By Monday morning, the latest Bagle attack seemed to be slowing down. But at least one antivirus firm has seen indications the worm's latest variants left behind new spam-spewing proxy servers.
"For Friday, Saturday and Sunday our scanners caught about 7,500 copies of I-Worm.Bagle.at and about 700 of Bagle.au," Olga Kobzareva, acting head of corporate communications for Russia-based Kaspersky Lab, said by e-mail Monday morning. "Saturday evening the quantity of infected mails drastically decreased and now it's not No. 1 in the statistics, so the trend is that the worm goes down."
But, she added, the firm has information "that there is already an increase of new proxy servers for spam distribution. Several thousand already are in the blacklists because there already is spam sent through them."
New variants of the prolific Bagle worm appeared in the wild Friday, prompting Cupertino, Calif.-based antivirus firm Symantec Corp. to raise its ThreatCon to Level 2 and others, such as Panda Software of Glendale, Calif., to issue a red alert. New York-based MessageLabs said in its alert it had intercepted more than 887,000 copies by Friday night.
The latest variants terminate antivirus tools and open a backdoor that lets attackers take remote control of infected machines. Symantec Security Response identified three new variants: W32.Beagle.AV@mm, W32.Beagle.AU@mm, and W32.Beagle.AW@mm.
"Due to an increase in submission rates, Symantec has upgraded W32.Beagle.AV@mm to a Level 3 threat," Symantec Security Response said in an e-mailed statement Friday afternoon. "To date, Symantec has received more than 200 submissions of this threat -- including both corporate and consumer customers worldwide. As a result of these submissions, Symantec has raised the ThreatCon from a Level 1 to a Level 2."
Panda Software issued a red alert for what it called Bagle-BC, saying in an advisory that "Bagle-BC… opens TCP port 81 and listens to it, waiting for remote connections, [allowing] hackers to gain remote control over the affected computer in order to carry out malicious actions that would compromise user's confidentiality or impede normal work. [It] ends processes belonging to security tools, such as antivirus programs. This leaves the affected computer vulnerable to the attack of other malware."
In a twist, it prevents certain worms, including several Netsky variants, from being executed whenever Windows is started by deleting the entries belonging to these worms from the Windows registry, Panda said.
The worm spreads by e-mail in a message with variable characteristics and through peer-to-peer file-sharing programs.
New York-based Computer Associates Inc. called one variant Bagle-AQ and said in its advisory the worm "is a PeX-packed executable that is approximately 17,000 bytes in length. However, it can also distribute itself in the form of a control panel applet."
"The worm arrives attached to an e-mail with a variable subject and message body," Computer Associates said. "The attachment also uses a variable name and extension. The 'from' address is spoofed, chosen from e-mail collected from the affected system."
Describing the characteristics of infected e-mails, the firm said possible subject lines include "Re:"; "Re: Hello"; "Re: Thank you!"; "Re: Thanks :)"; and "Re: Hi". Possible message bodies include ":)" or ":))". The attachment name is chosen from the following list: Price, price and Joke. The extension can be .exe, .scr, .com or .cpl.
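The indicators above are concrete enough to turn into a mail-gateway check. The following is an added example, not code from the article or from Computer Associates: it parses a raw message with the Python standard library and reports which indicator classes match. The indicator lists are taken from the article; the sample messages, the function names and the quarantine rule (attachment indicator plus at least one other) are constructed assumptions for illustration, and they only cover the variant CA calls Bagle-AQ.

```python
"""Flag e-mails matching the Bagle-AQ indicators reported in the article.

Added example, not taken from the article or any vendor advisory. The
indicator sets are copied from the article; the sample messages and the
quarantine rule are constructed for illustration.
"""
import os
from email import message_from_string
from email.message import Message

# Indicator lists as reported for the variant Computer Associates calls Bagle-AQ.
SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
BODIES = {":)", ":))"}
ATTACHMENT_NAMES = {"price", "joke"}            # "Price", "price", "Joke": compare case-insensitively
ATTACHMENT_EXTS = {".exe", ".scr", ".com", ".cpl"}  # .cpl is the control-panel-applet form


def attachment_names(msg: Message) -> list[str]:
    """Return the filenames of every attachment part of a parsed message."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def text_body(msg: Message) -> str:
    """Return the first text/plain part, or the whole body of a single-part message."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain" and not part.get_filename():
                return part.get_payload(decode=True).decode("utf-8", "replace")
        return ""
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def bagle_indicators(raw: str) -> dict[str, bool]:
    """Check one raw RFC 822 message against each indicator class.

    A subject or body hit alone is weak evidence (":)" is a common reply);
    an attachment whose stem AND extension both come from the lists is the
    strong signal, which is why the rule below requires it.
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body = text_body(msg).strip()
    attachment_hit = False
    for name in attachment_names(msg):
        stem, ext = os.path.splitext(name)
        if stem.lower() in ATTACHMENT_NAMES and ext.lower() in ATTACHMENT_EXTS:
            attachment_hit = True
    return {
        "subject": subject in SUBJECTS,
        "body": body in BODIES,
        "attachment": attachment_hit,
    }


def is_suspect(raw: str) -> bool:
    """Constructed quarantine rule: attachment indicator plus at least one other."""
    hits = bagle_indicators(raw)
    return hits["attachment"] and (hits["subject"] or hits["body"])


# Constructed sample messages (not real captures). The base64 payload is a
# placeholder for an executable, not worm code.
SUSPECT_MAIL = """\
From: alice@example.org
To: bob@example.org
Subject: Re: Thanks :)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

:)
--b1
Content-Type: application/octet-stream; name="Price.cpl"
Content-Disposition: attachment; filename="Price.cpl"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

BENIGN_MAIL = """\
From: carol@example.org
To: bob@example.org
Subject: Re: Thanks :)
Content-Type: text/plain

:)
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MAIL), ("benign", BENIGN_MAIL)):
        print(label, bagle_indicators(raw), "quarantine" if is_suspect(raw) else "deliver")
```

The benign sample shows why the rule keys on the attachment: a one-line "Re: Thanks :)" reply with ":)" as its body is an ordinary human message, and a filter that matched subject and body alone would quarantine it. Matching the attachment stem and extension case-insensitively covers the "Price" and "price" spellings the advisory lists, and including .cpl catches the control-panel-applet form that a filter keyed only on .exe would miss.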
The worm collects addresses to send itself to or to use as fake sender addresses. It searches any files with the following extensions: .adb, .asp, .cfg, .cgi, .dbx, .dhtm, .eml, .htm, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .ods, .oft, .php, .pl, .sht, .shtm, .stm, .tbb, .txt, .uin, .wab, .wsh, .xls and .xml.