Two new Bagle variants spreading rapidly

29 Oct 2004
Virus News

Kaspersky Lab has detected two new Bagle variants - I-Worm.Bagle.at and I-Worm.Bagle.au. Both variants have been mass mailed, which may lead to an outbreak in the near future.

Kaspersky Lab virus analysts estimate that several million copies of the new Bagles have been sent. Spam technologies ensure that the new malware is spread worldwide. However, a seeding does not yet mean that an outbreak has began, though the backdoor function and in-built proxy email server do pose a real threat.

The two Bagles differ only in the version of the packer the authors used to pack the attachmed file which contains the worms. Both worms spread using techniques used by most worms today. The Bagles scan the infected machine for files containing email addresses and send copies of themselves to all of the harvested addresses. Both Bagles also install an email proxy server that can be controlled from port TCP 81, which the worms open. This proxy server can be used as a platform for spam, to mail more copies of the worms, to attack web sites and much more.

Emails containing both Bagles are easy to identify: the subject is 'Re: Hello', the body only contains a smiley and the worm is in the attachment (see screenshot).

Kaspersky® Anti-Virus databases have been updated to protect registered users against both Bagles.