A new variant of the Bagle worm appeared this morning as workers return from a long holiday weekend.
Bagle-B is a straightforward mass mailer worm. It harvests e-mail addresses from infected machines by searching text, HTML and Windows address book files. It then sends itself using its own SMTP engine. The worm spoofs the From field on the messages so the infected messages can be traced back to the sending machine.
"Bagle-B tries to deceive computer users by spoofing the sender's address, but the worm is easy to spot because of its distinctive subject line," said Chris Belthoff, senior security analyst at Sophos, Inc.
The messages containing the worm have the subject line "ID" followed by various random characters. The body of the message contains "Yours ID." The actual attached worm is an executable file. The creator of Bagle-B can keeps tabs on the worm's progress as it drops a remote access component on infected machines and opens up TCP Port 8866.
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion Run "au.exe" = C:WINNTSYSTEM32AU.EXE
Bagle-B also adds the following Registry keys:
Bagle-B probably won't be a major issue for corporations as most strip executable files from incoming e-mails. Doing so would prevent the worm from getting it. Another good precaution is updating antivirus signature files.