10th Variant of Bagle Worm Hits the Net | eWeek

10th Variant of Bagle Worm Hits the Net

Verfasst von
Dennis Fisher
Dennis Fisher
Mar 3, 2004
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Another day, another variant—or two—of Bagle.

Late Tuesday evening, anti-virus researchers discovered the existence of Bagle.J, the tenth variant of the worm to hit the Internet. Officials at Network Associates Inc. have rated the worm as a medium risk and said they saw 50 unique samples of Bagle.J in a 90-minute period last night. Bagle.I also surfaced Tuesday, with Bagle.H appearing Monday.

Recent speculation among anti-virus researchers that the creators of the NetSky and Bagle viruses may be engaged in some kind of competition or war has now apparently been proven true. The virus writers have been leaving profane, derogatory messages for one another in the new variants of their respective viruses during the last few days, experts say.

/zimages/1/28571.gifFor more on the competition, read“Virus Writers Start Dissing Match with New Worms.”

Like its predecessors, this version relies heavily on social engineering to entice recipients into opening the e-mail and infected attachment. The subject line of the worm-laden e-mail varies, but is typically one of the following:

E-mail account security warning
Notify about using the e-mail account
Warning about your e-mail account
Important notify about your e-mail account
Email account utilization warning
Notify about your e-mail account utilization
E-mail account disabling warning

The sending address is spoofed to make it appear as if the message is from someone in the recipients domain. Some of the sending addresses include staff@domain.com, administration@domain.com and systemadministrator@domain.com, where “domain.com” is the recipients own domain.

The name of the attachment carrying Bagle.J also varies, and the file itself can be an executable, a .PIF or a ZIP archive, according to NAI, based in Santa Clara, Calif.

The appearance of Bagle.J follows closely the release of both Bagle.H and Bagle.I. Bagle.H arrives in a password-protected ZIP archive and, once executed, copies itself to folders for several popular peer-to-peer applications in an attempt to spread via shared files. Bagle.H also listens on TCP port 2745 for instructions from remote hosts. The virus has an expiration date of March 25.

Bagle.I is quite similar to Bagle.H, carrying a nonsensical subject line and listening on port 2745 as well.

/zimages/1/28571.gifCheck outeWEEK.coms Security Centerat http://security.eweek.com for security news, views and analysis.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.