Windows Bagle Worm Spreading Fast

Bagle.A worm is another mass-mailer that is scheduled to expire on Jan. 28. Experts expect a wave of infection after the holiday.

A new Windows worm discovered Sunday is spreading rapidly, according to security experts and anti-virus firms.

According to Ken Dunham, Director of Malicious Code for iDEFENSE Inc., more than 50,000 interceptions of the worm—known both as Bagle.A and Beagle.A—have already been noted by security firms. "Bagle started gaining significant ground in the wild as the work week resumed in Asia. Bagle appears to have gained the most ground initially in Europe, where it was first detected with the greatest prevalence."


The worm arrives as an executable attachment to an e-mail message. The subject of the message will be "Hi" an the body will be the following:

Test =)[Random characters]--Test, yep.
The attachment, which has a random file name and an extension of .EXE, is 15,872 bytes long.

When the user launches the attachment, it first runs the Windows Calculator program to mask the infection process. At the same time, it copies itself to the Windows SYSTEM directory as bbeagle.exe and creates a registry key to load itself at system startup.

The worm then searches files with .wab, .txt, .htm, and .html extensions on the hard disk for e-mail addresses and mass-mails itself to them, using the same addresses for the messages from: address. It does not send to any addresses with domains of, microsoft.*,, or avp.*.

The virus also listens on TCP port 6777 for remote connections, and attempts to run a script on a number of remote servers instructing them that it is available. According to McAfee, the script is not on any of the servers referenced in the worm.


McAfee, Symantec, Trend Micro and Kaspersky have all added protection against the new worm.