000024198 - Bagle-A is a mass-mailing virus.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000024198
Applies To: RSA enVision v3
Issue: Bagle-A is a mass-mailing virus.

Bagle-A is a mass-mailing virus. It arrives as an e-mail message containing the subject line Hi and an executable attachment with a random filename. When the attachment is activated by a recipient, the worm installs a program on the user's computer. This allows the worm to be sent to other e-mail addresses found in the system's local address book.

The worm also attempts to install a backdoor or Trojan on infected machines, which listens for activity on port 6777.

Once lodged in the registry, Bagle-A runs "calc.exe" before attempting to download and execute "TrojanProxy.Win32.Mitgleider" from a variety of remote websites.

Resolution

Windows Device

To create NIC Correlation Rules, use security event IDs 560 and 592 and filter for the specific word bbeagle.exe. Join the two statements (circuits) with the OR operator.

Also, create a new report based on the Windows Accounting table. On the Specify Report Selection Criteria window in the wizard, type the SQL where clause: EventID IN (560,592) AND Description LIKE '%bbeagle.exe%'.

Cisco Pix Firewall

To create NIC Correlation Rules use event ID 302014 and filter for the specific word bbeagle.exe. Correlate against host logs with either a Microsoft Exchange server or Windows Servers (see the Windows Device section above).

Also, create a new report based on the Firewall Accounting table. On the Specify Report Selection Criteria window in the wizard, type the SQL where clause: LocalPort = 6777.

Note: There is also a system report that displays all inbound mail. To reduce false positives, correlate it with a mail server log, such as that of Microsoft Exchange Server, filtered on bbeagle.exe.

Netscreen

To create NIC Correlation Rules use event ID 00257 and filter for the specific word bbeagle.exe. Correlate against host logs with either a Microsoft Exchange server or Windows Servers (see the Windows Device section above).

Also, create a new report based on the Firewall Accounting table. On the Specify Report Selection Criteria window in the wizard, type the SQL where clause: LocalPort = 6777.

Note: There is a system report that displays all inbound mail. To reduce false positives, correlate it with a mail server log, such as that of Microsoft Exchange Server, filtered on bbeagle.exe.
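The two where clauses above (the Windows Accounting filter on event IDs 560/592 plus bbeagle.exe, and the Firewall Accounting filter on LocalPort = 6777) and the host-versus-firewall correlation the sections recommend, worked through as an added example in Python. This is not enVision code; the record layouts, host names, addresses and the host-to-IP map are constructed for illustration.

```python
import re

# Constructed sample records (not real enVision data), shaped loosely like the
# Windows Accounting and Firewall Accounting tables the article's clauses target.
WINDOWS_ACCOUNTING = [
    {"EventID": 592, "Host": "ws01",
     "Description": "A new process has been created: C:\\WINDOWS\\system32\\bbeagle.exe"},
    {"EventID": 560, "Host": "ws01",
     "Description": "Object Open: C:\\WINDOWS\\system32\\calc.exe"},
    {"EventID": 592, "Host": "ws02",
     "Description": "A new process has been created: C:\\WINDOWS\\notepad.exe"},
    {"EventID": 4624, "Host": "ws03",            # right string, wrong event ID
     "Description": "Logon by service bbeagle.exe"},
]
FIREWALL_ACCOUNTING = [
    {"Device": "pix", "EventID": 302014, "LocalAddr": "10.0.0.11", "LocalPort": 6777},
    {"Device": "pix", "EventID": 302014, "LocalAddr": "10.0.0.12", "LocalPort": 443},
    {"Device": "netscreen", "EventID": 257, "LocalAddr": "10.0.0.13", "LocalPort": 6777},
]
HOST_IPS = {"ws01": "10.0.0.11", "ws02": "10.0.0.12", "ws03": "10.0.0.13"}  # assumed asset map


def sql_like(pattern, value):
    """Evaluate a SQL LIKE pattern (% and _ wildcards) against a string, case-insensitively."""
    rx = re.escape(pattern).replace("%", ".*").replace("_", ".")
    return re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL) is not None


def windows_hits(rows):
    """EventID IN (560,592) AND Description LIKE '%bbeagle.exe%'."""
    return [r for r in rows
            if r["EventID"] in (560, 592) and sql_like("%bbeagle.exe%", r["Description"])]


def firewall_hits(rows):
    """LocalPort = 6777, the port the article says the backdoor listens on."""
    return [r for r in rows if r["LocalPort"] == 6777]


def correlate(win_rows, fw_rows, host_ips):
    """Hosts that show BOTH a bbeagle.exe host event and port-6777 firewall traffic.

    Port 6777 alone is a weak indicator; requiring the host-side event is what
    cuts the false positives the article's notes warn about.
    """
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    host_side = {r["Host"] for r in windows_hits(win_rows)}
    fw_side = {ip_to_host.get(r["LocalAddr"]) for r in firewall_hits(fw_rows)}
    return sorted(host_side & fw_side)  # → ['ws01']
```

ws03 has port-6777 traffic but its only bbeagle.exe event is ID 4624, so it drops out of the correlated result.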
Legacy Article ID: a36905
