
Bagle worm hits SA home users, SMEs

By Tracy Burrows, ITWeb contributor.
Johannesburg, 21 Jan 2004

The new Bagle worm appears to have spread in SA during the past day, affecting mostly small businesses and home users. ITWeb readers reported multiple infections in small offices, home PCs and at least one academic institution yesterday. However, the infection rate is still far lower in SA than it is overseas.

The worm arrives in an e-mail from random senders and carries the subject line "Hi" and the message text "Test, yep". The name of the attachment also varies.

IT administrators describe the worm as "clever" in that it pretends to be a "techie" test e-mail and often comes from an address the user knows, fooling them into running the attachment.

The worm is capable of harvesting millions of e-mail addresses and turning infected PCs into "spam machines". It has spread throughout Europe and Asia, reaching the US and SA on Monday and Tuesday.

"When the worm is started, it connects to a list of predefined Web servers and tries to access a PHP file with certain parameters," says Ryan Price, CEO of Y3K. "One of the parameters is the TCP port where the backdoor is listening, which suggests that this functionality is used to collect the addresses of infected computers.

"Each infected machine goes through the list of 35 servers (this might take a while if there are timeouts). Then it sleeps for 10 minutes and restarts.

"We`ve been parsing the httpd access-logs we got from one of the affected Web sites. So far there have been 5.2 million hits to the Web site, which is just one of the 35 Web sites which are attacked simultaneously. According to their traffic, most of the machines that connected to them were in Canada - around 12 200 with an estimated 793 065 hits. In the US, we saw 9 992 machines, estimated at 590 590 hits, and SA was way down the list, with 135, so far estimated at 8 775 hits."

Brett Myroff, CEO of local Sophos distributor Netxactics, says the company's gateway stopped an infected e-mail as early as Monday, but that none of its corporate clients have reported infections. "I think infections and propagation will be from the home and small business sector rather than the corporate sector, as home users and small companies are not so rigorous about keeping their anti-virus up-to-date," Myroff says.

Anti-virus maker Kaspersky Labs says the global outbreak of I-Worm.Bagle is "significant". Other anti-virus firms reiterate that the worm is modelled on the recent Mimail and Sobig worms, which also appeared to have been written by spammers.
