
Bagle, Mytob back for more trouble

Bill Brenner

New variants of the prolific Bagle and Mytob worms prompted several antivirus firms to issue medium-level alerts Tuesday.

"At least three different Bagle-related downloaders have been massively spammed," F-Secure Corp. of Finland said on its Web site.


"The spammed mails typically have no subject or body text, just an attachment such as 1.zip containing 19_04_2005.exe or similar. We currently detect all spotted droppers and downloaders as Bagle-BO." The spread was significant enough for F-Secure to issue a "Level 2" alert.

New York-based MessageLabs Inc. said it had intercepted almost 70,000 copies of one variant by Tuesday afternoon -- 45,769 of which were stopped over the course of one hour. "The virus appears to have originated from a Yahoo group," the firm said in an e-mailed statement. "[The downloader variant] drops a Trojan [horse program] that attempts to download Bagle from a vast list of locations."

Moscow-based Kaspersky Lab issued a "moderate risk" alert for the latest outbreak, which it also labeled Bagle-BO. "The content of these messages and the name of the .zip attachment are random," the firm said on its Web site. "The attachment contains the worm's executable file, called 16_05_2005.exe, which is approximately 17KB in size."


The Bethesda, Md.-based SANS Internet Storm Center Web site said, "The attachments [so far] appear to be named as a single-digit number .zip file [eg: '5.zip' or '7.zip'] or as a string [eg: 'Be_not_jealous.zip'] with a payload of '16_05_2005.exe' or '19_04_2005.exe.'"
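The indicators the vendors quote above (no subject or body text, a .zip attachment named with a single digit or a short phrase, and inside it one small executable named like 16_05_2005.exe) are enough to write a mail-gateway check. The script below is an added example, not code from the article or from any of the vendors named in it: it parses an RFC 822 message with the Python standard library, opens each .zip attachment, and flags the message only when the date-named dropper pattern co-occurs with an empty mail. The two sample messages are constructed here, the "dropper" is an inert 17KB blob rather than a real worm, and the 64KB size cap is an assumption chosen to sit comfortably above the ~17KB the vendors report.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Indicators taken from the vendor descriptions quoted above: no subject or
# body text, a .zip attachment, and inside it one small executable named
# like DD_MM_YYYY.exe (about 17KB according to Kaspersky).
DROPPER_NAME_RE = re.compile(r"^\d{2}_\d{2}_\d{4}\.exe$", re.IGNORECASE)
MAX_DROPPER_SIZE = 64 * 1024  # assumption: generous cap above the quoted ~17KB


def zip_members(data: bytes) -> Optional[List[Tuple[str, int]]]:
    """List (name, uncompressed size) for each member; None if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(info.filename, info.file_size) for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def bagle_indicators(raw: bytes) -> List[str]:
    """Parse one RFC 822 message and return the indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("empty subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        members = zip_members(part.get_payload(decode=True) or b"")
        if not members:
            continue
        hits.append(f"zip attachment {name}")
        # The quoted samples carry exactly one member, the dropper itself.
        if len(members) == 1:
            mname, msize = members[0]
            if DROPPER_NAME_RE.match(mname) and msize <= MAX_DROPPER_SIZE:
                hits.append(f"date-named dropper {mname} ({msize} bytes)")
    return hits


def is_suspicious(raw: bytes) -> bool:
    """Flag only when the dropper pattern co-occurs with an empty message,
    so an ordinary zipped report with a subject and a note passes through."""
    hits = bagle_indicators(raw)
    return ("empty body" in hits
            and any(h.startswith("date-named dropper") for h in hits))


def make_zip(member: str, content: bytes) -> bytes:
    """Build an in-memory zip with a single member (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def build_mail(subject: Optional[str], body: str,
               zip_name: str, zip_bytes: bytes) -> bytes:
    """Construct a test message (sample data, not a captured worm e-mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


# Constructed samples: the "dropper" is an inert 17KB blob, not real malware.
BAGLE_SAMPLE = build_mail(None, "", "5.zip",
                          make_zip("16_05_2005.exe", b"MZ" + b"\0" * (17 * 1024 - 2)))
BENIGN_SAMPLE = build_mail("Q2 figures", "Attached as discussed.", "report.zip",
                           make_zip("report.txt", b"revenue,cost\n1,2\n"))

if __name__ == "__main__":
    for label, sample in (("bagle-like", BAGLE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(sample), bagle_indicators(sample))
```

The combined rule matters more than any single indicator: an empty subject on its own is common in legitimate mail, and a small .exe in a zip is what a lot of software distribution looked like at the time, so a gateway that blocked on either alone would generate complaints. Tying the verdict to the whole pattern the vendors described keeps false positives down while still catching the spam run as quoted.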

Mytob-BI enters the fray
Bagle wasn't the only worm keeping AV providers busy Tuesday. Firms like Tokyo-based Trend Micro reported that a new Mytob variant was spreading quickly.

"Trend Micro has raised Worm_Mytob-BI to yellow alert status," the firm said in an e-mailed statement. "This is the fourth variant of the ever-popular family of worms to reach the alert stage, and the second this week to do so."

Trend Micro said it has only been 90 days since the first Mytob variant appeared. Since then, it said the worm "has managed to register over 125 new variants and is responsible for more than 65,000 worldwide infections."

Mytob variants pose as messages from IT administrators to trick users into executing the e-mail attachment, typically by claiming that the recipient's e-mail account is about to be suspended.
