Bagle.U Worm Spreads Despite Simplicity

It’s bad enough when virus writers can download their worm code of choice and relatively simply unleash a new variant on the Internet, but Friday showed something even worse: Virtually zero effort is needed to entice people to open attachments. So far, the non-sophisticated, no-subject, no-text Bagle.U variant has spread to a substantial number of computers worldwide.

Antivirus firm F-Secure rated the Bagle.U worm, which arrives in e-mail boxes with a randomly named attachment and fake “from:” address, a Level 2 threat, meaning it is causing a large number of infections but may be limited geographically.

As the latest in a long string of variants that have sprung up since the original Bagle, Netsky and Mydoom worms began infecting computers, Bagle.U is unlikely to penetrate corporate networks that block executable attachments. Unfortunately, however, home computers are being compromised by their users’ curiosity.

“The reality is that the threats of today dwarf the threats of two years ago,” iDefense director of malicious code Ken Dunham told TechNewsWorld. “But that doesn’t mean the threats of two years ago shouldn’t be taken seriously.”

Compelled To Carry

Unleashed on the five-year anniversary of the original, mass-mailed Melissa virus, the Bagle.U variant is spreading mainly in Europe and Asia, iDefense director of malicious code Ken Dunham told TechNewsWorld. While the variant features no promise of nude pictures or plea to “Check this out,” its simplicity still has coaxed users into opening its attachment.

“It has limited social engineering, but it will definitely play on the curiosity of some users who feel compelled to see what’s in there,” Dunham said. “There is nothing compelling in the e-mail, literally nothing to make a user click on the attachment. By simply having just an attachment, Bagle.U has already enticed thousands to open the malicious attachment.”

Dunham credited the variant’s high initial spread to heavy “seeding,” in which a computer virus or self-spreading worm is deployed by its creator via spamming, previously infected machines and other means.

Bagle Bots

McAfee Avert research fellow Jimmy Kuo told TechNewsWorld that Bagle.U’s lack of obvious indicators is probably also helping it spread.

“It has universal appeal in that it has no black marks against it because it has no incompatible language,” Kuo said, referring to the misspellings and typos typical of viruses launched from around the world.

Kuo downplayed Bagle.U’s spread but highlighted the value of the author’s seeding capability, achieved through previously infected and compromised machines known as “bots.”

“What’s troubling is the fact that the Bagle author has a large collection of bots and is now making use of it,” he said.

Worm with a Heart

Dunham reported that, when executed, Bagle.U tries to open the Microsoft Hearts card game on the target Windows computer to conceal the process of infection. The worm then installs itself in the Windows System directory as gigabit.exe and performs a mass-mailing function, as previous Bagle variants have done.

However, Dunham indicated that by connecting to a German Web site, the Bagle.U worm may provide clues to help researchers track down its author’s location and identity.

As for future variants of Bagle and other worms, he warned that users should get ready to relearn their ABCs as the viruses near the Z variants and begin with double-letter names, such as AA.

“Multiple variants within a malicious code family to help it succeed in the wild is becoming an increasing problem with new worms, such as Bagle and Netsky,” Dunham said.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels