A new fast-spreading variant of the Bagle worm has prompted anti-virus companies to raise their threat level to “moderate”, one of the highest seen this year.
Discovered only a day ago, the new mass-mailing and peer-to-peer Windows worm, Bagle-ay, appears to have been more virulent than first anticipated. The worm has a number of aliases and is also variously referred to as [email protected] and Bagle.ax, depending on the anti-virus vendor referenced.
The worm arrives in an e-mail bearing a number of plausible subject lines, including “thanks for use of our software” and “before use read the help”, bearing the usual attachment nasty. Running this initialises the payload, primarily a search for the executables of a number of security programs, which it attempts to tamper with. It then mails itself to any address book entries it finds before trying to download code into the Windows directory from a long list of domains.
The worm is picky about who it will let itself be sent to, however. It specifically excludes any entries found with an “@help” suffix or with an address at a number of companies, including Google, Microsoft and security companies MessageLabs, Sophos and Panda.
Bagle first struck a year ago, with its source code being posted last summer, prompting the appearance of new variants. The new variant looks to be an attempt to use the anniversary of its first appearance to start a new Bagle wave.
This is unlikely to be the last time that we hear about Bagle.