Bagle Worm Spreads Using Traditional Tactics

A worm — known as Bagle — is spreading primarily among Asian and Pacific Rim computers. The worm does not disguise itself as porn, pictures from friends or funny jokes, yet its simplicity has already duped many users into running the attached executable and perpetuating its existence.

Arriving with the subject line “Hi” and body text of “Test, yep,” the malicious code is one of the most basic, tried-and-true forms of mass-mailing malware: a randomly named, executable e-mail attachment infected with a self-replicating virus. Still, despite the long history of such worms and awareness in the industry about how to curb their spread quickly, the Bagle worm managed to represent roughly one in every 100 e-mails sent in Asia as the week began, according to security firm MessageLabs.

“We have seen over 80,000 copies of Bagle, and this number is rising at an alarming rate,” said MessageLabs chief information security analyst Paul Wood, whose company issued a high-level alert on the worm. “This is despite using unsophisticated social engineering techniques and clearly displaying an executable attachment.”

MessageLabs said the worm “makes a poor attempt to lure users” into double-clicking on the attached file. The company, which also indicated the worm might attempt to download a secret program known as a Trojan, said Bagle resembles last year’s biggest virus, SoBig, in its rapid spread and in an embedded termination date, which is January 28th.

SoBig Bagle Bite

Wood told TechNewsWorld that the Bagle worm, which spoofs the “from” address to fool users, is similar to the SoBig.F worm in its ability to download a Trojan proxy application — which will cede control of an infected computer to a remote user who knows how to access the Trojan.

When executed, the worm opens calc.exe to mask the infection. It then creates a copy of itself in the Windows system directory, performs a mass-mailing routine and even attempts to download or connect to several remote Web sites.

Wood said some of the sites the worm links to are based in Germany, where there has been a series of viruses and worms recently that could be part of a larger spam or fraud operation.

“This one is just the latest in that line,” Wood said.

Easy Spread, Beyond Bagle

Ken Dunham, iDefense director of malicious code, told TechNewsWorld that despite earlier detection of Bagle, its impact was downplayed because its simplistic tactics were largely viewed as ineffective.

“Some said it didn’t have a chance in the wild,” Dunham said. “The fact is, it is curious, it is an attachment, it does get through, and you’re going to have users that are going to click on it. I think we need to redefine what we consider to be effective social engineering.”

Dunham said the Bagle outbreak, which could be blocked if users were to filter their attachments at the e-mail client level, illustrates how easy it is to spread a virus.

Code Curiosity

Wood said worms such as Bagle typically follow a pattern of waves whereby Asia, then Europe, then North America experience significant infections. While he said the impact diminishes with each wave as antivirus definitions are updated and users are educated, he noted that the spread of such a simple worm is troubling for virus fighters.

“This is probably about as basic as it gets,” Wood said. “The problem is, people have been talking about blocking executables for years, not months, and it really comes down to education.”

Dunham said the worm’s spread is a sad statement about the ease with which viruses and worms can spread on the Internet. “It just goes to prove how many companies still are not blocking against executable files,” he said. “After all of this time, all of these years, we still do not have the ability to shut down an executable.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels