
Few Bagle worm reports in SA

By Stephen Whitford, ITWeb contributor
Johannesburg, 20 Jan 2004

A new e-mail worm, Bagle-A, which harvests e-mail addresses and creates a back door into users' computers, is spreading fast across Europe and Asia. However, few local infections have been reported.

Brett Myroff, CEO of Netxactics, says the Bagle-A worm (also known as Beagle) arrives as an e-mail message with the subject "Hi" and has "test" in the body of the e-mail. The worm appears as a program attachment with a random name.

This file, which pretends to be the Windows calculator, opens a hole in the infected user's computer, which can be exploited by hackers.

"The worm pretends to be a 'techie-looking' test e-mail and often comes from an address the user knows, fooling them into running the dangerous attachment - not knowing they are potentially giving hackers the power to run destructive code on their computer," says Myroff.

Once the worm has opened the Windows calculator, it creates a copy of itself in the Windows system directory as bbeagle.exe, showing up with the calculator icon, he says.

Christopher Bray, Associates' regional director of sub-Saharan Africa, says the Bagle worm is a mass mailer that harvests addresses from local .wab, .txt and .htm files, and avoids e-mail addresses containing the strings @avp, @hotmail.com, @microsoft and @msn.com.

"Once the worm has harvested the addresses in both the from and to fields, it sends itself out using its own SMTP engine. The worm then tries to notify the virus author of its readiness to accept commands by contacting various Web sites and calling a script located on the remote site," he says.

Although neither Symantec nor Netxactics has any reports of the worm reaching SA, some ITWeb readers report having received the worm. Ken Dunham, director of malicious code at iDefense, says over 50 000 interceptions have been noted worldwide from various sources.

"Bagle started gaining significant ground in the wild as the work week resumed in Asia. Bagle appears to have gained the most ground initially in Europe, where it was first detected with the greatest prevalence."

Dunham says the worm ceases to propagate from computers with a system date of 28 January 2004 or later.
