No coffee, but here's another Bagle

A variant of the mass-mailing Bagle virus seems to have taken off a bit faster than the original--and its intent could be spam-related.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
A variant of the mass-mailing Bagle virus started spreading Tuesday, as U.S. businesses returned from the long weekend.

Like the original virus, Bagle.B spreads by sending an e-mail message with an attached copy of its code; a PC is infected when the recipient opens the attachment. The virus, which is programmed to stop spreading Feb. 25, installs software on a person's PC to allow Bagle.B's creator to take control of the computer.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

While the current variant of the virus is similar to the original Bagle, it seems to have taken off a bit faster, said Joe Telafici, director of operations for the antivirus and vulnerability emergency response team at security company Network Associates.

"We are seeing a little bit bigger spike with (reports of) the B variants than with the original virus," he said. The first reports of Bagle.B started coming in at 4:30 a.m. PST, he added, but by 7 a.m., the rate at which customers submitted reports started falling off. "It is already tailing off rapidly," he said.

Network Associates rated the virus a "medium" threat, and rival security company Symantec similarly gave the program a 3 on its 5-point scale for Internet threats. E-mail security firm MessageLabs said it stopped about 17,000 copies of the attachment in e-mail messages blocked by its service.

Bagle.B, also referred to as Beagle.B by Symantec, appears in an e-mail that may come from someone the victim knows. The e-mail has a subject line of "ID (random number)...Thanks." The virus is attached to the e-mail as an .exe file, which, when opened, will infect the computer.

Like the Sobig viruses, Bagle.B is capable of sending its own e-mail out, which means that it can efficiently create a steady stream of infected messages. The virus also grabs e-mail addresses from various files--including Web caches, text files and address books--on a person's computer and uses a randomly selected address in the "from" field of each e-mail it sends.

The virus installs a remote-access program and notifies the author of newly infected PCs by contacting several German Web sites and submitting the computer's information, Network Associates' Telafici said. He added that it seems likely that the attacker plans to use a computer compromised by the virus to send bulk e-mail.

"I still suspect this is as much spam-related as anything else," he said. "The author is collecting machines that will be used for some future event."

More information on the virus can be found at CNET's Virus Center. CNET Networks is the publisher of News.com.