved 2021-04-13.[permanent dead link]
- ^ a b c d Mashevsky, Yury (2005-04-22). "The Bagle botnet". Securelist. Archived from the original on 2021-01-19. Retrieved 2010-07-30.
- ^ Hines, Matt (2006-04-17). "Spam Attack Keeps Bagle Boiling". eWeek. Retrieved 2021-04-13.
- ^ Husted, Bill (2004-01-21). "Latest Computer Worm Wreaks Less Havoc in U.S. Than Overseas". Atlanta Journal-Constitution.
- ^ a b Seltzer, Larry (2004-01-21). "Bagle Infection Rate Rolling Down". eWeek. Retrieved 2021-04-13.
- ^ "Virus writers start war of words". Internet Magazine. 118: 10. 2004 – via Gale.
- ^ "Netsky--R latest in barrage of warring worms". Software World. 35 (3). 2004 – via Gale.
- ^ "Bagle-Netsky Battle Continues with New Players". Computergram International. MarketLine. 2004-03-17 – via Gale.
- ^ Fisher, Dennis (2004-07-26). "Success of Bagle Virus Puzzles Researchers". eWeek. Retrieved 2021-04-13.
- ^ "Would you like source with your Bagle?". Infosecurity Today. 1 (4): 46. 2004-07-01. doi:10.1016/S1742-6847(04)00095-3. ISSN 1742-6847.
- ^ "A Little Spam With Your Bagle?". M86 Security. 2009-06-04. Archived from the original on 2021-03-12. Retrieved 2010-07-30.
{{cite web}}
:|archive-date=
/|archive-url=
timestamp mismatch; 2012-03-12 suggested (help) - ^ "Bagle". M86 Security. 2009-06-17. Archived from the original on 2011-01-01. Retrieved 2010-07-30.
- ^ a b http://www.messagelabs.com/mlireport/MLI_2010_04_Apr_FINAL_EN.pdf[permanent dead link]
- ^ Dan Raywood. "New botnet threats emerge in the New Year from Lethic and Bagle". SC Magazine UK. Retrieved 2010-07-30.
- ^ Raywood, Dan (2010-01-11). "New Spamming Botnet On The Rise". SC Magazine. DarkReading. Archived from the original on 2016-08-08. Retrieved 2010-07-30.