Bagle’s return could leave a sour taste

3 Nov 2004

Two new variants of the long-running Bagle worm were discovered recently. US security firm MessageLabs intercepted copies of both and classified them as polymorphic, multi-stage viruses. Bagle.BA and Bagle.BB spread via mass mailing and, in an additional attempt to propagate, copy themselves to folders commonly used by peer-to-peer applications. They also install a backdoor component listening on TCP port 81, which gives an attacker remote access to the PC, and attempt to download further files from a website.

According to MessageLabs, both harvest email addresses found in local files and use those addresses in the ‘from’ field of the message to send themselves. That way, recipients receive an email that appears to come from a genuine sender such as a work colleague, friend or family member.

As usual, the worm’s payload is contained in an attachment and is launched if the recipient opens it. Though otherwise largely indistinguishable from its ‘brother’, Bagle.BB differs in one respect: it attempts to terminate running copies of the Netsky virus. Variants of Bagle have been in the wild since January of this year.

Meanwhile, in other security news, last month saw a massive jump in the rate of virus infection in Irish emails, with 18.9pc of messages found to contain malicious code, up from previously stable levels of under 10pc.

The news was leavened somewhat by a drop in the proportion of spam mails in circulation, although this was nonetheless high at 30.7pc.

The latest monthly statistics collated by IE Internet, the Dublin-based email and hosting provider, showed that Zafi.B was by some distance the most frequently occurring virus, found in more than half of all the infected messages tracked during October. Variants of Netsky, a virus originally spotted more than six months ago, make up the remainder of the top five recorded attackers.

The spike in virus numbers actually caused IE Internet to double-check its figures, which it verified as accurate. Ken O’Driscoll, technical manager with IE Internet, explains: “I can only attribute Zafi’s jump from 35.91pc to 53.03pc to the fact that people aren’t keeping their antivirus software updated. Zafi.B spreads by both email and file sharing. Also, every month more people are going online and starting to use email for the first time, which means there are higher volumes of email and more people potentially vulnerable to virus infection.”

Zafi.B is smart enough to disable certain Windows desktop antivirus packages, O’Driscoll adds. The new Microsoft Windows XP service pack, however, includes the Microsoft Security Centre that does a lot to prevent rogue programs from disabling security software. “Microsoft gives this service pack away for free but it looks like people aren’t applying it,” observes O’Driscoll.

He attributes the slowdown in spam — it had been as high as 35.12pc one month previously — to several possible factors. “The most likely is that a large zombie network was discovered and shut down,” he says.

A zombie network is the term for a large collection of virus-infected computers that the virus creator can use as open relays for sending spam. O’Driscoll adds that virus writers and spammers are not always one and the same person; more commonly they simply have a mutually beneficial business arrangement.

By Gordon Smith