New Bagle variants await instructions for control
New Bagle variants have been discovered and, while they don’t spread, they’re just as dangerous as their mass-mailing siblings.
Kaspersky says it has seen large numbers of the new Bagles and reports 15 variants of this latest version, differing for the most part in the way they are packed, rather than in the virus contained within. But F-Secure says there are at least two new variants of the Bagle worm.
They arrive as an email with a random subject and message and a randomly named .exe file attached.
If the attachment is clicked, it runs, copies a version of Bagle to the target system and attempts to turn off the security processes protecting the computer and the network to which it is attached.
Kaspersky says the viruses are not fully functional. McAfee adds that the variants have the ability to download further code and instructions from the Internet. It has raised the threat level to medium. F-Secure too says it has seen four different downloader components in this new batch of viruses and that at least some of the variants do have the capability to spread.
‘One feature of these new variants is to use infected computers to seed out emails with the downloader program as an attachment. This explains the big numbers we were seeing,’ said F-Secure’s researchers.
‘Normally Bagle variants search the local hard drive to find email addresses to send itself to. These new variants connect to a web back-end. The back-end server will then return 50 unique email addresses that it generates using directory harvest techniques. The virus will then send a copy of itself to these addresses and loop over.’
F-Secure says it has contacted the company unwittingly hosting the back-end and hopes that it will shortly be shut down.
As ever, security vendors advise end users to follow safe computing best practice and to ensure security software is up to date.