Malicious code experts are warning that variants of the Bagle and Netsky mass-mailing worms are circulating in the wild and beginning to gain traction.
Bagle variant begins to get legs in the U.S.
Bagle-AB, also known as Bagle-AA, Bagle-Z, Bagle-X and Bagle-Z, uses a spoofed From address, varied Subject and Body text, and a number of different attachment prefixes. It doesn't autoexecute, but does glean e-mail addresses from files on the infected system, which it then uses to transmit itself via its own SMTP engine.
Bagle-X terminates more than 100 security applications [including antivirus and personal firewalls] on an infected system -- this is effectively a "shields down" for victims, said Sam Curry, vice president of product management for Islandia, N.Y.-based Computer Associates' eTrust Security Solutions division. "It is spreading fast and is quite destructive."
Curry said this Bagle variant sets up a remote control application on victim systems listening on port 2535 and also communicates with the Internet at large, effectively setting up a network of compromised systems.
Santa Clara, Calif.-based Network Associates, Inc. said that it e-mails itself as a password protected .zip file with the password included in the message body. The worm attempts to notify the author that the infected system is ready to accept commands by contacting various Web sites and calling a PHP script on the remote sites. NAI currently ranks the threat as medium.
Netsky variant hits Asia, Europe
Netsky-AB uses a spoofed From address, varied Subject and Body text, and a number of different attachment prefixes. It doesn't autoexecute and experts said it uses its own SMTP engine to send itself to addresses it finds on any accessible non-CDROM drive. No backdoor has been identified.
Tokyo-based Trend Micro said in a statement: "The worm is the next in the now well-known 'virus' war between the creators of Netsky and Bagle. It harvests e-mail addresses from files located in local drives C to Z, and with particular extension names. As with previous variants of Netsky, it also deletes entries created by the Bagle worm." Trend Micro currently ranks Netsky-AB as a medium risk and added that the worm uses social engineering methods with subject titles including "Money," "Only love?" and "Privacy."
Both worms can infect the Windows 95, 98, ME, NT, 2000 and XP platforms.
Updated antivirus signatures are available. Experts said that .com, .cpl, .exe, .hta, .scr, .vbs, .zip and .pif attachments should be blocked at the gateway.