Yet another version of the Bagle worm is on the loose and is already causing trouble in parts of Europe. Bagle.U appeared early Friday morning and has begun spreading quickly, even though it contains none of the social engineering tricks that Bagles author has used to help previous versions succeed.
This variant arrives in an e-mail with a blank subject line and no body text. The sending address, as always, is spoofed, and the name of the infected executable attachment is completely random. After execution, the worm mails itself to all of the addresses in the infected machines address book.
Bagle.U does include a backdoor component that listens on TCP port 4751 and connects to a Web server in a German domain, www.werde.de, according to an analysis by the McAfee Security unit of Network Associates Inc., based in Santa Clara, Calif. Once it establishes a connection with the remote server, the worm generates a unique ID number for each specific infected machine and sends that number and the number of the port on which it is listening to the server.
The worm also is capable of downloading an updated copy of itself from the remote server or downloading a batch file that removes the worm from the infected PC.
Once resident on the system, Bagle.U will sometimes open the Hearts card game that is included with some versions of Windows. In other cases it will drop a file named Gigabit.exe into the Windows system folder. This file contains a copy of the worm.
Bagle.U is set to expire on Jan. 1, 2005. Officials at McAfee said they had seen about 100 copies of Bagle.U as of early Friday morning and expected many more as the day wears on.
This is the 21st variant of Bagle to appear on the Internet since the original Bagle worm showed up on Jan. 18.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: