New Bagle variants spreading
It's the worm that will not die
By Grant Gross, IDG News Service | Published: 09:34, 01 June 2005
Security firms have warned that several new versions of the Bagle e-mail worm are spreading quickly on the Internet.
MessageLabs, which monitors 110 million pieces of e-mail sent per day, found about 145,000 copies of just one of the new Bagle downloader variants, said Maksym Schipka, a senior anti-virus researcher at MessageLabs.
About 80 variants of the original Bagle worm, which first appeared in January 2004, have been released on the Internet. The first Bagle downloader variant MessageLabs tracked drops a Trojan horse that attempts to download Bagle from a list of about 130 websites worldwide. Computer users who activate the file attached in the e-mail activate the virus, which harvests e-mail addresses it finds on the computer's hard drive. The virus then forwards itself onto the list of e-mail addresses on the infected computer.
In the first variant, found on Tuesday, the e-mail carrying the Bagle worm had an empty subject line and body text, MessageLabs said.
The first variant appeared to start on a Yahoo webmail account, Schipka said. "Somebody wanted to refresh his botnets or e-mail addresses," Schipka said of the motivation for a new Bagle variant. "They want to keep up to date with the things they sell." Botnets are groups of compromised computers, controlled by hackers and often used in cyberattacks.
Anti-virus vendor Symantec also reported seeing at least one new Bagle variant on Tuesday, but found the worm was spreading less quickly than MessageLabs reported. Symantec noted only about 50 Bagle copies on computers with its virus-protection software installed, said Alfred Huger, senior director of engineering at Symantec Security Response. Huger expected little damage from this Bagle attack, he said.
Damage from the new Bagle variants should be minor as anti-virus vendors react quickly to the attacks, said Ken Dunham, director of malicious code at iDefense, another cybersecurity vendor. The first two variants were tentatively dubbed Bagle.CA and Bagle.CB, which would make them the 79th and 80th Bagle variants.
"We're a long way down the line of Bagle worms," Dunham said. "It's very similar to former Bagle attacks."
Dunham encouraged computer users to update their anti-virus software, use firewalls and avoid opening suspicious files attached to e-mail. "Just because it looks like it was from your billing department, or it was from your friend, or it was porno, doesn't mean it is," he said. "Be careful on e-mail - don't trust anything."