Name:  W32.Bagle.B@mm
Aliases:  Bagle.B, W32/Tanx-A
Variants:  
Type:  Worm, Backdoor
Platforms: Windows 32-bit
Status:  in the wild
Threat:  V-CON 4 (medium)
The following has been derived from information provided by NAI, F-secure, Panda Software, and Sophos.
Virus Characteristics
W32.Bagle.B@mm is a mass-mailing worm that contains its own SMTP engine for propagation. It harvests e-mail addresses from files with the following extensions found on the local system:
.WAB
.TXT
.HTM
.HTML
Infected messages arrive with the following characteristics:
From: (address is spoofed)
Subject: ID (random string)... thanks
Body :
Yours ID (random string)
--
Thank
Attachment: Random name.exe (11,264 bytes)
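The following Python mail-gateway check is an added example, not part of the original advisory: it parses a message and reports which of the characteristics listed above it exhibits (subject pattern, body pattern, .exe attachment, attachment size of 11,264 bytes) and collapses them into a gateway action. The sample messages, the sender/recipient addresses and the zero-filled bytes standing in for the attachment are constructed here for illustration; they are not worm samples.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Message characteristics taken from the advisory text above.
SUBJECT_RE = re.compile(r"^ID\s+(\S+)\.\.\.\s*thanks$", re.IGNORECASE)
BODY_RE = re.compile(r"^Yours ID\s+(\S+)\s*\n--\s*\nThank$", re.IGNORECASE)
ATTACHMENT_SIZE = 11264  # bytes, per the advisory


def bagle_b_indicators(msg: EmailMessage) -> dict:
    """Return the Bagle.B mail characteristics a parsed message exhibits."""
    found = {}
    m = SUBJECT_RE.match(msg.get("Subject", "").strip())
    if m:
        found["subject_id"] = m.group(1)          # the random string in the subject
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    m = BODY_RE.match(body.replace("\r\n", "\n").strip())
    if m:
        found["body_id"] = m.group(1)             # the random string in the body
    exes = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".exe"):
            payload = part.get_payload(decode=True) or b""
            exes.append((name, len(payload)))     # decoded size, not the base64 size
    if exes:
        found["exe_attachments"] = exes
        found["size_match"] = any(size == ATTACHMENT_SIZE for _, size in exes)
    return found


def verdict(found: dict) -> str:
    """Collapse the indicators into an action for a mail gateway."""
    if "exe_attachments" not in found:
        return "deliver"
    if "subject_id" in found and "body_id" in found:
        return "quarantine:bagle_b"          # full lure text plus an executable
    return "quarantine:exe_attachment"       # blanket block on .exe attachments


def indicators_for(raw: bytes) -> dict:
    return bagle_b_indicators(message_from_bytes(raw, policy=policy.default))


def triage(raw: bytes) -> str:
    return verdict(indicators_for(raw))


def _build(subject: str, body: str, attachment=None) -> bytes:
    """Build a constructed test message (addresses and bytes are placeholders)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "someone@example.net"   # spoofed in the wild
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, size = attachment
        msg.add_attachment(b"\0" * size, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: one matching the advisory, one unrelated .exe, one clean.
SAMPLES = {
    "worm": _build("ID xv3n9... thanks", "Yours ID xv3n9\n--\nThank",
                   ("qwu.exe", ATTACHMENT_SIZE)),
    "other_exe": _build("Invoice", "See attached.", ("setup.exe", 40960)),
    "clean": _build("Lunch?", "Noon works for me.", None),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw), indicators_for(raw))
```

The size check is kept as a separate indicator rather than a hard requirement because the attachment size is the first thing a new variant changes; the subject and body text plus any .exe attachment is already enough to quarantine.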
This worm also contains a remote access component. The worm listens for remote connections on TCP port 8866 and notifies its author(s) over HTTP: a GET request containing the listening port number and an "id" value is sent to a PHP script on the following remote server(s):
www.47df.de
www.strato.de
intern.games-ring.de
If the system date is 25 February 2004 or later, the worm simply exits without propagating.
Payload
This mass-mailing worm drops a copy of itself into the Windows system directory as AU.EXE. To ensure that W32/Bagle.B@mm is executed whenever Windows starts, the following entry is created in the Windows Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
au.exe = %sysdir%\au.exe
%sysdir% is the Windows system directory.
Preventative Measures
Block all incoming email messages that carry attachments with .exe extensions.
Block access to the following websites:
www.47df.de
www.strato.de
intern.games-ring.de
Block TCP port 8866 at the corporate firewall.
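As an added example (not part of the original advisory), the Python triage below operationalizes the network indicators from the remote access description and the blocking measures above: it flags proxy requests to the listed hosts, rating a request higher when it goes to a PHP script and carries the port number and an "id" parameter, and flags TCP connections to port 8866 in firewall logs. The two log formats, the IP addresses, the script path and the parameter names in the sample lines are constructed assumptions for this example; the advisory gives only the hosts, the port, the "id" and the fact that a PHP script is contacted.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Network indicators listed in the advisory above.
BEACON_HOSTS = {"www.47df.de", "www.strato.de", "intern.games-ring.de"}
BACKDOOR_PORT = 8866

# Constructed log formats (assumed for this example, not from the advisory):
#   proxy:    "<ts> <client_ip> <method> <url> <status>"
#   firewall: "<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST|HEAD|CONNECT) (\S+) (\d{3})$")
FW_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def check_proxy_line(line: str):
    """Flag HTTP requests to the notification hosts; rate the beacon shape higher."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in BEACON_HOSTS:
        return None
    qs = parse_qs(parts.query)
    # Advisory: a GET to a PHP script carrying the listener port and an "id".
    carries_port = any(str(BACKDOOR_PORT) in v for vals in qs.values() for v in vals)
    carries_id = any(k.lower() == "id" for k in qs)   # parameter name assumed
    beacon_shape = (method == "GET" and parts.path.lower().endswith(".php")
                    and carries_port and carries_id)
    return {"type": "beacon", "time": ts, "client": client, "dest": host,
            "path": parts.path, "confidence": "high" if beacon_shape else "medium"}


def check_firewall_line(line: str):
    """Flag any TCP connection to the backdoor port, whichever side initiated."""
    m = FW_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport, action = m.groups()
    if proto != "TCP" or int(dport) != BACKDOOR_PORT:
        return None
    return {"type": "backdoor_connect", "time": ts, "src": src, "dst": dst,
            "action": action}


def triage(lines):
    """Run both checks over mixed log lines and collect the alerts in order."""
    alerts = []
    for line in lines:
        hit = check_proxy_line(line) or check_firewall_line(line)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample log: one full-shape beacon, one benign request, one partial
# beacon, one inbound hit on 8866, one unrelated TCP flow, one UDP flow on 8866.
SAMPLE_LOG = """\
2004-02-18T09:12:01 10.0.0.21 GET http://www.47df.de/scr.php?port=8866&id=123456 200
2004-02-18T09:12:05 10.0.0.21 GET http://www.example.org/index.html 200
2004-02-18T09:12:09 10.0.0.34 GET http://intern.games-ring.de/ping.php?p=8866 404
2004-02-18T09:13:10 TCP 198.51.100.7:41222 -> 10.0.0.21:8866 ALLOW
2004-02-18T09:13:11 TCP 10.0.0.21:51000 -> 10.0.0.5:443 ALLOW
2004-02-18T09:13:12 UDP 10.0.0.21:5353 -> 224.0.0.251:8866 ALLOW
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(alert)
```

A proxy hit on one of the three hosts is reported even when the query does not look like the beacon, because the hosts are on the block list regardless; the confidence field only says how closely the request matches the described notification. Firewall matches are kept to TCP, since the advisory names a TCP listener, and an ALLOW on an inbound 8866 connection is the case worth escalating.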
Fixes Available
Network Associates:
Minimum DAT: 4324
Release Date: 2/18/04
Minimum Engine: 4.2.40