It’s Bagle Day, Again

Anti-virus firms have raised the alarm after spotting three new
strains of the Bagle virus rapidly spreading through e-mail inboxes.

Almost a year after the virus was first
, research firm F-Secure increased the threat level on the worm, which arrives with three .EXE files attached — Price.exe,
Joke.exe and RunMe.exe.

“The interesting thing about the latest variants is that they modify themselves before spreading: they search for applications on a hard disk and “borrow” their icons,” F-Secure said in a note posted online.

The company said the “borrowed” icons are then attached to Bagle’s files together with some garbage data (used as a decoy) before being mailed out. “You might see Bagle variants with quite interesting icons,” F-Secure said.

One of the new strain, Bagle.AT, is a mass-mailing worm with
peer-to-peer spreading capabilities. In e-mail environments, Bagle.AT spreads using different subjects, e-mail bodies and attachments.

F-Secure said the worm has a password-protected backdoor that listens on port 81. “The worm author who knows the password can connect to the computer and execute arbitrary programs. Infected computers are reported to the worm’s author by accessing several predefined URLs,” the company warned.

Bagle.AT is also capable of spreading to shared folders of
peer-to-peer clients.

Anti-virus specialist Sophos also released an advisory
with a warning the new variant is capable of significantly impairing
e-mail systems if it reaches a critical mass.

“Companies without an automatically updating virus protection in
place are at risk for a communications failure and should ensure that
their anti-virus is up-to-date immediately,” Sophos said.

Advisories have also been issued by Symantec and McAfee.

In March this year, a batch of Bagle variants were released in the
wild and effectively disrupted
corporate network traffic for several days.

The source code for the virus was also released on the Internet.

News Around the Web