Bagle-B begins to boil

Edward Hurley, News Writer

A new variant of the Bagle worm appeared this morning as workers return from a long holiday weekend.

Bagle-B is a straightforward mass mailer worm. It harvests e-mail addresses from infected machines by searching text, HTML and Windows address book files. It then sends itself using its own SMTP engine. The worm spoofs the From field on the messages so the infected messages can be traced back to the sending machine.

"Bagle-B tries to deceive computer users by spoofing the sender's address, but the worm is easy to spot because of its distinctive subject line," said Chris Belthoff, senior security analyst at Sophos, Inc.

The messages containing the worm have the subject line "ID" followed by various random characters. The body of the message contains "Yours ID." The actual attached worm is an executable file. The creator of Bagle-B can keeps tabs on the worm's progress as it drops a remote access component on infected machines and opens up TCP Port 8866.


Requires Free Membership to View

Bagle-A, the new variant includes a system that checks the date. If it's Feb. 25 or later, then the worm stops working. If it's before that date, then it runs Windows Sound Recorder and copies itself to the Windows system directory as au.exe. It also adds the following Registry key so the worm runs when the system is restarted:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion Run "au.exe" = C:WINNTSYSTEM32AU.EXE

Bagle-B also adds the following Registry keys:

HKEY_CURRENT_USERSoftwareWindows2000 "frn"

HKEY_CURRENT_USERSoftwareWindows2000 "gid"

Bagle-B probably won't be a major issue for corporations as most strip executable files from incoming e-mails. Doing so would prevent the worm from getting it. Another good precaution is updating antivirus signature files.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: