Now that the Bagle-A worm is on the decline, experts are scratching their heads over how it moved so quickly.
Bagle-A is like many other mass-mailing worms. It travels as an executable file attached to an e-mail. The worm doesn't employ savvy social engineering to entice users into opening it. The message text includes random letters. Its subject line is simply "Hi."
The worm emerged over the weekend but surged on Monday. U.K.-based e-mail content-filtering outsourcer MessageLabs Inc. intercepted over 141,000 copies of the mass mailer. Finnish antivirus software vendor F-Secure Corp. raised Bagle's threat rating to level 1 -- the company's highest -- because it received so many reports on the worm.
"It's been slowing down over the last 24 hours, but it will be around for at least a few more days," said Mikko Hypponen, manager of antivirus research for F-Secure. The worm's traction appears to be strongest among home users in China and South Korea.
Bagle may experience a minor bump in activity today, as U.S. workers return to work after a three-day weekend, said Vincent Gullotto, vice president of McAfee's Antivirus Emergency Response Team (AVERT). But McAfee received far fewer reports overnight than it did Sunday, which means the worm is most likely on the decline, Gullotto said.
It's unlikely that corporate e-mail systems were severely affected because most enterprises strip executable files at the gateway.
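The gateway control described above, together with the message traits given earlier (subject "Hi", a body of random letters, an executable attachment), is easy to put into a small screening routine. The following is an added example, not code from the article or from any vendor it names; the sample messages and the dummy "MZ" attachment bytes are constructed inline, and the extension list is an assumed typical gateway block list.

```python
"""Gateway-style screening of inbound mail for executable attachments.

Added example, not from the article or from any vendor named in it.
Sample messages are constructed inline; the attachment bytes are a dummy
'MZ' header followed by filler, not a real program.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly (assumption: a typical gateway block list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows DOS/PE executable


def build_sample(subject, body, filename=None, payload=None):
    """Construct a raw RFC 5322 message (constructed sample data for testing)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def looks_like_random_letters(text):
    """True when the body is one bare run of letters, as in Bagle-A's messages."""
    stripped = text.strip()
    return bool(stripped) and re.fullmatch(r"[A-Za-z]+", stripped) is not None


def screen_message(raw):
    """Return (block, reasons).

    Blocking is driven only by executable indicators, which is what the
    article says enterprise gateways strip. The subject/body pattern is
    reported as a heuristic so analysts can see it, but does not block
    on its own.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    block = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension on attachment {name!r}")
            block = True
        # Check content as well as the name: a renamed .exe still starts with MZ.
        if data.startswith(MZ_MAGIC):
            reasons.append(f"MZ header inside attachment {name!r}")
            block = True
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if subject.lower() == "hi" and looks_like_random_letters(body):
        reasons.append("subject 'Hi' with random-letter body (Bagle-A pattern)")
    return block, reasons


if __name__ == "__main__":
    sample = build_sample("Hi", "wkyajjmjiflcv", "xqzrfg.exe", b"MZ\x90\x00dummy")
    print(screen_message(sample))
```

Checking the first bytes of the attachment matters more than the file name: the extension test catches the obvious case, but the magic-byte test is what still fires when an executable arrives under a harmless-looking name.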
"Some big companies were most likely hit when employees accessed their Web-based e-mail accounts," Hypponen said.
It appears the worm was well-seeded over the weekend, Gullotto said. Plus, its ability to harvest e-mail addresses from infected machines means it was able to spread itself to many systems. When infecting a system, Bagle searches for e-mail addresses. It doesn't just look in specific document files; rather, it copies addresses from network connections. Using this strategy, the worm can pull together a large number of potential targets from just one infected machine.
For some reason, however, Bagle's creator prevented the worm from sending itself to addresses with the following domains: @r1, @hotmail.com, @msn.com, @Microsoft and .@avp.
The worm also contains a list of Web sites it tries to communicate with after infecting a system. The worm's creator probably engineered the code this way so he can monitor how many systems are infected, Hypponen said.
Experts say there may be more Bagle worms. Like the Sobig variants, Bagle has an expiration date of Jan. 28, 2004. Though Bagle doesn't appear to come from Sobig's writers, it is likely that Bagle's creator "was monitoring what they were doing and repeated it," Hypponen said.