Riding on Open Code, Bagle Worm Returns

The Bagle worm is rearing its head again, back for another crack at the unprotected masses.

Security firms such as McAfee, Sophos, Symantec, F-secure, PandaLabs, TrendMicro and Kaspersky Labs are all reporting on the emergence of new Bagle virus variants that are proliferating in the wild.

Experts said there are likely two genuinely new variants, though because each security firm uses its own naming convention, the number of newly named variants across the different firms is greater. The latest variants have been labeled Bagle.BJ (McAfee), W32/[email protected] (McAfee and PandaLabs), Bagle.AY (F-Secure and Sophos), [email protected] (Symantec), Win32.Bagle.ax (Kaspersky), WORM_BAGLE.AZ (Trend Micro), Win32.Bagle.AU (Computer Associates) and Bagle.BL (PandaLabs).

Many security firms have raised the threat level for the variants from moderate to severe or critical, as more instances of the rapidly spreading worm are reported. As is typical with variants of the Bagle family of worms, the polymorphic malicious code reaches user inboxes via a spoofed sender e-mail address, with a random subject line taken from a long list of choices and with random message content.

Like its siblings, the new Bagle variants all include their own SMTP engine, meaning they can send e-mail directly without going through the victim's mail server. The recipient addresses are harvested from the user’s local machine. And, as is the usual drill, the pesky snippets attempt to disable firewalls and anti-virus software.
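A worm that carries its own SMTP engine has a side effect a defender can watch for: an ordinary workstation suddenly opens outbound TCP/25 connections to many different Internet mail hosts instead of handing mail to the organisation's relay. The script below is an added example, not code from the article or from any of the vendors it names; it runs over constructed firewall log lines in a hypothetical "timestamp ACTION src -> dst:port" layout, and the relay address, the threshold and every IP are assumptions.

```python
"""Flag internal hosts that talk SMTP directly to many external servers.

Added example (not from the article). A mass-mailing worm with a built-in
SMTP engine bypasses the sanctioned relay, so a workstation contacting
many distinct hosts on TCP/25 is worth a look. The log format, the relay
address and all IP addresses below are constructed for this example.
"""
from collections import defaultdict

MAIL_RELAY = "10.0.0.25"  # assumed address of the one host allowed to send outbound mail
THRESHOLD = 5             # distinct external SMTP hosts before a source is flagged

# Constructed firewall log: one workstation fanning out on port 25, the relay
# doing its normal job, a second workstation using the relay, plus a garbage line.
SAMPLE_LOG = """\
2005-01-27T10:01:02 ALLOW 10.0.5.17 -> 64.12.138.97:25
2005-01-27T10:01:03 ALLOW 10.0.5.17 -> 65.54.245.8:25
2005-01-27T10:01:03 ALLOW 10.0.5.17 -> 209.85.133.27:25
2005-01-27T10:01:04 ALLOW 10.0.5.17 -> 216.239.57.26:25
2005-01-27T10:01:04 ALLOW 10.0.5.17 -> 68.142.202.58:25
2005-01-27T10:01:05 ALLOW 10.0.5.17 -> 64.12.138.97:25
2005-01-27T10:01:05 ALLOW 10.0.5.17 -> 66.94.237.64:25
2005-01-27T10:01:06 ALLOW 10.0.0.25 -> 64.12.138.97:25
2005-01-27T10:01:07 ALLOW 10.0.0.25 -> 65.54.245.8:25
2005-01-27T10:01:08 ALLOW 10.0.5.40 -> 10.0.0.25:25
2005-01-27T10:01:09 ALLOW 10.0.5.40 -> 64.233.187.99:80
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (src, dst, port) for a well-formed line, or None otherwise."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    src = parts[2]
    dst, _, port = parts[4].rpartition(":")
    if not port.isdigit():
        return None
    return src, dst, int(port)


def find_direct_mailers(log_text, relay=MAIL_RELAY, threshold=THRESHOLD):
    """Map each non-relay source to the number of distinct hosts it reached on
    TCP/25, keeping only sources at or above the threshold."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port != 25 or src == relay:
            continue  # not SMTP, or the sanctioned relay doing its job
        targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for src, count in find_direct_mailers(SAMPLE_LOG).items():
        print(f"{src} contacted {count} distinct SMTP servers directly")
```

Counting distinct destinations rather than raw connections keeps a host that retries one server from tripping the rule, and excluding the relay is what makes the signal usable; the same idea is usually enforced outright by blocking outbound port 25 from everything except the relay, in which case the DENY lines become the alert.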

The Bagle worm contains a Trojan backdoor that allows a remote user to execute arbitrary code on the infected PC, turning the computer into what is referred to as a zombie. The new zombie notifies the worm’s author by accessing one of several predefined URLs. The zombie itself is accessed via an encrypted password that the worm’s author embedded in the worm.

In addition to having their payload distributed via an e-mail attachment, the latest variants are also proliferating via P2P applications. Instead of random subject names as in e-mail, the polymorphic worm gives itself random file names resembling popular applications (e.g., Adobe Photoshop) as a lure to hook users into downloading and running them.

Bagle has been one of the most persistent worms in existence since it first showed up in January of last year.

In July of 2004, the source code for Bagle found its way onto the Internet, which essentially ensured that its legacy would be long lived. This has led to new strains based on the source code. The worm’s cousin, MyDoom, became one of the most destructive viruses after following a similar path among virus-writers that used the source code.

Ken Dunham, director of malicious code at security firm iDefense, noted that the source code for both Bagle and MyDoom worms are now in the hands of many attackers. As a result, he said he expects to see many new creations arise from these two traditional e-mail worm families.

“For example, Bofra is actually about 50 percent MyDoom code and 50 percent new code, released late last year,” Dunham told internetnews.com. “An attacker heavily edited the code, copied and pasted, etc, to then create a very new creation with a new iFRAME exploit.”

Worms that require some form of user interaction (such as clicking on an attachment) have become more successful in the past 12 months, Dunham added. A lack of safe computing practices among new computer users tends to be the main culprit, but the amount of source code floating around doesn’t help, he added.

“With more highly skilled attackers and more source code and tools than ever before, we are poised for a busy 2005 malicious code year,” Dunham warned.