New Bagle spreads with old recipe

16 Jul 2004

A new version of Bagle has been discovered, sending emails with infected attachments like the variants that preceded it.

It is believed that the worm may have been built from source code contained in an earlier variant. Most commonly called Bagle-AF but also known as W32/ or W32.Beagle.AB@mm, the worm propagates via infected emails. According to the Finnish security software provider F-Secure, the attachments are sometimes password-protected .ZIP archives, which gateway scanners cannot open to inspect. The password needed to extract the archive may be supplied as an image attached to the email rather than as text, so that a filter looking for the password in the message body does not find it.

As with many current worms, Bagle-AF spoofs the ‘from’ field of the emails it sends, to fool recipients into thinking the message comes from a trustworthy source or someone they know.
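The two traits described above, a password-protected ZIP attachment with the password delivered outside the archive, are exactly what a mail-gateway heuristic can key on. The following is an added example, not code from the article or from any vendor named in it: it walks the ZIP local file headers of each attachment to see whether the encryption bit is set, looks for a password in the plain-text body, notes any attached image that could carry the password, and flags the combination. The message it scans is constructed inline; the archive is a real ZIP whose header flag has been set by hand, since the standard library cannot write encrypted archives, and its payload is not actually encrypted.

```python
"""Mail-gateway heuristic for Bagle-style mass-mailers.

Added example: flags a message that carries a password-protected ZIP
attachment together with the password in the body text or a decoy image.
The sample message below is constructed for the example.
"""
import email
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage

LOCAL_HDR_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001        # general purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, not the header

# Matches bodies such as "Password: 48273", "password is 48273", "pass - 48273".
PASSWORD_RE = re.compile(r"\bpass(?:word)?\b\s*(?:is|[:=\-])?\s*[\"']?(\w{3,})",
                         re.IGNORECASE)


def encrypted_zip_entries(data: bytes) -> list:
    """Return names of entries whose local file header has the encryption bit set.

    Walks the local headers directly instead of trusting the central directory,
    which is how a gateway scanner treats a possibly malformed archive.
    """
    names = []
    off = 0
    while True:
        off = data.find(LOCAL_HDR_SIG, off)
        if off < 0 or off + 30 > len(data):
            break
        (_ver, flags, _method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack("<HHHHHIIIHH", data[off + 4:off + 30])
        name = data[off + 30:off + 30 + name_len].decode("cp437", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        off += 30 + name_len + extra_len
        if not (flags & FLAG_DATA_DESCRIPTOR):
            off += csize  # skip the payload so a stray "PK\x03\x04" inside it is not misread
    return names


def scan_message(raw: bytes) -> dict:
    """Classify one RFC 822 message; returns the evidence and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"encrypted_zip": [], "image_attachments": [], "password_in_body": None}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/plain":
            m = PASSWORD_RE.search(part.get_content())
            if m and result["password_in_body"] is None:
                result["password_in_body"] = m.group(1)
        elif part.get_content_maintype() == "image":
            result["image_attachments"].append(part.get_filename() or "<unnamed>")
        else:
            payload = part.get_payload(decode=True) or b""
            name = (part.get_filename() or "").lower()
            if payload.startswith(LOCAL_HDR_SIG) or name.endswith(".zip"):
                result["encrypted_zip"].extend(encrypted_zip_entries(payload))
    # Encrypted archive plus a way to deliver the password is the Bagle pattern.
    result["suspicious"] = bool(result["encrypted_zip"]) and (
        result["password_in_body"] is not None or bool(result["image_attachments"]))
    return result


def _zip_with_encryption_flag(name: str, content: bytes) -> bytes:
    """Constructed archive: a real ZIP whose local header has the encryption bit
    set. The payload is NOT encrypted; only the header a scanner reads is mimicked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    data[6] |= FLAG_ENCRYPTED  # flags field sits at offset 6 of the first local header
    return bytes(data)


def plain_zip() -> bytes:
    """Constructed control archive with no encryption flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed Bagle-style message: spoofed From, encrypted ZIP holding an
    executable, the password in the body, and a decoy image attachment."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"   # spoofed sender (assumed address)
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Re: Photos"
    msg.set_content("Archive password: 48273\nSee attached.")
    msg.add_attachment(_zip_with_encryption_flag("photo.exe", b"MZ" + b"\0" * 64),
                       maintype="application", subtype="zip", filename="photo.zip")
    msg.add_attachment(b"GIF89a" + b"\0" * 16, maintype="image", subtype="gif",
                       filename="key.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The header walk is deliberate: a scanner that simply tries to open the archive with a ZIP library will fail on a password-protected file and may pass it through, whereas reading the flag bit needs no password and no decompression. A password found in the body can be used to extract and scan the payload; a password hidden in an image cannot, which is why the image-plus-encrypted-archive pairing is itself treated as a signal.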

The worm tries to stop security software from running by deleting the registry Run entries of several security and anti-virus products, so that they no longer start with Windows. It also opens a backdoor that listens on TCP port 1080. The backdoor is password-protected, so only someone who knows the password, presumably the worm’s author, can connect to a compromised computer and execute arbitrary programs, for example to launch a denial of service attack or to relay spam. In addition, the worm has a downloader feature that attempts to fetch and run a file from one of several web pages hosted in Germany.

The worm affects Windows 95, 98, Me, NT, 2000 and XP. Computers running DOS, Linux, Macintosh, Novell NetWare, OS/2, UNIX or Windows 3.x are not affected.

Security providers rate the worm a medium risk. Symantec has suggested that the damage from the worm may not be widespread, although it cautioned on its website that a mass-mailing outbreak could clog mail servers or degrade network performance.

Continuing a trend seen earlier this year, in which rival virus writers tried to outdo each other, Bagle-AF’s presence on a system actually prevents certain versions of the Netsky worm from infecting that computer. Neither worm should be regarded as benign, though: users should keep their anti-virus software up to date and be extremely wary of opening suspect emails.

By Gordon Smith