Security threats Toolkit

Bagle turns to verse

Published: 27 Apr 2004 08:40 BST

The author of the latest variant of the Bagle worm has gone beyond penning just a piece of code: the writer has also included a poem in the document attachment on which the worm piggybacks.

The malicious program, known as Bagle.Z, has not spread very quickly, said Vincent Gullotto, vice president of the antivirus emergency response team for Network Associates, which makes security software.

"I don't anticipate this one to last long," he said, adding that the variant has had some initial success because the worm attaches itself to email in a control panel file, which is an executable not used by virus writers before. "It is not a file that most people would typically block, so it may penetrate into some environments."

The release of Bagle.Z is the latest in what appears to be a contest between the writers of two worms: Bagle and NetSky. A recent version of NetSky, or SkyNet, as the author calls it, included a promise by the writer to keep creating new versions as long as the creator of the Bagle worm keeps revising that program.

While there were at least six different versions of NetSky released in April, far fewer Bagle variants have been seen this month. Virus experts believe that the source code to the NetSky worm was leaked to the Internet by the author, and so it is likely that no single author created all the variants.

Several version of the Bagle worm were released in March. However, the program has not spread widely. Email service company MessageLabs reports having seen a relatively small number -- several hundred -- of the worm's email messages, the company said in an email release.

The variant continues the trend of using a randomly chosen name from a list of words for the subject of the message and for the attachment that contains the program. Additionally, the worm uses a graphic of three cherries, similar to a winning result on a slot machine, as the icon for the executable attachment, said Network Associates, which is planning to change its name to McAfee.

The attachment also contains these four lines of text, which appear in capital letters:

"Unique people make unique things That things stay beyond the normal life and common understanding The problem is that people don't understand such wild things, Like a man did never understand the wild life."

Attaching a poem to a virus is not a new technique. In the early 80s, what is believed to be the first Apple II virus displayed a poem every 50th time that the infected computer started up.