Another Bagle Variant Tears up the Internet

Yet another variant from the virulent Bagle family of worms is rampaging across the Internet.

After only 24 hours in the wild, Bagle-AU has taken the ninth spot in the list of most prolific viruses, according to analysts at Sophos, Inc., an anti-virus and anti-spam company based in Lynnfield, Mass. Carole Theriault, a security consultant with Sophos, says the danger behind Bagle-AU lies in its ability to propagate, overwhelming corporate email servers.

Several new Bagle variants have hit the wild in the past few days and they are strikingly similar in nature and content. Because of their similarities, Sophos has labeled all of the latest variants as Bagle-AU. However, different anti-virus vendors have given the malware different names. The variant also is known as Bagle-BC, Bagle-AT and Bagle-AS.

''Dozens of Bagle variants have been plaguing users since the first one was spotted in January of this year, and unfortunately, they continue to wreak havoc on unprotected users,'' says Gregg Mastoras, senior security analyst at Sophos. ''This variant has been observed in force within companies around the globe, and has the ability to significantly impair email systems if it reaches a critical mass.''

The new variant spreads via email messages and attachments, as well as through network shares. The worm attempts to email itself to addresses harvested from the infected machine and copies itself to file-sharing folders. Analysts at MessageLabs Inc., an anti-virus company, report that in an additional attempt to propagate, the new variant will install a remote access component on TCP port 81 and attempt to download files from a website.

The spoofed subject header will contain greetings such as ''Hello'', ''Thank you!'' and ''Thanks :-)'', and the viruses spread when email attachments named ''price'', ''Price'' or ''Joke'' are opened, according to MessageLabs.
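For mail administrators, the subject and attachment traits above can be turned into a gateway check. The following is an added example, not code from MessageLabs or Sophos: the function name, the rule of requiring both a subject match and an attachment match before quarantining, and the sample file extensions are assumptions, since the report gives attachment names without extensions.

```python
import email
from email import policy
from email.message import EmailMessage

# Traits as reported on this page (MessageLabs); nothing beyond them is assumed.
SUBJECTS = {"hello", "thank you!", "thanks :-)"}
ATTACHMENT_STEMS = {"price", "joke"}  # page lists "price", "Price", "Joke"


def bagle_au_indicators(raw_message: bytes) -> dict:
    """Report which of the described Bagle-AU mail traits a message shows."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    subject_match = subject in SUBJECTS

    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Drop any path component, then compare the name without extensions,
        # because the report does not say which extension is used.
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        stem = base.split(".", 1)[0].lower()
        if stem in ATTACHMENT_STEMS:
            hits.append(name)

    # Assumed policy: "Hello" alone is far too common a subject to act on,
    # so quarantine only when both traits are present.
    return {
        "subject_match": subject_match,
        "attachments": hits,
        "quarantine": subject_match and bool(hits),
    }


def constructed_sample(subject: str, filename: str) -> bytes:
    """Build a harmless test message (constructed data, not a captured sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed body text")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(bagle_au_indicators(constructed_sample("Thanks :-)", "Price.exe")))
```
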

The worm copies itself to the Windows system directory and opens TCP port 81 as a means for remote access to the compromised machine, notes MessageLabs. Once installed on a user's machine, it attempts to terminate a number of running security-related processes on the machine.

Anti-virus company Panda Software reports that the worm is spreading rapidly across the world, gaining speed just a few hours after it first appeared. The number of incidents caused by this worm is expected to continue increasing and new variants are expected to emerge over the next few hours, report Panda analysts, who have issued a Red Virus Alert for the bug.

''I suspect that this could be a significant problem,'' says Sophos' Theriault. ''We'll have to wait till Monday to see what happens... Over the weekend the virus will land in all those corporate inboxes. We'll see what happens when they get to work and turn on their computers. If they have protection in place, it won't hurt anybody. But if protection is not in place, it will take off.''
