This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
-- Update March 13, 2004 --
Due to decreased prevalence, the risk assessment of this threat has been lowered to Low-Profiled.
-- Update March 2nd 4:38pm PST --
The risk assessment of this threat has been raised to medium due to increased prevalence.
If you think that you may be infected with Bagle.j and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
This is a mass-mailing worm with the following characteristics:
The message-bodies are constructed with several parts, to effectively customize the email, to make it appear to be a legitimate warning notification. The details are as follows:
(address is spoofed)
(Where the user's domain is taken from the To: address. For example, for a recipient address at mail.com the user's domain would be "mail.com".)
Main message body -
Attachment explanation -
Password information - (if received as a ZIP file)
The (user's domain) team http://www.(user's domain)
(Where the first part of the closing is selected from the list. The second part is always present.)
Attachment: (May be .EXE .PIF or .ZIP)
The virus copies itself into the Windows System directory as IRUN4.EXE. For example:
It also creates a file IRUN4.EXEOPEN which may either be another copy of itself or a ZIP file (~13KB) to be sent in email.
The following Registry key is added to hook system startup:
Like its predecessors, this worm checks the system date. If it is the 25th of April 2005 or later, the worm simply exits and does not propagate.
The worm uses the following icon, to make it appear that the file is a WordPad document:
This worm attempts to terminate the processes of security programs with the following filenames:
The worm opens port 2745 (TCP) on the victim machine.
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
The virus spoofs the sender address by using a harvested address in the From: field.
The virus avoids sending itself to addresses containing the following:
Peer To Peer Propagation
Files are created in folders whose names contain the phrase "shar":
Remote Access Component
The virus listens on TCP port 2745 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by contacting various websites and calling a PHP script on each remote site. At the time of this writing, this script does not exist on any of these sites.
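The following host-triage script is an added example, not McAfee's code or part of the Stinger tool. It checks the indicators this advisory names (the dropped files IRUN4.EXE and IRUN4.EXEOPEN in the Windows System directory, a listener on TCP port 2745, and a mail whose closing is built from the recipient's own domain with an .EXE/.PIF/.ZIP attachment) against text collected from a suspect machine; the directory listing, netstat rows and mail body below are constructed samples.

```python
import re

# Indicators of W32/Bagle.j@MM taken from the advisory text above.
DROPPED_FILES = {"IRUN4.EXE", "IRUN4.EXEOPEN"}   # dropped into the Windows System directory
BACKDOOR_PORT = 2745                              # remote access component listens here
ATTACHMENT_EXTS = (".exe", ".pif", ".zip")

# Matches one LISTENING row of Windows `netstat -ano` output: proto, local addr:port, state, PID.
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?", re.IGNORECASE)

def check_system_dir(filenames):
    """Return the dropped-file names found in a directory listing (case-insensitive)."""
    return sorted(n.upper() for n in filenames if n.upper() in DROPPED_FILES)

def check_netstat(lines):
    """Return (port, pid) for every LISTENING socket on the backdoor port."""
    hits = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            hits.append((BACKDOOR_PORT, m.group(2)))
    return hits

def mail_heuristic(to_addr, body, attachment):
    """True when the closing is built from the recipient's own domain, as the
    advisory describes, and the attachment has one of the listed extensions."""
    domain = to_addr.rsplit("@", 1)[-1].lower()
    closing = f"the {domain} team http://www.{domain}"
    return closing in body.lower() and attachment.lower().endswith(ATTACHMENT_EXTS)

def triage(filenames, netstat_lines):
    """Combine the host checks into one verdict."""
    files = check_system_dir(filenames)
    listener = check_netstat(netstat_lines)
    return {"files": files, "listener": listener, "suspect": bool(files or listener)}

# Constructed sample data (not captured from a real infected host).
SAMPLE_FILES = ["kernel32.dll", "irun4.exe", "IRUN4.EXEOPEN", "notepad.exe"]
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       728",
    "  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1432",
]
SAMPLE_BODY = "Notification text goes here.\nThe mail.com team http://www.mail.com"

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_NETSTAT))
    print(mail_heuristic("someone@mail.com", SAMPLE_BODY, "details.zip"))
```

A hit on either host check should be followed by the engine/DAT scan and the reboot-and-rescan step described below, since the file check alone does not confirm the registry startup hook has been removed.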
Use the specified engine and DAT files for detection and removal.
If you see detection of this threat on your system, a reboot and additional scan may be required to clean this completely.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
Stinger has been updated to assist in detecting and repairing this threat.
Filters have been developed that will look for traffic for the .G, .H and .J variants of W32/Bagle [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].
ThreatScan signatures that can detect the W32/Bagle.j@MM virus are available from:
ThreatScan Signature version: 2004-03-02
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:
For additional information:
-Run the "ThreatScan Template Report"
-Look for module number #4069
ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:
-Select TCP Port scan
-Enter port: 2745
McAfee Desktop Firewall
To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 2745.