Bagle.AI, which was discovered Monday, is quite similar to the dozens of other variants in its family, and there seems to be little reason for its success rate. It arrives via e-mail, usually with a subject line of "Re:" and a spoofed sending address. The body text is random, as is the name of the attachment.
The attachment has one of several file extensions, including .scr, .exe, .zip, .cpl and .com. In some instances, the Zip file is password-protected, in which case the body of the infected e-mail includes a password, pass and key, all of which are random numbers, according to McAfee Inc.s analysis of the worm. The name of the attachment often contains the term MP3 in one form or another.
Once it executes, Bagle.AI copies itself to the Windows System directory in a file named WinXP.exe and opens TCP port 1080 and UDP port 1040. It appears that the worm uses these ports to communicate with its creator and report back each time it infects a new machine.
McAfee, based in Santa Clara, Calif., said it received more than 150 submissions of Bagle.AI on Monday. Bill Franklin, president of Miami-based Zero Spam Network Corp., which provides a managed e-mail security and anti-spam service, said his companys servers have been bombarded by copies of the new variant all day.
"This is by far the worst one of the year," Franklin said.
The latest member of the Bagle family is the fourth variant to be released since Thursday, when Bagle.AF hit the Internet.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: