Security threats Toolkit

New Bagle opens another spam backdoor

Tags:
Attachment,
Spread,
Worm,
Internet

Published: 16 Jul 2004 08:35 BST

Unknown online vandals with an apparent connection to spam email have created a new version of the Bagle computer worm that has spread somewhat successfully in the past 24 hours, antivirus companies said on Thursday.

The mass-mailing computer virus, dubbed Bagle.AF or Beagle.AB by different security firms, opens a path for intruders to relay bulk email messages through the infected computer and attempts to contact one of almost 150 compromised German Web sites to let the attackers know of their latest conquest.

"It certainly is successful," said Oliver Friedrichs, senior manager for antivirus firm Symantec's security response centre. "It is definitely comparable to threats that we saw earlier this year such as MyDoom."

Symantec raised the virus to a threat rating of three on its five-point scale, while rival antivirus firm McAfee -- formerly Network Associates -- gave the program a medium danger rating.

The latest incarnation of the Bagle virus is largely a copy of previous versions of the program, Friedrichs said. The first worm in the Bagle line started infecting computers in January.

Bagle.AF arrives in email as an attached file and infects computers running the Windows operating system if the user opens the file. The program attempts to halt more than 250 security applications from running on the computer, mails itself to any email address it can find on the computer, and contacts one of 141 German Web sites, twice the number that a previous version of the virus contacted. The diverse range of Web sites have probably been compromised by online vandals, leaving behind software to record which computers have been infected by the Bagle worm.

With that information, the vandals can use the compromised computers to spread spam, or sell the information to spammers, Friedrichs said. The virus leaves open a backdoor specifically for that purpose.

Increasingly, computer viruses are used to spread software that surreptitiously converts computers to an attacker's purpose. Such "bot" software can be used by spammers and more dangerous online denizens to disrupt access to Web sites or collect personal financial information.

And while the latest Bagle worm uses an old method of spreading itself, it's still effective. Symantec has had almost 175 reports of infections, Friedrichs said.

"I think what we are seeing is that these threats will continue to be successful because people are continuing to trust attachments and continuing to click on them," he said. "Really, the human factor is the weakest link that is allowing these worms to be so successful."