Security threats Toolkit

Antivirus firms fear Bagle's bite

Andrew Colley ZDNet Australia

Published: 19 Jan 2004 09:00 GMT

Computer-security experts fear a new worm -- Bagle-A -- which has begun spreading rapidly across Australian email networks could be a rehearsal for a more concerted attack in coming weeks.

eAccording to Daniel Zatz, security director for Computer Associates Australia, Bagle-A carries an expiry date, possibly indicating more robust versions of the worm could be ready for release soon.

According to Zatz, while Bagle-A is already successful, responsible for an alarming 80 percent jump in queries to CA's help desk and in virus submissions to rival computer security company Sophos, the current version of the worm contains bugs.

Comparing Bagle to the infamous Sobig virus which flooded global email networks last year, Zatz fears that a more virulent version of new worm could appear soon.

"One of our biggest concern is that if we look back a year ago at the Sobig variants, they all had drop-dead dates, and every time one hit that drop dead date a new variant came out; a new and improved variant of it," said Zatz.

Bagle-A is due to expire on January 28, suggesting tuned variations of the worm could appear as early next week.

Bagle-A's creators, like authors of many previous successful worms, have relied on the ignorance and curiosity of email users for the worm's success.

The worm arrives in email inboxes as a message containing few lines of text suggesting that the email may be from system administrator, as well as an executable attachment. When the attachment is activated by its receiver the worm then installs a program on the recipient computer that allows the worm to be emailed on to other users in the system's local address book.

The worm also attempts to installs a backdoor or Trojan on infected machines, listening for activity on port on 6777.

Sean Richmond, support manager with anti-virus software vendor Sophos Australia and New Zealand, said the company was still examining the Trojan to see what else it was capable of.

Given that most corporate email servers block transmission of executable attachments, CA's Zatz believes that home and medium-sized enterprise users are responsible for spreading the new worm.

Zatz could give no other explanation for the worm's apparent success than "pure curiosity" on the users' part.

Another possible factor in the worm's success, Zatz said, was the fact the worm's creators programmed the worm to email itself to handful of popular domains to evade swift detection by dominant Web enterprises such as Hotmail, MSN and a large Russian computer security agency.

Richmond said favourable timing may help contain the Bagle. According to Richmond, Bagle's appearance in the Asia-Pacific region should give antivirus companies adequate time to prepare software and procedures for US and European companies before they open for trading.

Users who suspect their computers may be infected with the virus should look for a file called bbeagle.exe in their Windows System directory. The file disguises itself with Microsoft's familiar calculator icon.