Yet another variant from the virulent Bagle family of worms is rampaging
across the Internet.
After only 24 hours in the wild, Bagle-AU has taken the ninth spot in
the list of most prolific viruses, according to analysts at Sophos,
Inc., an anti-virus and anti-spam company based in Lynnfield, Mass.
Carole Theriault, a security consultant with Sophos, says the danger
behind Bagle-AU lies in its ability to propagate, overwhelming corporate
email servers.
Several new Bagle variants have hit the wild in the past few days and
they are strikingly similar in nature and content. Because of their
similarities, Sophos has labeled all of the latest variants as Bagle-AU.
However, different anti-virus vendors have given the malware different
names. The variant is also known as Bagle-BC, Bagle-AT and Bagle-AS.
“Dozens of Bagle variants have been plaguing users since the first one
was spotted in January of this year, and unfortunately, they continue to
wreak havoc on unprotected users,” says Gregg Mastoras, senior security
analyst at Sophos. “This variant has been observed in force within
companies around the globe, and has the ability to significantly impair
email systems if it reaches a critical mass.”
The new variant spreads via email messages and attachments, as well as
through network shares. The worm attempts to email itself to addresses
harvested from the infected machine, as well as copying itself to
file-sharing folders. Analysts at MessageLabs Inc., an anti-virus
company, report that in an additional attempt to propagate, the new
variant will install a remote access component on TCP port 81 and
attempt to download files from a website.
The spoofed subject header will contain greetings such as “Hello”,
“Thank you!” and “Thanks :-)”, and the viruses spread when email
attachments named “price”, “Price” or “Joke” are opened, according
to MessageLabs.
The worm copies itself to the Windows system directory and opens TCP
Port 81 as a means for remote access to the compromised machine, notes
MessageLabs. Once installed on a user’s machine, it attempts to
terminate a number of running security-related processes on the machine.
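A mail-gateway triage check built from the indicators MessageLabs reports above (the greeting subjects and the attachment names), as an added Python example that is not code from Sophos, MessageLabs or Panda. The sample messages are constructed, and the assumption that the attachment name may carry an extension such as "price.zip" is mine; a subject alone is not enough to quarantine, only subject plus attachment together.

```python
"""Triage incoming mail against the Bagle-AU indicators quoted in the article."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator strings exactly as reported by MessageLabs.
SUSPECT_SUBJECTS = {"Hello", "Thank you!", "Thanks :-)"}
SUSPECT_ATTACHMENT_STEMS = {"price", "Price", "Joke"}


def attachment_names(msg):
    """Filenames of every attachment part in a parsed EmailMessage."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify_message(raw):
    """Match one raw RFC 5322 message against the indicators.

    Verdict is 'quarantine' only when BOTH a suspect subject and a suspect
    attachment name are present, so a benign "Hello" mail is still delivered.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    names = attachment_names(msg)
    # Assumption: compare the name without extension, "price.zip" -> "price".
    stems = [n.rsplit("/", 1)[-1].split(".", 1)[0] for n in names]
    hit_subject = subject in SUSPECT_SUBJECTS
    hit_attach = [n for n, s in zip(names, stems) if s in SUSPECT_ATTACHMENT_STEMS]
    verdict = "quarantine" if hit_subject and hit_attach else "deliver"
    return {"subject": subject, "suspect_subject": hit_subject,
            "suspect_attachments": hit_attach, "verdict": verdict}


def triage(raw_messages, burst_threshold=3):
    """Classify a batch; flag an outbreak when quarantines reach the threshold,
    reflecting the mass-mailing load the article warns about."""
    verdicts = [classify_message(r)["verdict"] for r in raw_messages]
    quarantined = verdicts.count("quarantine")
    return {"quarantined": quarantined, "delivered": len(verdicts) - quarantined,
            "outbreak": quarantined >= burst_threshold}


def build_sample(subject, attachment_name=None):
    """Construct a sample message for testing (not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attached")
    if attachment_name:
        m.add_attachment(b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```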
Anti-virus company Panda Software reports that the worm is spreading
rapidly across the world, gaining speed just a few hours after it first
appeared. The number of incidents caused by this worm is expected to
continue increasing, and new variants are expected to emerge over the
next few hours, report Panda analysts, who have issued a Red Virus
Alert for the bug.
“I suspect that this could be a significant problem,” says Sophos’
Theriault. “We’ll have to wait till Monday to see what happens… Over
the weekend the virus will land in all those corporate inboxes. We’ll
see what happens when they get to work and turn on their computers. If
they have protection in place, it won’t hurt anybody. But if protection
is not in place, it will take off.”