Security threats Toolkit

Bagle's spread cools down

Published: 21 Jan 2004 10:30 GMT

Bagle.a, the first major mass-mailing computer virus this year, is starting to slow down after infecting hundreds of thousands of computers, security experts said on Tuesday.

The worm is programmed to stop contaminating computers on 28 January, but seems destined to drop off the security industry's radar before that date. The program spreads through email and infects the PCs of people who open the attachment.

"It peaked yesterday, and it's starting to die down," said Vincent Weafer, the senior director of security response for antivirus company Symantec. "It doesn't compare to many of the mass-mailers that we saw last year."

The number of customers reporting a Bagle infection has declined since Monday, according to Weafer. Network Associates, a rival antivirus company, said it had an almost 40 percent fall in the number of reports received from its customers.

Despite the drop-off, concerns remain that Bagle -- which seems patterned on last year's most effective virus, Sobig -- is just the first of a series of programs that will become more effective at attacking PCs with each new version.

In addition, PCs infected with Bagle.a, also known as Beagle.a, may already have had other programs installed on their system by the virus, uploaded from a Web site that has since been closed down. Bagle attempts to install the Mitglieder network proxy program, which allows intruders and spammers access to a victim's PC, in addition to trying to upload a password-stealing program.

Who's behind Internet worms and hacks?
Half the hundreds of thousands of computers infected by Bagle are in China, Korea, the United States and Australia, according to data compiled by F-Secure, a Finnish antivirus company.

The surprise for many security experts is that the current Bagle virus has spread so widely.

"It is surprisingly effective, considering it has no social engineering whatsoever," said Paul Wood, the chief information security specialist at MessageLabs, an email service provider. "There is no attempt to disguise it, yet people are still opening it, which is kind of bizarre, because it shows that education about not opening attachments isn't as widespread as we hoped."

MessageLabs, which filters out spam and viruses from email for clients, said it has stopped nearly 150,000 copies of the Bagle virus since Sunday -- about one in every 136 messages processed by the company.

While security experts believe that Bagle was written from scratch, the program's blueprint is similar to that of the Sobig virus, which started attacking computers a year ago. Like Sobig, Bagle uses its own home-brewed email program to send messages quickly, rather than use the email functions built into Microsoft Outlook, for example.

"This virus really has the characteristics of everything we have seen over the last year," said Vincent Gullotto, a vice president in Network Associates' antivirus emergency response team. "Rather than grabbing Sobig or Mimail and working with that, the writer creates a totally new virus."