Another Bagle Variant Tears up the Internet

Yet another variant from the virulent Bagle family of worms is rampaging across the Internet.

After only 24 hours in the wild, Bagle-AU has taken the ninth spot in the list of most prolific viruses, according to analysts at Sophos, Inc., an anti-virus and anti-spam company based in Lynnfield, Mass. Carole Theriault, a security consultant with Sophos, says the danger behind Bagle-AU lies in its ability to propagate, overwhelming corporate email servers.

Several new Bagle variants have hit the wild in the past few days and they are strikingly similar in nature and content. Because of their similarities, Sophos has labeled all of the latest variants as Bagle-AU. However, different anti-virus vendors have given the malware different names. The variant also is known as Bagle-BC, Bagle-AT and Bagle-AS.

"Dozens of Bagle variants have been plaguing users since the first one was spotted in January of this year, and unfortunately, they continue to wreak havoc on unprotected users," says Gregg Mastoras, senior security analyst at Sophos. "This variant has been observed in force within companies around the globe, and has the ability to significantly impair email systems if it reaches a critical mass."

The new variant spreads via email messages and attachments, as well as through network shares. The worm attempts to email itself to addresses harvested from the infected machine, as well as copying itself to file-sharing folders. Analysts at MessageLabs Inc., an anti-virus company, report that in an additional attempt to propagate, the new variant will install a remote access component on TCP port 81 and attempt to download files from a website.

The spoofed subject header will contain greetings such as "Hello", "Thank you!" and "Thanks :-)", and the viruses spread when email attachments named "price", "Price" or "Joke" are opened, according to MessageLabs.

The worm copies itself to the Windows system directory and opens TCP port 81 as a means for remote access to the compromised machine, notes MessageLabs. Once installed on a user's machine, it attempts to terminate a number of running security-related processes on the machine.

Anti-virus company Panda Software reports that the worm is spreading rapidly across the world, gaining speed just a few hours after it first appeared. The number of incidents caused by this worm is expected to continue increasing and new variants are expected to emerge over the next few hours, report Panda analysts, who have issued a Red Virus Alert for the bug.

"I suspect that this could be a significant problem," says Sophos' Theriault. "We'll have to wait till Monday to see what happens... Over the weekend the virus will land in all those corporate inboxes. We'll see what happens when they get to work and turn on their computers. If they have protection in place, it won't hurt anybody. But if protection is not in place, it will take off."
