Another Bagle variant tries to spread

New version turns off security and attempts to download malicious programs from the Net, but it's not likely to get far.

Robert Lemos, Staff Writer, CNET News.com, covers viruses, worms and other security threats.
Another version of the Bagle mass-mailing computer worm started spreading this week, but it likely won't get far, security experts said.

The virus, known both as Bagle.dll.dr and W32.Beagle.AQ, attempts to turn off security software on a victim's PC and then tries to download most of its malicious code from a list of 125 Web sites. However, the virus has not spread far because many of those Web sites cannot be contacted.

"For the most part, it's a list of Web sites that don't work," said Allysa Myers, virus research engineer for security software provider McAfee.

McAfee rated the virus as a low threat, and rival Symantec gave the program a two on its five-point scale of danger. Symantec also confirmed that at least half of the Web sites listed in the virus' code were not active.

"Overall, this is not one that we are watching to increase dramatically at all," said Alfred Huger, senior director of Symantec's security response group.

The latest incarnation of the Bagle virus is largely a copy of previous versions of the program. The first worm in the Bagle line started infecting computers in January.

Increasingly, computer viruses are used to spread software that surreptitiously uses computers to serve an attacker's purpose. Such "bot" software can be used by spammers and attackers to disrupt access to Web sites or collect personal financial information.

The latest variant of the Bagle virus arrives as an attachment, named "foto.zip", to an e-mail message. Opening the Zip archive and running either the HTML file or the program file will infect any Windows computer with the virus, unless the PC is protected by up-to-date antivirus software. If the Bagle virus cannot download any further instructions from the listed Web sites, it will only attempt to turn off security on the PC and copy itself to several folders, including any shared directories.
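The infection vector described above (a Zip attachment carrying an HTML file and a program file) is exactly the kind of thing a mail gateway can triage before the archive ever reaches a user. The following is an added example, not code from the article or from any vendor it quotes: it inspects a Zip attachment in memory and flags executable or active-content members. The member names `foto.html` and `foto.exe` and their contents are constructed placeholders for the example (the article names only the outer `foto.zip`).

```python
import io
import zipfile

# Extensions a mail gateway would not expect inside an archive that claims to
# hold photos. The article names two member types: an HTML file and a program file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ACTIVE_CONTENT_EXTENSIONS = {".html", ".htm", ".hta"}


def inspect_zip_attachment(filename: str, data: bytes) -> dict:
    """Return a triage verdict for a zip attachment without writing it to disk."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                lower = name.lower()
                parts = lower.split(".")
                ext = "." + parts[-1] if len(parts) > 1 else ""
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append(f"executable member: {name}")
                    # Double extensions such as photo.jpg.exe are a classic lure.
                    if len(parts) > 2:
                        findings.append(f"double extension: {name}")
                elif ext in ACTIVE_CONTENT_EXTENSIONS:
                    findings.append(f"active content member: {name}")
    except zipfile.BadZipFile:
        # A corrupt archive is itself worth a second look at the gateway.
        findings.append("malformed zip archive")
    return {"attachment": filename, "suspicious": bool(findings), "findings": findings}


def build_sample_attachment() -> bytes:
    """Construct an inert in-memory archive shaped like the described lure.

    Member names and contents are invented for this example; they contain no
    program logic, only placeholder text.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.html", "<html>placeholder lure page</html>")
        zf.writestr("foto.exe", "placeholder bytes, not a real program")
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    """Construct an archive holding only an image, which should pass triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff placeholder jpeg bytes")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment("foto.zip", build_sample_attachment()))
    print(inspect_zip_attachment("pics.zip", build_benign_attachment()))
```

The check only reads the central directory, so it costs little per message and can run on every inbound archive; a gateway would typically quarantine anything with a non-empty `findings` list rather than relying on the desktop antivirus the article says the worm tries to disable.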

However, if it does download the additional instructions, Bagle will send itself out to any e-mail addresses it finds on the PC, skipping any that belong to major software companies, Linux companies and security providers, a tactic that has become a common way to delay detection of such viruses.

The enhanced virus also will open a back door into the victim's computer to create an e-mail relay, which can be used by spammers to route bulk e-mail through the PC.

As security-conscious Internet service providers shut down the malicious and compromised Web sites, the latest Bagle variant will find it increasingly difficult to spread.