New Bagle Variant Called Worst of the Year

With little apparent reason for its success rate, e-mail worm Bagle.AI usually arrives in a fashion similar to other variants, with a subject line of "Re:" and a spoofed sending address.

Another version of the tenacious Bagle virus is on the loose, and some security experts and administrators say it is among the more persistent viruses theyve seen all year.

Bagle.AI, which was discovered Monday, is quite similar to the dozens of other variants in its family, and there seems to be little reason for its success rate. It arrives via e-mail, usually with a subject line of "Re:" and a spoofed sending address. The body text is random, as is the name of the attachment.

The attachment has one of several file extensions, including .scr, .exe, .zip, .cpl and .com. In some instances, the Zip file is password-protected, in which case the body of the infected e-mail includes a password, pass and key, all of which are random numbers, according to McAfee Inc.s analysis of the worm. The name of the attachment often contains the term MP3 in one form or another.

/zimages/5/28571.gifFor insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

Once it executes, Bagle.AI copies itself to the Windows System directory in a file named WinXP.exe and opens TCP port 1080 and UDP port 1040. It appears that the worm uses these ports to communicate with its creator and report back each time it infects a new machine.

McAfee, based in Santa Clara, Calif., said it received more than 150 submissions of Bagle.AI on Monday. Bill Franklin, president of Miami-based Zero Spam Network Corp., which provides a managed e-mail security and anti-spam service, said his companys servers have been bombarded by copies of the new variant all day.

"This is by far the worst one of the year," Franklin said.

The latest member of the Bagle family is the fourth variant to be released since Thursday, when Bagle.AF hit the Internet.

/zimages/5/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.


Be sure to add our security news feed to your RSS newsreader or My Yahoo page: /zimages/5/19420.gif