The number of new infections caused by the mass-mailing computer worm is dropping, say security experts--suggesting Bagle may be toast before it reaches its cutoff date.
The worm is programmed to stop contaminating computers on Jan. 28, but seems destined to drop off the security industry's radar before that date. The program spreads through e-mail and infects the PCs of people who open the attachment.
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
"It peaked yesterday, and it's starting to die down," said Vincent Weafer, the senior director of security response for antivirus company Symantec. "It doesn't compare to many of the mass-mailers that we saw last year."
The number of customers reporting a Bagle infection has declined since Monday, according to Weafer. Network Associates, a rival antivirus company, said it had an almost 40 percent fall in the number of reports received from its customers.
Despite the drop-off, concerns remain that Bagle--which seems patterned on last year's most effective virus, Sobig--is just the first of a series of programs that will become more effective at attacking PCs with each new version.
In addition, PCs infected with Bagle.a, also known as Beagle.a, may already have had other programs installed on their system by the virus, uploaded from a Web site that has since been closed down. Bagle attempts to install the Mitglieder network proxy program, which allows intruders and spammers access to a victim's PC, in addition to trying to upload a password-stealing program.
Half the hundreds of thousands of computers infected by Bagle are in China, Korea, the United States and Australia, according to data compiled by F-Secure, a Finnish antivirus company.
The surprise for many security experts is that the current Bagle virus has spread so widely.
"It is surprisingly effective, considering it has no social engineering whatsoever," said Paul Wood, the chief information security specialist at MessageLabs, an e-mail service provider. "There is no attempt to disguise it, yet people are still opening it, which is kind of bizarre, because it shows that education about not opening attachments isn't as widespread as we hoped."
MessageLabs, which filters out spam and viruses from e-mail for clients, said it has stopped nearly 150,000 copies of the Bagle virus since Sunday--about 1 in every 136 messages processed by the company.
Bagle.a prevention and cure
While security experts believe that Bagle was written from scratch, the program's blueprint is similar to that of the Sobig virus, which started attacking computers a year ago. Like Sobig, Bagle uses its own home-brewed e-mail program to send messages quickly, rather than use the e-mail functions built into Microsoft Outlook, for example.
"This virus really has the characteristics of everything we have seen over the last year," said Vincent Gullotto, a vice president in Network Associates' antivirus emergency response team. "Rather than grabbing Sobig or Mimail and working with that, the writer creates a totally new virus."