For many enterprises and antivirus firms, Monday is starting to become known as Bagle Day.
A new member of the prolific worm family, Bagle-AG, clogged e-mail accounts across the Internet Monday afternoon, using many of the same tricks as its ancestors, but with a couple new twists.
"This one is masquerading as and hiding within legitimate software," said Sam Curry, vice president of eTrust for New York-based Computer Associates. "If you open an attachment with Internet Explorer, it will infect you."
The mass-mailing worm has its own SMTP engine to create outgoing messages and lifts e-mail addresses from the victim machine. The "From:" address of messages is spoofed and its attachment is a Zip file containing an .exe and an HTML file. It also copies itself to folders that have the phrase "shar" in the name (such as common peer-to-peer applications; KaZaA, Bearshare, Limewire, etc.), according to Santa Clara, Calif.-based McAfee Inc.
Curry said it's spreading fast, with more than 30 unique enterprise-level reports to Computer Associates in a 2.5-hour period Monday. "We are still counting in the consumer space," Curry said. "That's a phenomenal growth rate. We have it at medium, and will probably go to high in the next three to six hours if this continues." Curry also noted the Bagle family's tendency to cause trouble on Mondays.
In a new twist, Curry said this variant camouflages itself from firewalls and other antivirus measures by appearing to firewalls to be coming from Internet Explorer (a .dll is injected into IE at 11,766 bytes) and disguising files in transit as "JPG" files when they are actually executable.
He added that the malware downloads its updates from a list of 204 URLs on various sites. The file is downloaded to the Windows directory as "~.exe" and executed. Once the .exe component is activated, it copies itself to the system directory as "WINdirect.exe" and drops the .dll component as "_DLL.EXE." It then creates a remote thread in the Explorer.exe process to execute the .dll component.
Infected files have a one-word body message: "price." The attachment is "price.zip" and contains two files, "price.html" and "price.exe". The "price.exe" resides in a subfolder called "price" within the zip file, according to Computer Associates's advisory.
The Bethesda, Md.-based Internet Storm Center said Monday afternoon it had received "a number of reports" about the new worm. The site recommended users temporarily quarantine or reject all ZIP attachments until AV vendors release signatures. It also suggested users consider monitoring or blocking access to the URLs listed in its advisory.