Online security experts are increasing the threat level on a
fast-spreading e-mail virus capable of allowing an attacker to upload and execute malicious code on infected computers.
The mass-mailing W32/BAGLE-A worm, also known as Bagle or Beagle,
includes a backdoor component which listens on TCP port 6777 and lets an attacker execute arbitrary programs on infected systems, anti-virus experts warned on Tuesday.
MessageLabs described the Bagle virus as “high risk” while Network
Associates has assigned a “medium risk” assessment.
The virus, first quarantined in Germany, has been spotted in 138
countries with the highest distributions in Europe and Asia. Because of the long holiday weekend, distribution in the U.S. has been low.
The Bagle virus arrives as a .EXE attachment with a random name and with
the word “hi” in the subject line. If an unsuspecting user executes the
attachment, the worm copies itself to the Windows system folder with
instructions to run at logon.
Upon execution, the Bagle virus uses its own SMTP engine to
send itself to addresses harvested from files on the hard disk and spoofs
the “From” field in e-mails it sends.
According to a Network Associates alert, the worm contains a potentially
dangerous remote access component which listens on TCP port 6777 for remote
connections. “It tries to notify the virus author of its readiness to accept
commands by contacting various websites and calling a script located on the
remote site,” the company warned.
The company warned that home users are at higher risk of infection.
Network Associates and Sophos have posted disinfection instructions.
According to Sophos senior security analyst Chris Belthoff, home users were at a higher risk of infection because most enterprises are blocking .EXE attachments at the gateway. But, as with the destructive SoBig virus, workers at home offices who connect remotely to an enterprise network represent a danger.
“This virus can sneak into an enterprise environment through the home workers because it grabs all e-mail addresses to mail itself to. In many cases, it’s a work-related address book that puts the attachment inside the network,” Belthoff told internetnews.com.
He believes the virus is the work of a sophisticated spam network looking to take over computers and use them as spam zombies. “Eventually, mail server capabilities could be downloaded to infected machines. Once that backdoor is active, any type of code can be loaded on an infected machine.”
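The gateway blocking of .EXE attachments that Belthoff describes can be sketched as follows. This is an added example, not code from the article or from any vendor named in it; the function names, sample addresses and sample messages are constructed for illustration. It goes one step beyond the extension check by also inspecting the attachment's first bytes, since a file name is under the sender's control.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".exe",)  # attachment type named in the article
MZ_MAGIC = b"MZ"                # first two bytes of a DOS/Windows executable


def gateway_verdict(raw_message: bytes) -> dict:
    """Decide whether a gateway should block a message (hypothetical helper)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if not name and part.get_content_disposition() != "attachment":
            continue  # message body, not an attachment
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"{name}: blocked extension")
        elif data.startswith(MZ_MAGIC):
            # Random or renamed file names do not change the file header.
            reasons.append(f"{name or '<unnamed>'}: executable header")
    subject = str(msg["Subject"] or "").strip().lower()
    return {
        "action": "block" if reasons else "allow",
        "reasons": reasons,
        # Subject alone is too weak to block on; report it for triage only.
        "subject_hi": subject == "hi",
    }


def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message; addresses and contents are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(gateway_verdict(build_sample("hi", "kqzrtw.exe", b"MZ\x90\x00constructed")))
    print(gateway_verdict(build_sample("hi", "notes.txt", b"MZ\x90\x00constructed")))
    print(gateway_verdict(build_sample("Minutes", "minutes.pdf", b"%PDF-1.4 constructed")))
```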