Latest Threats
New variant of Bagle Worm spreading fast!
War between virus writers continues
Inter Engineering warns about a new variant of
the notorious Bagle worm, called Bagle.AT, which is spreading fast.
Bagle.AT spreads through mass email messages and through peer-to-peer
networks.
The subject of each message is chosen from the following:
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi
The message body is either empty or consists only of a smiley,
:) or :)).
The attached file is named “Price”, “price” or “Joke”, with the
extension com, exe, scr or cpl.
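The three traits described above (subject, body, attachment name) can be checked together at a mail gateway. The following Python code is an added example, not part of the original advisory; the function names, the rule that all three traits must match, the case-insensitive extension comparison and the sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators exactly as listed in the advisory text above.
SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
BODIES = {"", ":)", ":))"}
STEMS = {"Price", "price", "Joke"}
EXTENSIONS = {"com", "exe", "scr", "cpl"}


def bagle_at_indicators(raw: bytes) -> dict:
    """Report which of the three described traits a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content().strip() if text is not None else ""
    attachment = False
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").rpartition(".")
        # Assumption: extension compared case-insensitively; name is exact.
        if stem in STEMS and ext.lower() in EXTENSIONS:
            attachment = True
    return {"subject": subject in SUBJECTS, "body": body in BODIES,
            "attachment": attachment}


def is_suspect(raw: bytes) -> bool:
    """Flag only when all three traits agree, to limit false positives."""
    return all(bagle_at_indicators(raw).values())


def build_sample(subject, body, filename) -> bytes:
    """Constructed sample message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = subject
    if body is not None:          # None = message with no text part at all
        m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(is_suspect(build_sample("Re: Thanks :)", ":))", "Joke.scr")))
    print(bagle_at_indicators(build_sample("Re: Hello", "Draft attached.", "report.exe")))
```

Requiring all three traits keeps an ordinary reply with an unrelated attachment from being flagged; the per-trait result can still be logged for review.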
Spreading through peer-to-peer networks is done simply by creating an
infected file in the related shared folder with an attractive name
that gives it a good chance of being downloaded, such as “WinAmp 5
Pro Keygen Crack Update.exe”. The worm randomly chooses from a
selection of 19 such “interesting” names.
The worm has a backdoor that listens on port 81. This way an infected
computer can be used by the worm’s author(s). Judging from previous
Bagle-infected machines, the authors most probably intend to use
infected machines for spamming activities.
There have been 38 Bagle variants since February 2004, which are clearly
written by or for spammers to make money. Because of similarities, it is
believed that the Bagle authors are also the creators of the Mydoom
worm.
The large number of variants in a relatively short timespan is the
result of an ongoing war between the Bagle and Netsky authors since
February 2004.
There are now 36 Netsky variants and 38 Bagle variants.
Whereas the Bagle worm is spread for exploitation purposes, the Netsky
worm is relatively harmless, since its only actions are spreading and
attempting to remove Bagle infections. That is apart from the insulting
messages that both parties pass to each other inside their code.
The latest Bagle.AT variant contains several “measures” which protect
it from being removed by Netsky. It also attempts to detect Netsky
infections and disable them.
The 18-year-old German Sven Jaschan has been accused of writing the
Sasser worm and is also believed to have written at least several
variants of Netsky. He was charged with sabotage by German police.
Jaschan is believed to be responsible for 70 percent of the virus
infections in 2004.
Josmaarten Swinkels of Inter Engineering comments: “It is most
probably true that the writer(s) of Netsky had noble intentions but
they have caused a war over the backs of millions of innocent computer
users. The Bagle authors are doing this for big money so they are
certainly not going to be intimidated by other virus writers. Let’s
hope that the Netsky authors give this up before any others get the
same heroic ideas.”
Inter Engineering strongly recommends keeping anti-virus software
updated in real time, as well as using a firewall to block
unwanted traffic (such as the exploitation of infected machines). Inter
Engineering also discourages the use of peer-to-peer networking
software on work-related machines.
Bagle.AT is detected by F-Secure Anti-Virus updates of 29-10-2004.
For more information, contact Inter Engineering.
About Inter Engineering
Inter Engineering is one of the few companies specialized in data
security. The company has been active in protection against
computer viruses since 1992 and has since extended its activities to
strong cryptography, access control, copy protection, biometrics and
data recovery. The company cooperates closely with leading providers
globally and contributes actively to research and development. It also
maintains close relationships with scientific organizations. Thus
Inter Engineering is able to provide consultancy and solutions for
almost any data security issue.
To contact us: Inter Engineering
P.O. Box 1626
410 02 Larissa, Greece
Tel. +30.2410.670030
Fax. +30.2410.670006
Email: sales@inter.gr