After only being in the wild for three days, the Bagle-AI variant has cracked the Top Five list of Most Dangerous Malware.
Bagle-AI, which was first captured on July 19, has spread rapidly across the Internet. Analysts from anti-virus company MessageLabs, Inc. report that they intercepted 15,000 copies of the virus within the first 45 minutes of its initial detection.
The variant was first spotted in the United Kingdom.
”It did have a big initial impact,” says Steve Sundermeier, a vice president at Central Command, an anti-virus company based in Medina, Ohio. ”We had corporations all over the world calling and inquiring about it. It required an emergency update of our anti-virus software.”
Sundermeier reports that after only its second day in the wild, Bagle-AI made up 3.7 percent of all malware in circulation. It ranks behind Netsky-P, Netsky-Q, Netsky-B and Netsky-Z.
Sundermeier says part of the reason that this particular Bagle variant has been so successful is due to the aggressive way it harvests email addresses. The worm searches infected machines for a longer list of extensions than most worms usually do.
Bagle.AI is a mass-mailing worm with its own SMTP engine. It also includes a remote access program. The virus is being sent with multiple attachment types, according to reports from MessageLabs. In some cases, the body of the message contains a password for attached password-protected ZIP files.
The worm also is designed to search out anti-virus and personal firewall applications and shut them down.
Bagle-AI is just one of many variants of the Bagle family of worms that have hit the Internet in the last few weeks. The flurry of releases has given new life to the Bagle worm which had been fairly dormant since late February. Central Command has logged in Bagle-AE, Bagle-AF, Bagle-AG, Bagle-AH and Bagle-AI in just the last few weeks.
The worm’s author or authors dropped the worm’s source code into two of the recently released variants, feeding other virus writers who may want to write and release their own Bagle variant.
Some security analysts speculate that the Bagle author, trying to avoid prosecution, was copying the creator of the MyDoom worm family when he released the source code. By distributing the source code to thousands or even hundreds of thousands of machines, the author could more easily try to deny responsibility for any worm code found on his machine.
But regardless of his strategy, the release of the source code could mean a run of Bagle variants is on its way.
This article was first published on eSecurityPlanet.com.