Windows Bagle Worm Spreading Fast

 
 
By Larry Seltzer  |  Posted 2004-01-19 Email Print this article Print
 
 
 
 
 
 
 

Bagle.A worm is another mass-mailer that is scheduled to expire on Jan. 28. Experts expect a wave of infection after the holiday.

A new Windows worm discovered Sunday is spreading rapidly, according to security experts and anti-virus firms. According to Ken Dunham, Director of Malicious Code for iDEFENSE Inc., more than 50,000 interceptions of the worm—known both as Bagle.A and Beagle.A—have already been noted by security firms. "Bagle started gaining significant ground in the wild as the work week resumed in Asia. Bagle appears to have gained the most ground initially in Europe, where it was first detected with the greatest prevalence."

The worm arrives as an executable attachment to an e-mail message. The subject of the message will be "Hi" an the body will be the following:
    Test =)
    [Random characters]
    --
    Test, yep.
The attachment, which has a random file name and an extension of .EXE, is 15,872 bytes long.

When the user launches the attachment, it first runs the Windows Calculator program to mask the infection process. At the same time, it copies itself to the Windows SYSTEM directory as bbeagle.exe and creates a registry key to load itself at system startup.

The worm then searches files with .wab, .txt, .htm, and .html extensions on the hard disk for e-mail addresses and mass-mails itself to them, using the same addresses for the messages from: address. It does not send to any addresses with domains of hotmail.com, microsoft.*, msn.com, or avp.*.

The virus also listens on TCP port 6777 for remote connections, and attempts to run a script on a number of remote servers instructing them that it is available. According to McAfee, the script is not on any of the servers referenced in the worm.

McAfee, Symantec, Trend Micro and Kaspersky have all added protection against the new worm.

 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel