New Bagle Threat Spreading Quickly, Quietly

A new version of the Bagle worm is making its way across the Internet, showing up in mailboxes with a "foto."

Like Bagle.AQ infected messages of two weeks ago, a flood of infected e-mails started hitting users mailboxes Tuesday bearing the subject line "foto", and an unencrypted zip file "". However, it doesnt seem to be able to get much farther than the initial spam.

The zip file contains an HTML file that when executed drops downloader component on the victims machine, which attempts to connect to one of many web sites to download the worm portion The new virus, first identified by Trend Micro Inc. as Worm_Bagle.AI appeared to have been seeded, or spammed to many users, but due to problems with the web sites that carry the propagation code, it hasnt spread further.

How to prevent it: Do not open attachments, especially Get the latest updates from your antivirus company.

Bagle.AI was first discovered on August 31st, and the attack slipped in under the radar of our own corporate antivirus. The virus arrives by an e-mail with the subject "foto", and a spoofed "from" address. The attachment is an un-encrypted Zip file named ""

The zip file contains two files, foto.html and foto1.exe. When a user clicks on the HTML file, it executes the foto1.exe file. The HTML file contains JavaScript that is detected as JS/IllWill. The foto1.exe initially drops a file named DORIOT.EXE (note, it has the creation date of 9/1/04, which was a day ahead of the start of the outbreak) into the Window system folder, along with a companion file GDQFW.EXE. It creates the following value:

Wersds.exe = "%system%\doriot.exe

In the following registry keys:


(%system% is the Windows System folder and is usually C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32 on Windows XP.)

According to Symantec, the gdqfw.exe file is injected into Explorer.exe and runs as a thread that stops the service "Shared Access" and then sets the startup type to disabled. It then attempts to stop security software processes.

The gdqfw.exe is also the downloader, which attempts to contact one of over 130 web sites to download the actual worm propagation code. For the full list, see Symantecs analysis.

The files are saved as "_re_file.exe" in the Windows installation folder and then executed. However, at this time, all the sites appear to be inoperable, leaving the victims machine with only a few installed files and registry entries. If the web sites do become active, Bagle.AI may spread quickly.

In PCMag.coms tests, we noticed that the firewall recognized Explorer.exe trying to get to the web. Since this is a normal occurrence, detection by a firewall (as Bagle.AQ was detectable), may not be possible.


To read the full story and how to remove the worm,

click here.