Article

Bagle family produces new headache for enterprises

Bill Brenner

For many enterprises and antivirus firms, Monday is starting to become known as Bagle Day.

A new member of the prolific worm family, Bagle-AG, clogged e-mail accounts across the Internet Monday afternoon, using many of the same tricks as its ancestors, but with a couple new twists.

"This one is masquerading as and hiding within legitimate software," said Sam Curry, vice president of eTrust for New York-based Computer Associates. "If you open an attachment with Internet Explorer, it will infect you."

The mass-mailing worm has its own SMTP engine to create outgoing messages and lifts e-mail addresses from the victim machine. The "From:" address of messages is spoofed and its attachment is a Zip file containing an .exe and an HTML file. It also copies itself to folders that have the phrase "shar" in the name (such as common peer-to-peer applications; KaZaA, Bearshare, Limewire, etc.), according to Santa Clara, Calif.-based McAfee Inc.

Curry said it's spreading fast, with more than 30 unique enterprise-level reports to Computer Associates in a 2.5-hour period Monday. "We are still counting in the consumer space," Curry said. "That's a phenomenal growth rate. We have it at medium, and will probably go to high in the next three to six hours if this continues." Curry also noted the Bagle family's tendency to cause trouble on Mondays.

In a new twist, Curry said this variant camouflages itself from firewalls and other antivirus measures by appearing to firewalls to

    Requires Free Membership to View

be coming from Internet Explorer (a .dll is injected into IE at 11,766 bytes) and disguising files in transit as "JPG" files when they are actually executable.

He added that the malware downloads its updates from a list of 204 URLs on various sites. The file is downloaded to the Windows directory as "~.exe" and executed. Once the .exe component is activated, it copies itself to the system directory as "WINdirect.exe" and drops the .dll component as "_DLL.EXE." It then creates a remote thread in the Explorer.exe process to execute the .dll component.

Infected files have a one-word body message: "price." The attachment is "price.zip" and contains two files, "price.html" and "price.exe". The "price.exe" resides in a subfolder called "price" within the zip file, according to Computer Associates's advisory.

The Bethesda, Md.-based Internet Storm Center said Monday afternoon it had received "a number of reports" about the new worm. The site recommended users temporarily quarantine or reject all ZIP attachments until AV vendors release signatures. It also suggested users consider monitoring or blocking access to the URLs listed in its advisory.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: