Another Bagle, another epidemic
27 Jan 2005
Kaspersky Lab, a leading developer of secure content management solutions, has detected another new modification of the Bagle worm: Bagle.ay. This new variant is spreading rapidly, and has already caused a serious outbreak.
Bagle.ay spreads via the Internet as an attachment to infected email messages. The worm itself is a 19KB Windows executable. It arrives in messages carrying one of the following subjects: "Delivery service mail", "Delivery by mail", "Registration is accepted", "Is delivered mail" or "You are made active". The message body reads either "Thanks for use of our software" or "Before use read the help". The attachment name is one of "wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02" or "Jol03".
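The lure indicators above turned into a mail-gateway triage check, as an added example written for this page (not Kaspersky code): it parses a raw message, matches the subject, body text and attachment name stem against the lists in the advisory, and checks whether an executable attachment is close to the reported 19KB. The executable-extension list, the size tolerance, the scoring rule and the constructed sample message are assumptions of this example.

```python
"""Triage check for the Bagle.ay lure described in the advisory.

Added example, not Kaspersky code. The subject, body and attachment-name
lists come from the advisory; the extension list, size tolerance, scoring
rule and sample message are this example's own assumptions.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators quoted in the advisory.
SUBJECTS = {
    "Delivery service mail", "Delivery by mail", "Registration is accepted",
    "Is delivered mail", "You are made active",
}
BODIES = {"Thanks for use of our software", "Before use read the help"}
ATTACH_STEMS = {"wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "jol03"}
# Assumptions: executable extensions worth flagging, and slack around the reported 19KB.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".cpl"}
SIZE_RANGE = (17 * 1024, 21 * 1024)


def score_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report which indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "body": False, "attachment": False, "size": False}
    hits["subject"] = (msg["Subject"] or "").strip() in SUBJECTS
    for part in msg.walk():
        if part.is_attachment():
            stem, ext = os.path.splitext((part.get_filename() or "").lower())
            payload = part.get_payload(decode=True) or b""
            if stem in ATTACH_STEMS and ext in EXEC_EXT:
                hits["attachment"] = True
            if ext in EXEC_EXT and SIZE_RANGE[0] <= len(payload) <= SIZE_RANGE[1]:
                hits["size"] = True
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() in BODIES:
                hits["body"] = True
    return hits


def is_bagle_ay_lure(raw: bytes, min_hits: int = 2) -> bool:
    """Flag the message when the attachment name matches, or when at least
    min_hits indicators match together (assumed scoring rule)."""
    hits = score_message(raw)
    return hits["attachment"] or sum(hits.values()) >= min_hits


def build_sample(subject: str, body: str, filename: str, size: int) -> bytes:
    """Construct a message in the shape the advisory describes (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ" + b"\x00" * (size - 2), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Delivery by mail", "Before use read the help", "wsd01.exe", 19 * 1024)
    print(score_message(lure), is_bagle_ay_lure(lure))
```

The attachment stem combined with an executable extension is treated as sufficient on its own; the subject and body strings are scored together so that a single coincidental subject does not quarantine legitimate mail. Feed `score_message` the raw bytes of a queued message at the gateway and log the full hit dictionary, not just the verdict.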
The worm is activated when the user opens the attachment, which launches the infected file. The worm then copies itself to the Windows system directory and registers that copy in the system registry. Bagle.ay also terminates processes that protect the victim machine and the local subnetwork, leaving the infected machine open to further attacks by other malicious code.
Bagle.ay uses a standard propagation routine to spread. It scans the victim machine's file system to harvest email addresses, and then sends itself to these addresses. However, it does not send itself to addresses which appear to be connected with the antivirus industry or major software developers. This explains why antivirus companies have received relatively few samples of this new version of Bagle. The worm connects directly to SMTP servers to send infected messages.
In order to spread more widely, the worm also propagates via P2P networks and shared network resources. It searches for directories whose names contain 'shar' and copies itself into those directories under names similar to those of popular applications and utilities.
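A hunting script for the share-based spread just described, as an added example written for this page (not Kaspersky code): it walks a file tree, looks only inside directories whose name contains 'shar', and reports executables whose size is close to the 19KB the advisory gives, with a SHA-256 for follow-up. The size tolerance, the extension list, the function names and the constructed sample tree are assumptions of this example; the advisory does not list the application names the worm imitates, so the script does not try to match them.

```python
"""Hunt for worm copies dropped into share-like directories.

Added example, not Kaspersky code. The 'shar' directory-name substring and
the 19KB file size come from the advisory; the size tolerance, extension
list, function names and sample tree are this example's own assumptions.
"""
import hashlib
import os
import tempfile

SHARE_MARKER = "shar"                           # from the advisory
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}     # assumed extensions worth flagging
SIZE_RANGE = (17 * 1024, 21 * 1024)             # assumed slack around the reported 19KB


def find_share_drops(root: str) -> list:
    """Walk root and return executables of roughly 19KB that sit in a directory
    whose path (relative to root) contains 'shar', with a SHA-256 for follow-up."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if SHARE_MARKER not in os.path.relpath(dirpath, root).lower():
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXEC_EXT:
                continue
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            if not SIZE_RANGE[0] <= size <= SIZE_RANGE[1]:
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            findings.append({"path": os.path.relpath(path, root), "size": size, "sha256": digest})
    return findings


def build_sample_tree(base: str) -> None:
    """Create a small directory tree for testing (constructed sample, not real data)."""
    fake_pe = b"MZ" + b"\x00" * (19 * 1024 - 2)
    os.makedirs(os.path.join(base, "Shared Docs"))
    os.makedirs(os.path.join(base, "Projects"))
    with open(os.path.join(base, "Shared Docs", "setup.exe"), "wb") as fh:
        fh.write(fake_pe)               # looks like a dropped copy
    with open(os.path.join(base, "Shared Docs", "notes.txt"), "w") as fh:
        fh.write("benign document\n")   # wrong extension, ignored
    with open(os.path.join(base, "Projects", "tool.exe"), "wb") as fh:
        fh.write(fake_pe)               # right size, but not in a share directory


def demo() -> list:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_share_drops(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run `find_share_drops` against the local root of each exported share and compare the reported hashes with your antivirus vendor's detection; a file that matches on size and location but not on hash still deserves a look, since the worm family changes quickly.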
Detection for Bagle.ay has already been added to Kaspersky Anti-Virus databases. Users are advised to ensure that they update their antivirus programs on a regular basis. The Kaspersky Virus Encyclopaedia contains a detailed description of Bagle.ay.