Bagle Gets Stale But Remains a Threat

A new flavor of the Bagle worm that reared its head Thursday is spreadingrapidly around the Internet through e-mail and file-sharing programs.

The difference between and the other variants that surfaced since theinitial attack is the way they are packed or which files drop onto the machine,Gregg Mastoras, senior security analyst at the antivirus and antispam companySophos, told TechNewsWorld.

“Packing,” or shrinking the size of the worm using a compression program, creates different signatures for the worm, which may then be able to skirt antivirus definitions.

Same Old Bagle

“Functionally, it’s the same old stuff we’ve seen in all the Bagle variants overthe last months. The authors have just modified it to evade detection of mostantivirus programs and spammed it widely to try to make it spread more widely,”Mikko Hyppnen, director of antivirus research at F-Secure, told TechNewsWorld.

He said the spread peaked on Friday, and that Bagle cannot compare to moreserious viral invasions of the past.

“It’s still out there in fairly large numbers, but many organizations got theirprotection together over the weekend, making it a smaller and smaller threat,”Hyppnen said. “However, it’s still the number one virus worldwide right now.But by any meter, this outbreak is far away from the massive outbreaks we’veseen in history, such as Sobig.F or Mydoom.A.”

A Bagle by Any Other Name

While it may seem as though there are numerous Bagle viruses, Mastoras said, thereason for that is just the way they are named.

“Basically, there have been a few Bagle variants that have come out in the lastweek, and different vendors are detecting them as different things,” he said.

Sophos calls all the variants by the name Bagle.AU, but Mastoras added, “Someantivirus companies might not be able just to issue one virus protection for all these variants, sothey would have a number of protection files to download.”

Each protection filewould have a different variant name, such as Bagle.bc or

Sophos has had thousands of reports of the virus, and the firewall in Windows XPService Pack 2 is no protection. The worm is capable of turning off thatfirewall

Antivirus companies have been calling the worm a mid-level risk.

Unimaginative Subject Lines

The newer variants are easy to recognize because they have the same subjectlines as earlier versions: “Re:Hello,” “Re: Thank you!” and “Re: Hi.” The e-mailsender’s address is forged and the body of the message may be blank or use anemoticon such as a smile.

Like earlier variants, the worm will disable antivirus software if itsdefinitions are not up to date. It then sends itself to e-mail addresses foundon the infected computer using its own engine, drops more malware anddownloads code from the Internet.

The worm can also spread itself through peer-to-peer networks. It hunts forfolders with a ‘shar’ substring and copies files into the folders.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels