10th Variant of Bagle Worm Hits the Net

Written By
Dennis Fisher
Mar 3, 2004

Another day, another variant—or two—of Bagle.

Late Tuesday evening, anti-virus researchers discovered the existence of Bagle.J, the tenth variant of the worm to hit the Internet. Officials at Network Associates Inc. have rated the worm as a medium risk and said they saw 50 unique samples of Bagle.J in a 90-minute period last night. Bagle.I also surfaced Tuesday, with Bagle.H appearing Monday.

Recent speculation among anti-virus researchers that the creators of the NetSky and Bagle viruses may be engaged in some kind of competition or war has now apparently been proven true. The virus writers have been leaving profane, derogatory messages for one another in the new variants of their respective viruses during the last few days, experts say.

For more on the competition, read “Virus Writers Start Dissing Match with New Worms.”

Like its predecessors, this version relies heavily on social engineering to entice recipients into opening the e-mail and infected attachment. The subject line of the worm-laden e-mail varies, but is typically one of the following:

E-mail account security warning
Notify about using the e-mail account
Warning about your e-mail account
Important notify about your e-mail account
Email account utilization warning
Notify about your e-mail account utilization
E-mail account disabling warning

The sending address is spoofed to make it appear as if the message is from someone in the recipient's domain. Some of the sending addresses include staff@domain.com, administration@domain.com and systemadministrator@domain.com, where “domain.com” is the recipient's own domain.

The name of the attachment carrying Bagle.J also varies, and the file itself can be an executable, a .PIF or a ZIP archive, according to NAI, based in Santa Clara, Calif.
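
The three traits described above (subject line, spoofed administrative sender in the recipient's own domain, attachment type) can be combined into a simple mail-gateway check. The following is an added example, not code from the article or from NAI; the function names, the example.com addresses used with it, the ".exe" extension standing in for "an executable", and the choice to compare only the To header are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators as listed in the article.
SUBJECTS = {
    "e-mail account security warning",
    "notify about using the e-mail account",
    "warning about your e-mail account",
    "important notify about your e-mail account",
    "email account utilization warning",
    "notify about your e-mail account utilization",
    "e-mail account disabling warning",
}
SPOOFED_LOCAL_PARTS = {"staff", "administration", "systemadministrator"}
# ".exe" is an assumption standing in for "an executable"; .pif and .zip are named.
RISKY_EXTENSIONS = (".exe", ".pif", ".zip")


def bagle_j_indicators(raw: bytes) -> list:
    """Return which of the article's Bagle.J traits a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    local, _, s_domain = sender.rpartition("@")
    r_domain = rcpt.rpartition("@")[2]
    # Sender claims an administrative mailbox inside the recipient's own domain.
    if local in SPOOFED_LOCAL_PARTS and s_domain and s_domain == r_domain:
        hits.append("sender")
    if any((p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
           for p in msg.iter_attachments()):
        hits.append("attachment")
    return hits


def constructed_message(subject, sender, rcpt, filename) -> bytes:
    """Build a harmless test message (constructed sample, placeholder payload)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, rcpt
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message matching all three traits is a strong quarantine candidate; a single hit, such as a ZIP attachment alone, is common in legitimate mail and should only raise a score.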

The appearance of Bagle.J follows closely the release of both Bagle.H and Bagle.I. Bagle.H arrives in a password-protected ZIP archive and, once executed, copies itself to folders for several popular peer-to-peer applications in an attempt to spread via shared files. Bagle.H also listens on TCP port 2745 for instructions from remote hosts. The virus has an expiration date of March 25.

Bagle.I is quite similar to Bagle.H, carrying a nonsensical subject line and listening on port 2745 as well.

Check out eWEEK.com's Security Center at http://security.eweek.com for security news, views and analysis.
