A new variant of the Bagle worm appeared this morning as workers return from a long holiday weekend.
Bagle-B is a straightforward mass mailer worm. It harvests e-mail addresses from infected machines by searching text, HTML and Windows address book files. It then sends itself using its own SMTP engine. The worm spoofs the From field on the messages so the infected messages can be traced back to the sending machine.
"Bagle-B tries to deceive computer users by spoofing the sender's address, but the worm is easy to spot because of its distinctive subject line," said Chris Belthoff, senior security analyst at Sophos, Inc.
The messages containing the worm have the subject line "ID" followed by various random characters. The body of the message contains "Yours ID." The actual attached worm is an executable file. The creator of Bagle-B can keeps tabs on the worm's progress as it drops a remote access component on infected machines and opens up TCP Port 8866.
Like Bagle-A, the new variant includes a system that checks the date. If it's Feb. 25 or later, then the worm stops working. If it's before that date, then it runs Windows Sound Recorder and copies itself to the Windows system directory as au.exe. It also adds the following Registry key so the worm runs when the system is restarted:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion Run "au.exe" = C:WINNTSYSTEM32AU.EXE
Bagle-B also adds the following Registry keys:
Bagle-B probably won't be a major issue for corporations as most strip executable files from incoming e-mails. Doing so would prevent the worm from getting it. Another good precaution is updating antivirus signature files.