Five new variants of the Bagle Internet worm have been spreading fast around the world since Friday.
Anti-virus software vendors warn that Bagle.C, D, E, F and G are circulating in e-mail with a spoofed sender address, a variety of convincing subject lines and an attachment that appears to be a zipped Excel file.
The first variant in the latest infestation, Bagle.C, was discovered on Friday. It is bundled with its own SMTP engine to create and send mass e-mails. Once it has infected a computer, it activates notepad.exe and extracts e-mail target information from files with the extensions "WAB, TXT, HTM, HTML, DBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB, SHT". It then modifies the registry and opens TCP port 2745 as a backdoor through which an outsider can remotely control the computer.
Ryan Price, CEO of local F-Secure distributor Y3K, says Bagle.C is programmed to stop spreading after 14 March. "The backdoor provides full remote access to the infected computer. It can be used to download and execute arbitrary programs from the Internet."
Bagle.D, which was found roughly 12 hours after Bagle.C was discovered, has minor modifications. Price says this could be an attempt to avoid detection by some anti-virus programs.
Bagle.E was found in the wild on Sunday. This variant uses its own SMTP engine to construct outgoing messages and contains a remote access component. It uses modified file names and sizes from Bagle.C.
Brett Myroff, CEO of local Sophos distributor Netxactics, says Bagle.F and Bagle.G surfaced shortly after Bagle.E, with more minor modifications.
Among the subject lines in use are:
* Accounts department
* Ahtung!
* Camila
* Daily activity report
* Flayers among us
* Freedom for everyone
* From Hair-cutter
* From me
* Greet the day
* Hardware devices price-list
* Hello my friend
* Hi!
* Jenny
* Jessica
* Looking for the report
* Maria
* Melissa
* Monthly incomings summary
* New Price-list
* Price
* Price list
* Pricelist
* Price-list
* Proclivity to servitude
* Registration confirmation
* The account
* The employee
* The summary
* USA government abolishes the capital punishment
* Weekly activity report
* Well...
* You are dismissed
* You really love me? he he
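The two indicators described above, a listed subject line on a message carrying an attachment and a listener on TCP port 2745, can be checked with a short script. This is an added example, not code from the article or from any vendor; the function names, the sample messages and the Windows-style `netstat -an` text are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines taken from the article's list, compared case-insensitively.
BAGLE_SUBJECTS = {s.strip().lower() for s in """
Accounts department;Ahtung!;Camila;Daily activity report;Flayers among us;
Freedom for everyone;From Hair-cutter;From me;Greet the day;
Hardware devices price-list;Hello my friend;Hi!;Jenny;Jessica;
Looking for the report;Maria;Melissa;Monthly incomings summary;New Price-list;
Price;Price list;Pricelist;Price-list;Proclivity to servitude;
Registration confirmation;The account;The employee;The summary;
USA government abolishes the capital punishment;Weekly activity report;
Well...;You are dismissed;You really love me? he he""".split(";")}
BACKDOOR_PORT = 2745  # TCP port the article says Bagle.C opens

def suspicious_message(raw: bytes) -> bool:
    """True if the subject is on the list and the message has an attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    has_attachment = any(True for _ in msg.iter_attachments())
    return subject in BAGLE_SUBJECTS and has_attachment

def backdoor_listeners(netstat_text: str) -> list:
    """Local addresses listening on TCP/2745 (assumes Windows `netstat -an` layout)."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                hits.append(f[1])
    return hits

def sample_message(subject: str, attach: bool) -> bytes:
    """Build a constructed test message; the attachment is a harmless stub."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed sample body")
    if attach:
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename="sample.zip")
    return m.as_bytes()

SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135      0.0.0.0:0       LISTENING
  TCP    0.0.0.0:2745     0.0.0.0:0       LISTENING
  TCP    10.0.0.5:1042    10.0.0.9:2745   ESTABLISHED
"""
```

Several of the listed subjects ("Hi!", "Price") are common in legitimate mail, so a subject match is only a reason to look closer; a listener on port 2745 is the stronger signal.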