Worm Burrows Through The Internet

Giving proof to the gullibility of Internet users, a worm that at least one security analyst describes as "nothing special" stormed across the Internet over the weekend, and continued to cause enough concern among anti-virus vendors Tuesday to retain higher-than-usual alert levels.Dubbed Beagle by some, Bagel by others, the worm first appeared in the Pacific/Asia theater, hitting Australia hard and spreading to Europe before making the rounds through businesses and consumers in the United States.

Like other worms, Beagle/Bagel is delivered as a file attachment to an e-mail message. Using an unsophisticated subject heading of simply 'Hi,' with message text that consists primarily of random characters, and with a randomly-named executable as the attached file, the worm uses crude techniques. But that doesn't mean it hasn't been successful.

MessageLabs, a U.K.-based security and e-mail filtering firm, has intercepted nearly 150,000 instances of the worm since it debuted on Sunday.

"What's interesting about Beagle/Bagel is that its social engineering isn't anything special," said Vinny Gullotto, vice president of Network Associates' AVERT security and threat analysis team. "And most of what we've seen in the worm has been borrowed from others." Even so, users worldwide have been duped.

Ken Dunham, the director of malicious code at iDefense, made much the same point. "There's nothing particularly enticing about the message sent out by Bagel, yet is spreads with very good success. It appears that being brief and saying little, even if the content is vague and scarce, is a highly effective method for spreading malicious code."Beagle/Bagel tries to mask its infection, noted Dunham, by opening the Windows calculator (the file 'calc.exe,' which is present on every Windows system). "Bagel does a great job of hiding the infection by loading calc.exe when executed. It even has the calculator icon for the file it creates in the Windows System directory, bbeagle.exe. The average user will think it's a simple calculator icon and think nothing of it."

According to analysis done by security experts, including Dunham and Gullotto's team at Network Associates, Beagle/Bagel also opens TCP port 6777 on compromised machines. That port, said analysts, could then be used by the remote hacker to execute commands on the machine or download additional malicious code to the system. Symantec's DeepSight Threat Management network -- a global system of network sensors the company uses to keep tabs on malicious code effects -- has reported a surge in activity associated with that port, due to Beagle/Bagel's spread.

Security firms have also reported that some users have been infected by the backdoor 'Mitglieder' Trojan horse, which Beagle/Bagel tries to download. Symantec, for example, warned its customers that the worm's code includes instructions to download a script from any of 36 URLs; that script "directs the compromised system to download and execute Trojan.Mitglieder," Symantec said in an e-mail alert.

Other than the potential for opening a system to remote attack -- or adding it to the worm creator's network of compromised proxies -- Beagle/Bagel's impact stems from its ability to propagate by harvesting e-mail addresses on target machines, then re-sending itself to those recipients. That may clog some service's and company's e-mail servers, said Dunham.

But Gullotto is convinced the worst is past on this one. "Since we first saw it debut on Sunday, it's shown a decrease [in prevalence] overnight. I think it's plateaued. We may see a small bump, but I expect that by Friday it will have run its course."MessageLabs' stats bear that out. Although more than 120,000 copies of the worm were detected Monday, as of mid-morning Tuesday, MessageLabs had only filtered an additional 20,000 copies.

Even so, anti-virus vendors have been updating their warnings to users; most currently tag Beagle/Bagel as a significant threat. Symantec, for instance, lists it as a '3' in its 1 through 5 scale (and upped it from a '2' on Monday), while Network Associates ranks it as a 'Medium' threat.

While some analysts have compared Beagle/Bagel to Sobig -- in part because this new worm, like Sobig, has a self-programmed shut off date after which it won't reproduce -- Gullotto pooh-poohed the idea.

"It's not even close in comparison to Sobig," he said, "not even to MiMail." Sobig and MiMail, two of the most persistent worms in the latter half of 2003, have infected magnitudes more users, said Gullotto, and pose a much greater danger. MiMail, for instance, has circulated in more than a dozen variations, all of which attempt to trick users into divulging financial information, such as credit card account numbers.

Computers infected with the Beagle/Bagel worm -- one sign is the presence of the file 'bbeagle.exe' in the WINDOWS SYSTEM directory -- can be cleansed with any of the several removal tools posted on security vendor Web sites. Symantec offers one here, for instance, while F-Secure has posted a similar utility here.Beagle/Bagel is hard-coded to stop propagating on Jan. 28, but because it reads the infected system's internal clock -- rather than pinging an Internet server -- machines with incorrectly-set clocks may still spread the worm after that date.