Newest Bagle On The Loose

Another variation of the long-running Bagle worm began spreading early Friday, bumping up warning levels from most security firms to their highest levels in over a month. Although three different versions of Bagle were launched almost simultaneously, one, dubbed Bagle.av, Bagle.at, Bagle.au, or Bagle.bb, is spreading the fastest.

"It started showing up around 2 a.m. today Eastern time," said Stefana Ribaudo, the product manager for Computer Associates eTrust security program, "and first spread in Europe. When U.S. offices opened between 8 and 9, it really took off."

Computer Associates, for instance received 100 submissions of the new Bagle within an hour, while it went straight to the top of F-Secure's list of the most common viruses during the past 24 hours. U.K.-based security vendor BlackSpider noted that more than a million e-mails carrying the new Bagle had been sent as of early Friday morning, London time. It's not uncommon for worms and viruses to be seeded in large spam-style mailings, often with the help of large networks of hijacked PCs where each machine mails just a few messages to escape detection.

Whatever it's named -- Bagles have proliferated to such a degree that there's no longer a common naming system among anti-virus vendors -- the worm is relatively easy to spot, say analysts. The subject line is typically "Re: Hello," "Re: Hi," or "Re: Thank you!" The worm is disguised as a .exe, .scr, .com, or .cpl file named "Price" or "Joke."

Like earlier Bagles, this one spreads by grabbing e-mail addresses from compromised machines and remailing itself with its own SMTP server. It also spreads via shared network folders.The Bagle tries to disable a number of anti-virus programs and personal firewalls and attempts to delete and copies of the rival Netsky worm it finds. Once in place, it listens in on port 81 for incoming commands from its hacker master, and tries to download a file from a long list of hacker or compromised sites. Such characteristics usually mean that the worm's author will try to load additional software onto infected PCs, like Trojan horses or other backdoor components so he can control the machine remotely and add it to his bot list of slave systems.

This version, however, also has some new tricks up its sleeve.

It can, for instance, modify itself before re-mailing to the next victim, a tactic used to throw off both users and anti-virus signatures. It searches for applications on a hard drive and "borrows" icons, which are then combined with some garbage data as a decoy.

This Bagle also tries to disable the Security Center service (named "wscsvc") in Windows XP Service Pack 2, Microsoft's newest operating system update. SP2's Security Center is a dashboard-like display that keeps track of the status of anti-virus and firewall defenses. If Bagle manages to shut down such protections on the compromised PC, for instance, and also disables the center, users won't be aware (or receive alerts) that there's anything amiss.

Even so, the new Bagle isn't reason for panic, said one analyst. "Although [it] appears to be spreading fairly rapidly, impacting both consumer and enterprise users, there's nothing to indicate that this threat is significantly different from previous variants," said Vincent Weafer, the senior director for Symantec's security response team.Most anti-virus firms have tagged the new Bagle as a medium-level threat. Symantec, for example, pegged it as a "3" in its 1 through 5 scale, while McAfee, Computer Associates, and Trend Micro bumped it up to "Medium" after its numbers climbed.

"It's not unusual for hackers to release worms very early in the morning and later in the week," said CA's Ribaudo. "That gives time for the worm to be seeded before people get to the office and start opening mail. And later in the week and on the weekend is when fewer [IT] people are around," she said.