Bagle worm unleashed
- 19 January, 2004 17:34
A new mass-mailing worm, already being billed as 2004's version of SoBig, has started spreading across the Internet.
The virus, known as Bagle.A, was first detected on Tuesday morning AEST. Antivirus firms have rated the virus a medium threat.
The virus arrives in the victim's mailbox with the subject line 'Hi' and the body text 'Test', followed by an attachment: an .exe file whose name is a string of randomly generated characters.
To look harmless, the executable carries a calculator icon. When executed, Bagle.A copies itself to the %System% directory as bbeagle.exe.
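A mail-gateway heuristic built from the lure traits just listed (subject 'Hi', body 'Test', one .exe attachment with a random name), as an added example that is not code from the article or from any antivirus vendor. The sample message, the attachment name kqwtd.exe and the attachment bytes are constructed here; the attachment is a harmless 'MZ' stub, not the worm. A fourth check on the 'MZ' executable header is the example's own addition, so that a renamed extension does not evade the filter.

```python
"""Mail-gateway heuristic for the Bagle.A lure described above.

Added example: not code from the article or from any antivirus vendor.
The sample message, its attachment name and the attachment bytes are
constructed here; the attachment is a harmless 'MZ' stub, not the worm.
"""
import os
from email import message_from_string


def bagle_a_indicators(raw: str) -> dict:
    """Score one raw RFC 822 message against the lure traits from the article:
    subject 'Hi', body text 'Test', and a single .exe attachment with a random
    name.  'pe_magic' additionally checks that the attachment starts with the
    'MZ' executable header, so a renamed extension does not evade the check.
    """
    msg = message_from_string(raw)
    result = {"subject": False, "body": False, "exe_attachment": False,
              "pe_magic": False, "attachment_name": None}

    result["subject"] = (msg.get("Subject") or "").strip().lower() == "hi"

    body_parts = []
    attachments = []  # (filename, first two bytes of the decoded payload)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if name:
            attachments.append((name, payload[:2]))
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "us-ascii"
            body_parts.append(payload.decode(charset, "replace"))

    # The article gives the body as 'Test'; match on the prefix so trailing
    # whitespace or characters after it do not break the check.
    result["body"] = "".join(body_parts).strip().lower().startswith("test")

    if len(attachments) == 1:  # the lure carries exactly one file
        name, magic = attachments[0]
        result["attachment_name"] = name
        result["exe_attachment"] = os.path.splitext(name)[1].lower() == ".exe"
        result["pe_magic"] = magic == b"MZ"
    return result


def is_bagle_a_lure(raw: str) -> bool:
    """Flag only when subject, body and an executable attachment all agree;
    a lone 'Hi'/'Test' message with no attachment is just a short e-mail."""
    r = bagle_a_indicators(raw)
    return r["subject"] and r["body"] and (r["exe_attachment"] or r["pe_magic"])


# Constructed sample in the shape the article describes (not a real capture).
SAMPLE_LURE = """From: someone@example.com
To: victim@example.org
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Test
--b1
Content-Type: application/octet-stream; name="kqwtd.exe"
Content-Disposition: attachment; filename="kqwtd.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Same lure with the extension changed; the MZ header still gives it away.
SAMPLE_RENAMED = SAMPLE_LURE.replace("kqwtd.exe", "kqwtd.scr")

# A benign two-word e-mail with no attachment must not be flagged.
SAMPLE_BENIGN = """From: colleague@example.com
Subject: Hi
Content-Type: text/plain

Test, did this reach you?
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("renamed", SAMPLE_RENAMED),
                       ("benign", SAMPLE_BENIGN)):
        print(label, is_bagle_a_lure(raw), bagle_a_indicators(raw))
```

This is a heuristic on the lure's visible traits, not a signature: it will miss a variant that changes the subject or body, which is exactly why the article points readers to vendor signatures. Requiring all three traits keeps a genuine two-word 'Hi'/'Test' e-mail from being quarantined.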
Users have been urged to exercise caution. "There is no rhyme or reason to open the e-mail. It is just pure curiosity," said Daniel Zatz, Computer Associates security consultant.
According to Zatz, Bagle.A spreads via e-mail using its own SMTP engine. It generates a list of addresses to send itself to by searching for .wab, .txt, .htm, and .html files on a user’s computer.
An interesting feature is that the worm avoids high profile e-mail addresses such as those ending with @hotmail.com, @msn.com and @microsoft. Zatz said he presumed this was to avoid quick detection.
Bagle.A has a drop-dead date of 28 January: after that date the worm stops running.
Zatz said this feature was similar to last year's SoBig worm. "We are concerned we may see another SoBig," he said. "Every time the [SoBig] drop dead date came out a new variant was released."
This concern stems from a second feature of the worm: when executed, it attempts to open a backdoor on port 6777 to give attackers unauthorised access to the PC. In Bagle.A this backdoor does not work, but the fear is that a future variant will get it right, Zatz said.
Removal tools and updated signatures are available for download from the leading antivirus vendors' sites.
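A host-side check for the two footprints the article names, the dropped file bbeagle.exe in the %System% directory and a listener on port 6777, as an added example that is not code from the article or from an antivirus vendor. The netstat output and directory listing below are constructed test data; the function scan_this_host, the port-6777 check as TCP, and the fallback path C:\Windows are the example's own assumptions.

```python
"""Host check for the Bagle.A footprints named in the article: bbeagle.exe in
the %System% directory and a listener on port 6777.  Added example, not from
the article or an AV vendor; the netstat output and directory listing below
are constructed test data.
"""
import os
import subprocess

BAGLE_FILE = "bbeagle.exe"
BAGLE_PORT = 6777


def listening_ports(netstat_lines):
    """Parse 'netstat -an' lines (Windows layout: proto, local, remote, state)
    and return the set of local TCP ports in LISTENING state.  IPv6 endpoints
    such as [::]:6777 are handled by splitting on the last colon."""
    ports = set()
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, state = fields[1], fields[3]
        if state.upper() != "LISTENING":
            continue
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def bagle_a_host_findings(netstat_lines, system_dir_listing):
    """Combine both indicators.  The file is the stronger one: the article
    notes the Bagle.A backdoor does not actually work, so an infected host may
    show the dropped file without any listener on 6777."""
    file_hit = any(n.lower() == BAGLE_FILE for n in system_dir_listing)
    port_hit = BAGLE_PORT in listening_ports(netstat_lines)
    return {"dropped_file": file_hit, "backdoor_listener": port_hit,
            "infected": file_hit or port_hit}


def scan_this_host():
    """Live variant for a Windows box (assumption: netstat is on PATH and
    %SystemRoot% is set; C:\\Windows is the fallback used here)."""
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "system32")
    out = subprocess.run(["netstat", "-an"], capture_output=True,
                         text=True, check=False).stdout
    return bagle_a_host_findings(out.splitlines(), os.listdir(system_dir))


# Constructed sample data (not a capture from a real infection).
SAMPLE_NETSTAT = [
    "Active Connections",
    "",
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING",
    "  TCP    192.0.2.10:1042        198.51.100.5:25        ESTABLISHED",
    "  UDP    0.0.0.0:137            *:*",
]
SAMPLE_SYSTEM32 = ["kernel32.dll", "calc.exe", "BBEAGLE.EXE", "ntoskrnl.exe"]
CLEAN_SYSTEM32 = ["kernel32.dll", "calc.exe", "ntoskrnl.exe"]

if __name__ == "__main__":
    print(bagle_a_host_findings(SAMPLE_NETSTAT, SAMPLE_SYSTEM32))
```

The file name comparison is case-insensitive because Windows file systems are; the port check is deliberately secondary, since a host running Bagle.A may never have the broken backdoor bound at all, and another service could happen to sit on 6777.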