A new variant of the Bagle worm that turns off antivirus software and personal firewalls is likely to spread rapidly, antivirus experts warn. Organizations that block the .exe, .scr, .com and .cpl attachment extensions significantly reduce their risk of infection from this worm, as well as from many others.
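The extension blocking recommended above is straightforward to implement at a mail gateway or in a mail filter. The following is an added example, not code from the article or from any of the vendors it quotes: it parses a raw message with Python's standard `email` library, walks the attachments and flags any whose final extension is on the blocklist. The blocklist is the article's four extensions; the sample message, the sender address and the attachment names are constructed for the demonstration and are not taken from a real Bagle sample. The check uses the last extension only and normalizes case and trailing whitespace, so `Photo.jpg.EXE` (which Windows displays as `Photo.jpg` when known extensions are hidden) and `price.cpl ` are still caught.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article recommends blocking at the gateway.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".cpl"}


def normalize_filename(name):
    """Lower-case and strip trailing whitespace and dots so 'Photo.EXE ' still matches."""
    return name.strip().rstrip(".").lower()


def is_blocked(filename):
    """Return True if the attachment's final extension is in the blocklist.

    Only the last extension matters: Windows executes 'report.pdf.exe' as an
    .exe regardless of the leading name, so that is what we test.
    """
    name = normalize_filename(filename)
    if "." not in name:
        return False
    ext = name[name.rfind("."):]
    return ext in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message):
    """Parse a raw RFC 822 message and return attachment names that should be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename and is_blocked(filename):
            hits.append(filename)
    return hits


def build_sample_message():
    """Constructed sample message (hypothetical sender and attachments, not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"  # constructed, stands in for a spoofed address
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Re: Hello"
    msg.set_content("see attached")
    # One benign attachment and two that a gateway enforcing the blocklist should stop.
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Photo.jpg.EXE")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="SETUP.COM")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample_message()):
        print("blocked attachment:", name)
```

Run it stand-alone and it reports `Photo.jpg.EXE` and `SETUP.COM` while letting `invoice.pdf` through. Matching on the final extension rather than on a substring avoids both missing double extensions and over-blocking names such as `scr_notes.txt`.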
W32/Bagle-AS@mm spreads via e-mail and peer-to-peer networks, and has a spoofed address and variable subject lines. The worm is also called Bagle-AZ (McAfee), Beagle-AR (Symantec), Worm_Bagle-AM (Trend Micro) and I-Worm.Bagle-AX (Virusbuster).
According to TruSecure Corp. in Herndon, Va., Bagle-AS communicates through backdoors on TCP port 81 and UDP port 81. McAfee Inc. in Santa Clara, Calif. said the worm opens TCP port 81 and a random UDP port on the victim machine.
McAfee lists Bagle-AS as a medium-level threat and said it's a mass-mailing threat that contains its own SMTP engine to construct outgoing messages. "Similar to previous variants, it harvests addresses from local files and then uses the harvested addresses in the from field to send itself. It contains a remote access component and copies itself to folders that have the phrase 'shar' in the name, such as common peer-to-peer applications, including KaZaA, Bearshare and Limewire," according to the McAfee advisory. The advisory also said that when the .exe file is run, the worm copies itself into the Windows System directory as Bawindo.exe.
In an advisory to its clients, TruSecure, soon to be known as Cybertrust, said the timing of the worm's release was of concern. The company cited both the lapse of nearly a month since the last variant circulated widely and the Virus Bulletin conference taking place this week, which could give script kiddies an opportunity to take advantage of many antivirus experts being away from their offices.