Fast-Moving Bagle Worms Open PCs' Backdoors

edited October 2004 in Science & Tech
Two new versions of the venerable Bagle worm are on the loose, infecting PCs and opening backdoors as they go.
The pair are virtually indistinguishable from one another and also are quite similar to most of the other Bagle variants. The main area of concern for enterprises is the fact that both Bagle.BC and Bagle.BD open a backdoor on TCP Port 81 on infected PCs. Both versions were discovered early Friday morning.

Both variants are capable of spreading through peer-to-peer networks, as well as via e-mail. Both arrive in e-mail messages with spoofed sending addresses and one of a handful of meaningless subject lines, such as "Re:" "Re: Hello" or "Re: Thank you." The bodies of both variants contain just a single emoticon, and the name of the virus-infected attachment is either "Price," "price" or "Joke."

Once installed on a user's machine, the two variants try to download and execute a file from one of several dozen Web sites. And they both attempt to terminate a number of running security-related processes on the machine, according to an analysis of the worms by McAfee Inc., in Santa Clara, Calif.
Source: eWeek
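As an added example (not code from the eWeek article, McAfee or MessageLabs), the following mail-gateway heuristic checks a message for the three traits the article lists together: a throwaway "Re:" subject, a body that is nothing but an emoticon, and an attachment named Price/price/Joke. The emoticon set is an assumption and the two sample messages are constructed for the demonstration.

```python
"""Heuristic filter for the Bagle.BC/BD mail traits the article lists.
Added example, not eWeek's or any vendor's code; sample messages are constructed."""
from email import message_from_string

BAGLE_SUBJECTS = {"re:", "re: hello", "re: thank you"}  # subject lines from the article
BAGLE_ATTACHMENT_STEMS = {"price", "joke"}              # "Price", "price", "Joke"
EMOTICONS = {":)", ":-)", ";)", ";-)", ":(", ":-("}     # assumed emoticon set

def body_is_only_emoticon(msg) -> bool:
    """True when every text/plain part, once stripped, is a lone emoticon."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    if not parts:
        return False
    for part in parts:
        text = (part.get_payload(decode=True) or b"").decode(errors="replace")
        if text.strip() not in EMOTICONS:
            return False
    return True

def bagle_indicators(raw: str) -> dict:
    """Report which of the three traits matched; 'suspicious' needs all of them."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = {
        "subject": subject in BAGLE_SUBJECTS,
        "body": body_is_only_emoticon(msg),
        # Match on the file stem, case-insensitively, so Price.exe and price.zip both hit.
        "attachment": any(n.rsplit(".", 1)[0].lower() in BAGLE_ATTACHMENT_STEMS
                          for n in names),
    }
    hits["suspicious"] = all(hits.values())
    return hits

# Constructed samples shaped like the article's description, not real captures.
SAMPLE_BAGLE = (
    "From: someone@example.com\nSubject: Re: Hello\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n:)\n"
    '--b1\nContent-Type: application/octet-stream; name="Price.exe"\n'
    'Content-Disposition: attachment; filename="Price.exe"\n\nMZ...\n--b1--\n'
)
SAMPLE_BENIGN = (  # same throwaway subject, but a real body and a harmless file name
    "From: colleague@example.com\nSubject: Re: Hello\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b2"\n\n'
    "--b2\nContent-Type: text/plain\n\nHi, the report is attached.\n"
    '--b2\nContent-Type: application/pdf; name="report.pdf"\n'
    'Content-Disposition: attachment; filename="report.pdf"\n\n%PDF\n--b2--\n'
)
```

Requiring all three traits keeps a legitimate "Re: Hello" reply from being quarantined on the subject alone, which is why the benign sample only scores on that one key.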

Comments

  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited October 2004
    And they are doing it in volume. MessageLabs has intercepted 887,000-plus messages (as of yesterday, Oct 29, 2004) containing those values, and flags the variants as W32/Bagle.BA@MM and W32/Bagle.BB@MM (different virus vendors use different versioning; these are e-mails containing the exact same payload as what eWeek is talking about). For normal users, if you get something with a smiley in text form and no other visible content when you look at the message as plain text, don't LOOK at the attachment. Also, the FROM e-mail address is 100% guaranteed to be a spoofed address.
  • edited October 2004
    Some of the new variants are also disabling antivirus services. This looks to be a particularly nasty round of virii on the loose.