Another Bagel variant, W32Bagle-AG@mm, has been upgraded to a medium threat by AV vendors after last week's sudden outbreak of Bagle-AF, which spread for a short period of time when AV scanners failed to detect it.
"We've seen numerous variants of the Bagle family in the last six months; however, [Bagle-AF] appears to be spreading rapidly, outpacing the last several variants," Oliver Friedrichs, senior manager, Symantec Security Response, said in a statement late last week. "This threat is impacting both consumers and businesses alike, so all users should be taking steps to ensure that their systems are protected."
Ranked as a medium-level threat to both corporate and home users by McAfee Inc. in Santa Clara, Calif., the mass-mailing worms use their own SMTP engine to send outgoing messages. Both variants harvest e-mail addresses from the victim machine and spoof the sender's e-mail address. The worms contain a remote access component and notify the hacker of successful infection via a backdoor on TCP port 1080. They then copies themselves to folders that have the phrase "shar" in the name, such as the KaZaA, Bearshare and Limewire peer-to-peer applications.
If a machine becomes infected, Symantec said, it will allow the attacker to have remote, unauthorized access to the machine. "Due to the ability of the remote user to perform so many different actions on the server system -- including installation of applications -- it is highly recommended that compromised systems be reinstalled," Symantec advised.
Herndon, Va.-based TruSecure Corp. recommended blocking the .com, .cpl, .exe, .hta, .scr, .vbs and .zip (password-protected) executable extensions at the gateway to prevent infection by similar worm outbreaks. When available, updated antivirus signatures will detect the worm.
"[An earlier variant], discovered on July 4, sporadically sent the worm's source code as an attachment," said Mary Landesman, senior virus analyst at FrontBridge Technologies in Marina del Rey, Calif. "This effectively distributed the source code, and as we see with today's Bagle infection, making it more likely that we'll continue to see future variants of this worm."
Bruce Hughes, TruSecure's director of malicious code research, agreed, "AV scanners are always a step behind the bad guys and now that virus writers are releasing the source code there will be more copycat viruses from untalented script kiddies speeding around the Internet."
Cupertino, Calif.-based Symantec said users on Windows 2000, Windows 95, Windows 98, Windows ME, Windows NT and Windows XP are vulnerable.
In tracking Bagle-AF, Symantec Security Response said that at its peak, it was tracking approximately 30 submissions per hour, but has now tapered off.