10th Variant of Bagle Worm Hits the Net

Bagle.J, which NAI rated as medium risk, was the second variant of the worm to surface Tuesday.

Another day, another variant—or two—of Bagle.

Late Tuesday evening, anti-virus researchers discovered the existence of Bagle.J, the tenth variant of the worm to hit the Internet. Officials at Network Associates Inc. have rated the worm as a medium risk and said they saw 50 unique samples of Bagle.J in a 90-minute period last night. Bagle.I also surfaced Tuesday, with Bagle.H appearing Monday.

Recent speculation among anti-virus researchers that the creators of the NetSky and Bagle viruses may be engaged in some kind of competition or war has now apparently been proven true. The virus writers have been leaving profane, derogatory messages for one another in the new variants of their respective viruses during the last few days, experts say.

/zimages/1/28571.gifFor more on the competition, read "Virus Writers Start Dissing Match with New Worms."

Like its predecessors, this version relies heavily on social engineering to entice recipients into opening the e-mail and infected attachment. The subject line of the worm-laden e-mail varies, but is typically one of the following:

E-mail account security warning
Notify about using the e-mail account
Warning about your e-mail account
Important notify about your e-mail account
Email account utilization warning
Notify about your e-mail account utilization
E-mail account disabling warning

The sending address is spoofed to make it appear as if the message is from someone in the recipients domain. Some of the sending addresses include staff@domain.com, administration@domain.com and systemadministrator@domain.com, where "domain.com" is the recipients own domain.

The name of the attachment carrying Bagle.J also varies, and the file itself can be an executable, a .PIF or a ZIP archive, according to NAI, based in Santa Clara, Calif.

The appearance of Bagle.J follows closely the release of both Bagle.H and Bagle.I. Bagle.H arrives in a password-protected ZIP archive and, once executed, copies itself to folders for several popular peer-to-peer applications in an attempt to spread via shared files. Bagle.H also listens on TCP port 2745 for instructions from remote hosts. The virus has an expiration date of March 25.

Bagle.I is quite similar to Bagle.H, carrying a nonsensical subject line and listening on port 2745 as well.

/zimages/1/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.