New Variation Of Bagle Spreading Fast

February 18, 2004

More virus trouble afoot. This time it’s a variation of Bagle.

MessageLabs reports that it’s intercepted more than 10,000 copies in an hour as of this morning. Most seem to be from the UK and the U.S., although the first copy it received was from Poland.

It appears to be a mass-mailing worm, installing a backdoor Trojan on infected machines much like its predecessor. It looks like this:

Subject: ID <random>… thanks
Text:  Unknown
Attachment: <Random>.exe
Size: 11264 bytes

eWeek says it also includes a component that notifies the author each time a new machine is infected. The attachment will mail the virus to all of the names found on the user’s hard drive, with the exception, for some reason, of addresses in the Hotmail, MSN, Microsoft and AVP domains.

Bagle.B also opens port 8866 and begins listening for remote connections, according to an analysis done by Network Associates Inc.’s McAfee AVERT team. The virus also sends an HTTP notification, presumably to the author, notifying him that the machine is infected.
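The message traits listed above (subject pattern, .exe attachment, 11264-byte size) are the kind of thing a mail gateway can test for. The Python below is an added example, not code from the original post or from any of the vendors it cites; the subject regex is an assumed reading of "ID <random>… thanks", and the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed reading of the article's "ID <random>... thanks" subject line.
SUBJECT_RE = re.compile(r"^ID\s+\S+.*thanks\s*$", re.IGNORECASE)
REPORTED_SIZE = 11264  # attachment size in bytes, as given in the article


def bagle_b_traits(raw: bytes) -> set:
    """Return which of the article's traits a raw e-mail message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    traits = set()
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        traits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if not name.endswith(".exe"):
            continue
        traits.add("exe-attachment")
        body = part.get_payload(decode=True) or b""
        if len(body) == REPORTED_SIZE:
            traits.add("reported-size")
    return traits


def is_suspect(raw: bytes) -> bool:
    """Quarantine only when all three traits match; the subject alone is weak."""
    return bagle_b_traits(raw) == {"subject", "exe-attachment", "reported-size"}


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message; the attachment is filled with zero bytes, not malware."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in [("ID kqzvbnm... thanks", "kqzvbnm.exe", 11264),
                 ("ID badge request, thanks", "form.pdf", 20480)]:
        print(args[0], "->", sorted(bagle_b_traits(build_sample(*args))))
```

The second constructed message matches the subject pattern but nothing else, which is why the check requires all three traits before flagging.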
