Bagle, a new Internet Worm, Makes Its Presence Felt
19 Jan 2004
Kaspersky Lab, a leading information security software developer is warning users about I-Worm.Bagle, a new Internet worm detected in the wild. The worm spreads via email with a random sender address. Kaspersky Lab has received reports of infections from around the world; Bagle is causing a significant outbreak.
The worm is a Windows EXE file about 15 KB in size attached to emails with random sender addresses. The subject, 'Hi', body, 'Test =)' and signature 'Test, yep' are constant, whereas the name of the attachment is random.
Once the worm is launched, it copies itself into the Windows directory and attempts to download and launch Mitglieder, a Trojan proxy server, on the infected machine. This proxy server allows the 'master' to use the infected machine as a platform to send more copies of the malicious code. Currently, all links to Internet sources for downloading Mitglieder are deleted. Thus, I-Worm.Bagle cannot use this technology to increase propagation speed.
As a result, at this time, I-Worm.Bagle is using a technique standard for Trojan programs. Bagle scans the file system on infected machines for files with extensions wab, txt, htm and r1. The worm then sends copies of itself to all email addresses that it uncovers, using a built in SMTP server.
Kaspersky® Anti-Virus databases have already been updated with protection against Bagle