The rapid spreading of several variations on recent mass-mailing worms that were released to the Internet over the weekend has caused security companies to raise their alert status levels.
Five variations of the Bagle worm (also known as Beagle) are among them. Bagle.C arrived Friday night, with D, E, F and G showing up later. Most of the functionality of the worms is similar to each other and to Bagle.A and Bagle.B, with some minor and one major advance.
Because of the quickness of spreading and severity of the attacks, Panda Software has raised their alert status to red. Symantec has categorized Netsky.D and Bagle.E as “Category 3—Moderate.” Netsky.B, discovered on Feb. 18, is still categorized as “Category 4—Severe.”
According to security intelligence firm iDefense, 50 percent of the time that Bagle.F and Bagle.G spread themselves, either through a mass-mailing or by copying themselves to network and peer-to-peer sharing directories, they will send a password-protected ZIP file and include the password in the body of the message. This prevents gateway anti-virus scanners from opening the ZIP file and scanning it. An on-access file scanner on a users desktop would still detect the attack if it were up to date and the anti-virus vendor had protection for that specific worm.
The Bagle variants also open a back door on TCP port 2745 where it listens for commands. Reports from Internet intrusion detection systems, such as DShield.Org, indicate a sharp recent increase in port 2745 attacks.
The new Bagle variants also include friendly icons to trick the user into launching them, generally through network shares. Bagle.C will use either an Excel or Windows Calculator icon. Bagle.D will use an Excel icon. Bagle.E will use a Text file icon, and Bagle.F and Bagle.G will use a folder icon. Bagle.C and D have a cutoff date of March 14, 2004, while E, F and G have cutoff dates of March 25, 2004.
Netsky.D also scans a variety of fields on the system for e-mail addresses. Unlike its predecessors, Netsky.B in particular, it creates multiple threads for sending e-mails, and therefore has the potential to spread much more quickly.
The infected attachment can have any of a variety of names, ending in .pif. The attachment is 17,424 bytes large.
Like many other recent worms, Netsky.D attempts to remove infections from other recent worms, specifically Mydoom.A and Mimail.T, perhaps to clear the way for it to work better. According to Panda Software, when the system date is March 2, 2004, between 6:00 a.m. and 8:59 a.m. the worm will produce random noises.