On Jan. 18, 2004, computer users were served a “bagle” that would ruin anyone’s appetite. Also known as the “Beagle” worm, Bagle has nothing to do with the popular breakfast food, although the two names are pronounced alike despite their different spellings. No, this “Bagle” worm was (and is) a simple, yet highly destructive virus.
A user received an email with the subject line “Hi” purporting to be from a familiar address. The body of the email read “test :)”, and the message carried the attachment bbeagle.exe, which, once executed, launched the Windows calculator to disguise its nefarious deeds. Among other things, it:
- Installed a Trojan for backdoor access to the computer through TCP port 6777.
- Attempted to download a program from 30 websites, mostly German and Russian.
- Added itself to the Windows system folder.
- Changed the registry key for programs that launch on startup.
- Scanned files ending in .wab, .txt, .htm, and .html for email addresses, then sent itself out to those addresses while spoofing a randomly selected name from the user’s address book.
Curiously, Bagle, which experts think originated in Australia, skipped over Hotmail and MSN addresses, perhaps showing the efficacy of Microsoft’s bounty for virus writers. The virus was programmed not to run if the date was after Jan. 28, 2004, prompting the theory that the original Bagle was a testing ground for something bigger.
The big picture
Indeed, it was. Future variants of Bagle eschewed the attachment for ActiveX controls and auto-run media, taking advantage of bad security protocols. Bagle.DW even concocted a “schmear” (sorry) campaign, telling recipients they were being accused of hacking or phishing and to open the attachment to see the evidence against them.
Despite, or perhaps because of, its simplicity, this Bagle is still on the loose in various incarnations.