Yay, new worm! Bagle is on the loose now. It will arrive in an email with the subject "Hi" and "Test =) {random characters} Test, yep." in the body. It will have an attachment with a random filename and the standard Windows Calculator icon. If you run the attachment before January 28, 2004, the worm copies itself to your Windows system directory as bbeagle.exe, creates registry entries to load that file at startup, and then opens the Windows Calculator program as cover. On January 28, 2004, or later, the program simply does nothing and exits. This expiration date may be a sign that another version is planned.
The worm collects email addresses from .wab, .txt, .htm, and .html files (address book, text, and HTML files). The first email uses the same collected address as both the To and the From. The second email uses that same address as the From and the next collected address as the To. The third email goes to the third address found, from the second address, and so on. It won't send to addresses that contain "@hotmail.com", "@msn.com", "@microsoft", or "@avp". The worm also opens the system for remote access and tries to report to a script on several websites (none of which are currently active) that the system is infected.
As with Sobig.f, I've made a script to remove Bagle from your system. Save unbagle.inf on your Desktop or somewhere else handy, then right-click it and choose Install. While most of you probably haven't spent as much time with .inf files as I have, it's pretty easy to open the file in Notepad and see what's going on. It's set up so that the default Install action is to delete files and registry entries. Normally you would use those directives in the uninstall section, but the whole point of this script is to remove stuff, so removing stuff is the default action. In the file you will see that the location of the file is specified as 11. This equates to your Windows System directory (you can find a list of these directory numbers in a KB article linked from the Software section of PC Tech). Basically the default "install" just goes through and deletes the files and registry entries from the locations listed in the file.

If the worm program is running, you may need to use this script twice. While the worm file is in use, Windows might not let the script delete it, but the script will still remove the startup entries from the registry. Run the script once, and the worm won't be running after you reboot. Then run the script again and the worm file will get deleted, since it isn't running this time.
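To show the structure described above, here is an added illustration of what such a removal .inf looks like; it is not the author's unbagle.inf. The Run-key value name is a placeholder, since the post doesn't give the name the worm writes, and the `,,,1` flag (queue the delete for the next reboot if the file is in use) goes one step beyond what the post describes:

```inf
; Added example of a cleanup .inf: "Install" from the right-click menu runs
; the [DefaultInstall] section, which here only deletes things.
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
DelFiles=WormFiles   ; files to delete (locations come from [DestinationDirs])
DelReg=WormReg       ; registry values to delete

[DestinationDirs]
; Directory ID 11 = the Windows System directory, where bbeagle.exe is dropped.
WormFiles=11

[WormFiles]
; ",,,1" = DELFLG_IN_USE: if the file is locked by the running worm,
; schedule the delete for the next reboot instead of giving up.
bbeagle.exe,,,1

[WormReg]
; Remove only the worm's startup value, not the whole Run key.
; WORM_RUN_VALUE_NAME is a placeholder: replace it with the value name the
; worm actually writes (check the Run keys in regedit before running this).
HKLM,Software\Microsoft\Windows\CurrentVersion\Run,WORM_RUN_VALUE_NAME
HKCU,Software\Microsoft\Windows\CurrentVersion\Run,WORM_RUN_VALUE_NAME
```

Leaving the value-entry name off a DelReg line deletes the entire key, so always name the specific value when cleaning the Run keys.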