[Alsfastball] New Bagle Variant Called 'Worst of the Year'

Al Doran aldoran at pmihrm.com
Thu Jul 22 11:53:35 EDT 2004 

New Bagle Variant Called 'Worst of the Year'

(we have received at least 50 of these in the last 24 hours, most Spoofed 
(forged) with the email addresses of people we know - but the emphasis is 
on FORGED - they did not come from the address that appears as the sender - 
so don't blame them - OR me.)..

http://www.eweek.com/article2/0,1759,1624970,00.asp?kc=ewnws072004dtx1k000059


Another version of the tenacious Bagle virus is on the loose, and some 
security experts and administrators say it is among the more persistent 
viruses they've seen all year.

Bagle.AI, which was discovered Monday, is quite similar to the 
<http://www.eweek.com/article2/0,1759,1623365,00.asp>dozens of other 
variants in its family, and there seems to be little reason for its success 
rate. It arrives via e-mail, usually with a subject line of "Re:" and a 
spoofed sending address. The body text is random, as is the name of the 
attachment.


The attachment has one of several file extensions, including .scr, .exe, 
.zip, .cpl and .com. In some instances, the Zip file is password-protected, 
in which case the body of the infected e-mail includes a password, pass and 
key, all of which are random numbers, according to McAfee Inc.'s analysis 
of the worm. The name of the attachment often contains the term MP3 in one 
form or another.


Once it executes, Bagle.AI copies itself to the Windows System directory in 
a file named WinXP.exe and opens TCP port 1080 and UDP port 1040. It 
appears that the worm uses these ports to communicate with its creator and 
report back each time it infects a new machine.


McAfee, based in Santa Clara, Calif., said it received more than 150 
submissions of Bagle.AI on Monday. Bill Franklin, president of Miami-based 
Zero Spam Network Corp., which provides a managed e-mail security and 
anti-spam service, said his company's servers have been bombarded by copies 
of the new variant all day.

"This is by far the worst one of the year," Franklin said.

The latest member of the Bagle family is the fourth variant to be released 
since Thursday, when 
<http://www.eweek.com/article2/0,1759,1624336,00.asp>Bagle.AF hit the 
Internet.


Check out eWEEK.com's Security Center at 
<http://security.eweek.com>http://security.eweek.com for security news, 
views and analysis.

  Als Fastball List
*Email: fastball at pmihrm.com
http://www.alsfastball.com/
http://www.ISCfastball.com/
NEWS: http://www.escribe.com/sports/alsfastball/
TEMP: http://www.fastpitchwest.com/alsfatball.htm

More information about the Alsfastball mailing list