Bagel worm to go stale?

21 Jan 2004

Reports of a new mass-mailing worm, known as Bagel-A, are not a cause for alarm, a local computer security expert has said. The worm, first spotted in Australia earlier this week, has drawn comparisons in some quarters with last year’s virulent Sobig worm but these are wide of the mark, according to Dermot Williams, managing director of the Dublin-based security software provider Systemhouse Technology.

“At the height of Sobig, we saw very large volumes of mails during the worst of it,” he said. Systemhouse’s records showed that the company blocked “tens of thousands” of infected emails; by contrast, in the three days from Sunday to Tuesday just over 4,000 copies of Bagle-A were blocked.

According to the antivirus provider Sophos, W32/Bagle-A is a worm that sends itself to addresses harvested from files on the hard disk. The worm spoofs the ‘From’ field in emails it sends, which means that it may appear to have come from someone that the user may know.

Systemhouse has been monitoring the spread of the worm since Sunday but its threat has not been deemed sufficient to send specific alerts to customers. “We can issue SMS and email to customers, but we’re very careful about when we press the button. We don’t want to be the boy who cried wolf.”

Each month brings hundreds of mass-mailing worms and Bagel-A appears to be nothing out of the ordinary in terms of the email traffic it generates, Williams told “We have not even issued a customer alert,” he said. “It is not a cause for alarm.”

Despite Bagel-A’s apparent lack of severity, companies should not be complacent, Williams pointed out. “The most effective step is not to allow executable attachments into your email system. Very few organisations need to allow this kind of file in.” The user groups most at risk from this kind of mass-mailing worm are home users and small businesses.

This may not be the last we hear of Bagel-A however; early reports have suggested that it may be the first of a series of similar email worms based on a similar recipe. “My understanding is that there is an expiry date built in and it may become one of those worms that you see variations of,” said Williams.

Several antivirus software providers, including McAfee and Trend Micro, have classified the worm as ‘medium risk”.

By Gordon Smith