New Bagle Causing Mild Indigestion

A new variant of the infamous Bagle worm has been causing indigestion from Asia and Europe to the United States since its appearance October 29. Thus far it has done little more than fill up people’s e-mail accounts, with little apparent damage, according to several security firms, even though it was believed capable of “smoking out” and eluding standard antivirus defenses.

MessageLabs said the new Bagle compares in terms of size to MyDoom and appeared in about 900,000 e-mails the company screened. The new variant, known as Bagle.BB or Bagle.BC, may have been spotted first by Panda Software, which said that just hours later it had become one of the top-ranked viruses on Panda’s online scanners, and the company braced for a fast rise in new Bagle-tied incidents.

“This has prompted Panda Software to declare a Red Virus Alert as a preventive measure,” the company said in a statement October 29, “so that all users can protect themselves against these worms and prevent their computers from being infected.”

Two more variants, Bagle.BD and Bagle.BE, appeared within hours, spreading, as the parent bug has, by way of e-mail and peer-to-peer file swaps.

But some other security analysts say these new Bagles also carry specific challenges. Computer Associates International security manager Stefana Ribaudo told CNET.Asia that the new Bagles try to block the Netsky virus on user machines, suggesting the new Bagles’ writers had ideas about retaliating against Netsky. That is not unreasonable, considering an apparent trend of the authors taunting each other in their bugs’ code until Netsky’s mastermind was arrested.

“The worm creates several MUTEXes with names that are used by NetSky worm,” said Finnish security company F-Secure, which calls the new Bagle group Bagle.AT. “So certain versions of NetSky will not infect a system where the Bagle.AT worm is active.”

The new Bagles harvest e-mail addresses from infected computers’ local files and use them in the “from” field to send themselves around, so recipients get fake e-mails with spoofed sender addresses that could look like they came from friends, family, or colleagues, according to security company McAfee.

The new bugs come as attachment files called anything from “price” to “Price” or “Joke,” McAfee added. But opening the attachments lets the bug copy itself into the Windows system directory, where the harvest begins through opening TCP port 81, McAfee said.

McAfee is also offering non-McAfee customers a free remedy known as Stinger to clean out the new Bagle.