Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


New Bagle Variant Raises Alarms



 By: Larry Seltzer
2004-09-29
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Anti-virus companies have elevated the threat level for the latest version of the persistent worm.

A new variant of the Bagle worm is showing more prevalence than usual, according to anti-virus companies.

The new version is known by a variety of names: McAfee Inc. calls it Bagle.az, Trend Micro Inc. has dubbed it Bagle.AM and Symantec Corp. refers to it as Beagle.AR. All three companies have elevated the threat level for this worm because of increased submissions to their monitoring services compared with the average Bagle variant.

Click here to find out why security researchers are puzzled by Bagles success.

All the major companies offer protection against the worm. Symantec also has a removal tool.

Many e-mail programs, including Microsoft Outlook and Outlook Express will, in the default configuration, delete the infected executable attachment to the e-mail message in which the worm arrives.

Resource Library:

According to Trend Micros description, the message comes from a spoofed address. The subject line is either "Re: Hi!," "Re: Thank you!," or "Re: Thanks :)," and the message body is always ":))." The message comes with an attachment with a file name of "Joke" or "Price," which has an extension of either ".com," ".cpl," ".exe," or ".scr."

Once the user runs the executable, it drops a copy of itself in the users Windows System folder and sets Windows to load it when the computer boots up.

The worm attempts to propagate by copying itself to shared folders for LANs and peer-to-peer networks, and through a conventional e-mail distribution using a built-in SMTP engine. It attempts to terminate a large number of security-related programs, such as anti-virus software.

In keeping with Bagle tradition, it also attempts to interfere with the Netsky worm by removing several registry keys used by Netsky and creating mutexes, which are variables in the operating system that Netsky checks for.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page



  Reader Comments: New Bagle Variant Raises Alarms
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}ks㶲*Q3皢H푦dKĶ|,Lj I)H6~bvKJc2;["h4Aȹ=!1(ٟ9ЧGLzIj}ݻ@AiFN)##3rD廚fw2'v#S;^ 1 \?g#Q;Y|AuӱCԣFr(˚79heynJ\WkQZ ^4ߛiL\7;zs/BEQB~ѿ]HQPwÑٷ@ږkZT0ݓ^w: Owy@qGA~$Vj}&DeR)fI&a0iէ6 t򸚅AX{|\睒A7nJ^Ղz .#=-bv=ӧ0#ƌ_8(Jr򳹥s9\_]w2蜜_w;>ߘekfy3(ժ?TRJg3F~3uV7kew'k|t GlD  W6 NZ[_lxmx0|k2`;;RVKJ=2ULhu{Br,Od=h . !O}fr2GrI/o"`cQ -F`X@7? iP2z[q* ߱a^S;G7oRy߬) rƒ 4%yȝ7hr Ce)#8?S̓EhJq䰋c<ش 1"%̛ިҁ6)`I˪ TY&嗋}Qu3 . If(;΀/3 BD4?CC0&pIza.8uKZpfuٜ҅%]We oQ#LKzcOuMW~?]tև,qJjpX.B2iqHB0qjjۛjRM&eYa~ @8ʍ??5m!S[ö@ .Sks+k~̆>:mNQ'm51l;4}t>჆$1hhƋMriOMrӇt @>;GݺzNnXŞ+ Qm:FAтMx> T؎C6}l2w9;-,&w& FrW cX` VPCh' 6)}9\P lv62-0sRP|'sZ(L7^`{bA2G 4.gP)AH =k 99~ >vR.%rP.o{hk8-ucyk34\.m}|FpI.3_hy>grGֶLoj@>z[.z: %r%M5b$T`CfL 6<q^i.;[@Lg˺z+fYz#U/K\>.MB_+( M2L%A-ʘŗzZG"JMP1WL"CɣQHl - ד6:6pȞcX}nP rQ jS#Sad"V+/bs˶@@@Oh 9؎mrij>::NȃX點voŸmTNϣ)a!w1JoX*,b3)T$1Sbp=Pz˸Fq,X@XĞ=\%w8sM^Ηvư']9g!@n"aN4S ش`oZiF+eUV-0א~3VʅĴL~5<2ne"X΁=mQr)'j5YIr]j)erahxh_GSsDb4"T paLHǎ73M#đaϗaܧ^hL`Dkm809#-Ko==>8Ģ\Qۂ+6uB%)` L` T<5&{; 7 G\d 0!ϵPb)& SVbpELs V-EN-IC`u$k&9O.> sFWyYF濚?O~ԪbVm&ZQrTU\㬰 s1*(Si|);u 3}h1gs>7 `3|x+G7Y1f-10kEu/uPӕ ~>V:vʼnGG ֽ x ɵ( 5v8f|< O?a⦉!h{3E&hӚNH@%5-?FlЀY?rxQ2] Q`9v#_oa7X_ 蟆RkE}vWC7{)jf#Q j` 9v}G(*PlOLW"5esWthV))]%qf0Аjkwh\,_Qm(}nL:̺>qWGÉ̍<9E];WVR=>` $Ti(54_ځJnGIlMa`Dh<~-c2R*?<);+6gPכW]?Lg6ѯ5XfP=zǰ;r_&lA}琩occեsg8X$Ό3a QnaUX2 )y-0fE-vVzvڲeyf+9a8GsHR>1 ZH$;QKH/6W\T`qՀDj9n]&k꾬=M~qDyC[Vޫ1ZeΌRo(SY-iq#,F.҂Q{.3 al_&2)SgVvӲ[&;RZ/\v ?3paS,Ԕʑ.R`@|t'fP X#:^;M$JS-b tri#7-FbZ*BBЛgQ!vQ%x.6A)ƙ-`khs)sp>'S6PFͧz*",aAf=^ΈۍC}37~ eFZVR5v¼u[$vem"XvIW4c VK#f"$X+JJYt~(0|nȄKOXV~L&2>M=Jv}6 = "E?'qP3|} 9w>*%U-vWAlj%ww\(4 5 *|@t0\'*BXp,g$ ,O$(e,tF<<& Ux)G?A`?u=<92#QUaNT++y48'o/>èZaQbdE1 cyJF`I1$K~bO{u=|p}үzۻ<$ "Gp6uFkea%|mi/R!)؝-u/Z:p-z Uރ6 `i4~{D(cF?{%sg%U^~yms:-od~؞D4lr zECR|Iw޻毛eGJ:7];OjtKCȃ!yN;-ͦ5Bk;d4)H3zI]a++"AKݹ̂ $"1Zr*M3dnX *~_aZXȬE`|],($0‘#`?`Vvuv\b{ȖVBLR`2"(BS.iDO—,9]8S{ lo}AǯJN~NZ-[I7S+t,c=]/8ʚ'=?Njw?!>t8|㿜yG$ !rz en3~yHP -]>uSo4 jGY{NEh#O[?G cl9R)%V9 [viQf%}yjtJ)SBtad:ٞ$yYIzJ,RTeD$SQSKF39uޞ-Hu=Ym ybZӽK3oBŇF$0k2kt85(Au.HqJiEw3DN^MjpUK ŏE~#zs:D~@0E;䐜zC=R׫;l3{tm=ߺ3'^D 9ʼSyau +;No՗!wC3k{R̵jRid^)A/g]s6å͠O`8{+ϓ{~\BFsW_=aqMԆ+RܳRpfi#ހkҺ<85L;g,H~ VН> ?y{do.=)sdzIlΜh59obJofm6 #lKx?Koң{g;ᧅsE4r7tS/RwlLgI"+W{Uvv7}\8%/r{)Gx+| 0&\%3 =ћ4/MZ?GB"fFs8EE_o\fmef7cŸ6@!{zcƛa#3̑ +Ӡ9MH.v 1= l;o6ܭnM \M A;"J [4 2]CnK_:1iE0pDao[1΢ Imi|o(o'򽥎x5% k.W&/o).w?дg=n00AQ/7rF[[⹏^}l؏o-~2+揰GMv#,i4RRɇ &L?  p~ru_lK&e(vʊfcO@`7'5_:J<\{·){o+8ry8L\-$'ŘSdzsOnũTQgR@HAD\~M] I&]Ig>XHKB(x6|E򇑯(obEWX@m?KFX3;ǘue"$/Ccf>P=4 w2g@]^ ,)r@?Ϗɓn$Vl&+aYf3i1ҏΩzZEsd㱁ǯ2<Y &0q޵'qFbye"L"Z-DS}j>qM7 /k>P%`@ CJAZ~4Vj4'qēF- ^e6CEŴR0%r^:g>$k2>5L qA^kԲ4oB ż.E!& 0A8܁(#P ,-1j!Sb!ʛknU0~ NI*%6\O/`@T/]kcʂ.5<_V0$IHMIȯ]LHmwsˊ;qT]RIlQŧsT&6 ɔҕ=7N50 $J,y Oݗʵz^\`0!g+av@69AdG蕘합K|&yU-n˫վͤV@cgJ]_,ǎ(2[ޒbI-.&ۈflecPaٯH)mgZK !];NpkG8 y 6Kx㯋A6s ܚ  ˫sbk::ΤK'T3ϰOac6>$[hi-5#?(|LY4@%X}):"!A] L!5F|݈gsۚ;J֮#,c|̟Ɵ(^R\\\\_޵X(w-%3 [>8C/Dg"G*jOB\ 5& +A'S[;[ұ@Q? smف6֩ "lODbm:E_*2Qjfo9u/ ^t/ [GwE.nFff4#cfM5˗~s#t;>fRח>A.^2Uٓ TVʚz!t}ꉈ|a=a5|=}m*T k$-t'-?7 VV2B0t`|[La5L?X5ؔfEVEM{ lCD7cXO@ -δ$pj{#MW:֤nF6Z7"XK{bֺKht2Fo}TwiB K!B_o{6fE_"z4Ym毳Nn˛|}>LaBcw`_gKr^ dܞ3su\Ͳ;s&.⫽Ih<ŗ18[dx=[:p-s6swA(7A񛷿cRd;6kLHJ~Pma/@m:7nY{`8JË@񽧹.L ofF9wt)?۬RP3۫HL(hw>[x#W?%4Sؘ bM$487?wԅ+VD2[J22L`pD҆XȓwKǠ |߁ 8wi)@QGf~q/2.uqaGc3˼ s-ZNړipLiXLђ,ÙBu}sTa };0& R3Mv ^eރ-c C=G?A@,[~VxsڞLvm ZihF!i3O<I}bRxP$n@a]IYx ˙=Mᵂ).a ?By Lu?F*M&U6^G nbb+\*6M Bag۰g0‡ qaBXEm89Dr v}NrBYm=+I#C!5{ idW|$ƽtyϹgLhʸXoZaY/[Ԓ3rd! `Bo,"EhvyaypD]bɠ1=^,࿴l&vf-fv \951E!r1&Kjx/Z-ԕՒ|0Ҩӊ,w9]dDo-~rWsƌ7FKj9֤ G]!DVtHU9 .u0Z`n1]Ha:늙;bdc?Xyn-CJ;w^6]^q=!o7ݛAVnVu$#KoW9#On@) p'@b`,IeWw"_f# G+1[Mw-kƕl3S搠AHq* @WݥDu+i!G,gl672IΜWD B r 9?SRmF 96z_ayZ^Oa.=\YrVf xfVؖmmy.]F Rd +}$g٦voihT78X~RBJuTxW"Yc6يj #$J ]0] a,_ŌVR>fF5mǦNW2<`C c  Ƅ[)RUfw<~z*:Oveh^f#+j(qȚ؆wt(bN D(xlkzŰtMxc1L)|AC7)*E-%=hxa3l@ "6r?"I:A~NP[ԓGĥ)׀gbxBW7lˣcD['郀Cvuh 3FP0\'M3C{N.;7`йU #yљ6 ^4<y3M\ hlrGsofA|q !'vQ]Q km<S|6XP8?pk2'pH0Wkn`:"(SG]ă0>]h3(hOT'Ag#j 33g;. 9 :jT 1&F}nN%nNKM {Zi$P!%h$bcx=9a6{@2_7=}m|?ݩ2{xCbwT IhR tX(5CȮ [Ĉxý<>;kAg U#na VH+^@0w4Yw40u>};| wMZ!ՠۻ$ǝ }[8Zzv/;WAyjzca\[e_T ΓQ9l]t283ksYx9% ywfv͋/2Y\d"?/?/2e2OP) 2(rˌ̐Kˌ{e^~+h:?>7_?}OP)'ߧ @MV9M@7d_ru[rֺ)qFy9{'sg+IWKI0ntEճ[L3co5:@bCa/! c|*,xW&+(78%#"htoĶ.b!Iy=0?$MuG1ٹWߕ\~UnE+tjq&ϋR2#s"q6G#aN@Af#|.y|e8Nt7<1 }Qf>.? fVt{ U K <rx$> |#r5yhOnţd?~_<ڻȬuMWVF+$kày%s"iN^];yУjߊD+,y e%Hi_1Z=<ʹ}zއQV+0N`}|>;s}:^>tC{>k'K{  8 ߜ:SNw}Y&@Y8'}p)Nh8kjZrt5pÅvsn Mgf uɹT)jIoR-W+俓k$2Lz@0_m@ R 5w9 طVR`" *s>P`2?6UJ` Pz5C=b{Ǭ[ɞP#^?&G'&ޜk 1^ƘE,d ݢȗጽNۯXJ ā`f@6b/`{8z5(L?4}ڤmf.neа! ؒ9N-= N>@OgÙZ#gHY&38W!Z7hlգ{wh{7ӦB.` ̀4WЫI .LESzq;'8*,_bY\YY~˭eclY<ۚ9l܆"u ]5ݸ3EK~xRHn2um1ƚ KBͿo.;4m?,ʌ˟$4&^_ϘsӞ?z.79?`&<+ ?6>K= %4Id`m߲#ǹqrh`=E(g՞|\k֊,!#1苌Y ]Ц Bx9wiޙca46BX`AtN[a>$l%׽b,3u'{E5>d |f;U/=F"2cX #xKs4I(KE-NAG}N^A\$%4-ϫ΢RM%i;j9.KPRJVr.Q ?V]^9%u r~"E a'_B |aR1=zH|k,X̨T*,[ |IGAM6_w>sԶeEQ&PL;tWV*i/ K7 oX)u'|oSg)0Piy>ඁe"`S s"gTtI1vSl]@_v܅iUhHl;:Oke[ |kc'p'!-;/uԝ8G P 恜0ћwZԘP7ԕU`gWD g~ 8\ftOG#m2`ݍG&ʖ$߀)04oAs^nT0~ r@c]Tng`wDl .3.OY& Ta!*e71K,P`O]3!gw6G}b ȱ(l}j.f+owt%(5x2;nGOWeg[$v/-ǬvJ^S. tlb @J( >D7#D*|X^c 0У,*0Hqs::hՁGXǸ׬[ [) qy6` <Щ0DM.vj]'nFQi#®54-vѩ&:ީo^;3QaW_< cbS,$Il} ralX  ^|>MwϏq`2[uozڧ[8KIJ y6 !δZxyU~ҥ ^.I,g`cQd;8*)ؐsb{`4bOP1lF,oԛ'TS*4.v9ϝ?^9?rϢy9qGg#^]u%ӫrXulьozc|>۳zwXjPtP9͓ a0+=;:`=hs&Sǂ)0ѕD1F(g,1.f Ahix~t<5GTFE@G7byUĔfٵ\RKnrmmk )0M؏Är"5poq#yeטJR04xqBaʩȩ(v}_|IѬd;j +sGO{ |>&xqeaVt*,睥 P.i{TO34[;~v~vw a% ӨT\t+Oz,,Mǭ?\>^HђuzNH]dEg 6.A|>ǐy6xL k ED;ydMn+cQEae#JV01{jX~r[)#Ek̥D/t^JB\qrh5