Reheated Bagle smokes out antivirus defenses

New version of mass-mailing worm, discovered Friday, tries to disable defenses on destination PCs.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
A new version of the fast-spreading Bagle mass-mailing worm was discovered Friday, and its threat level quickly rose to moderate, according to security experts.

Bagle.BB, also known as W32/Bagle.bb@MM, was raised to a medium risk assessment by security company McAfee. The virus had triggered more than 100 reports to McAfee's antivirus and vulnerability emergency response team by early morning in Europe. Antivirus software makers have also identified two other variants of the Bagle virus that are successfully spreading.

Other security experts noted that there are specific challenges with the latest variant of Bagle.

This version appears as an e-mail message with a smiley face :)). It only affects Windows machines.
"This version tries to block the Netsky virus on users' machines, which seems like retaliation on Netsky," said Stefana Ribaudo, a security management product manager for Computer Associates International. The authors of the Bagle and Netsky variants have taken to taunting each other in the worms' software code.

Ribaudo added that the Bagle virus, which is also known as Bagel AX and W32.Beagle.AV, tries to disable antivirus software loaded on people's computers.

Increasingly, computer viruses are serving as a tool to surreptitiously use another person's computer to send out spam or collect personal financial information.

Security experts note that the profit that can be made from these activities is driving the rapid rise in virus and hacker attacks.

The most recent version of the Bagle virus is another in a long list of variants of the virus, which began infecting computers in January.

BitDefender Labs noted that the new Bagle variant creates copies of itself in varying lengths, in a move to make it harder to filter out of e-mails using antivirus software.

Bagle.BB harvests addresses from local files and then uses those addresses in the "from" field to send itself, according to McAfee.

As a result, the recipient of Bagle.BB receives a bogus e-mail with a spoofed sender address, which, for example, may appear to come from a legitimate friend, business associate or family member.

The subject header from the spoofed sender will contain such greetings as "Hello," "Thank you!" and "Thanks :)."

As with a number of viruses, it spreads when the recipient opens the e-mail attachment. The executable name of the attachment is listed as "price," "Price" or "Joke," according to McAfee.

Once the virus in the attachment has been released, it will copy itself into the Windows system directory. It will also open TCP port 81 as a means of remote access to the user's computer.
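The subject lines and attachment names reported above can be turned into a simple mail-gateway check. The following is an added example, not code from CNET, McAfee or any vendor named in the article; the function names, the sample messages and the file extensions in them are constructed, and matching on the filename stem is an assumption because the article gives no extension.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Indicators quoted in the article (attributed there to McAfee).
# The article's trailing period in "Thanks :)." is read as sentence punctuation.
SUBJECTS = {"hello", "thank you!", "thanks :)"}
ATTACHMENT_STEMS = {"price", "joke"}  # "price", "Price" and "Joke", case-folded

def bagle_bb_indicators(raw_message: bytes) -> list:
    """Return the article's indicators that this raw message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Assumption: no extension is given in the article, so compare the stem only.
        stem = PurePosixPath(name.replace("\\", "/")).stem.lower()
        if stem in ATTACHMENT_STEMS:
            hits.append("attachment:" + name)
    return hits

def should_quarantine(raw_message: bytes) -> bool:
    """Flag only when a listed subject and a listed attachment name co-occur.
    The From address is ignored because the worm spoofs it."""
    kinds = {hit.split(":", 1)[0] for hit in bagle_bb_indicators(raw_message)}
    return kinds == {"subject", "attachment"}

def sample_message(subject: str, filename: str = "") -> bytes:
    """Build a constructed test message; not a real sample."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "friend@example.com", "user@example.com", subject
    m.set_content("constructed body")
    if filename:  # extensions used in the samples below are constructed
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Thanks :)", "Price.exe"), ("Hello", ""), ("Minutes", "joke.scr")]:
        raw = sample_message(subj, fname)
        print(subj, fname, bagle_bb_indicators(raw), should_quarantine(raw))
```

Requiring both indicators keeps an ordinary "Hello" message from being quarantined, and the check does not depend on attachment size, which the article says varies between copies.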