The return of the Bagle

A new variant of the Bagle worm appears to be spreading rapidly. Kaspersky Lab says it has already caused a serious outbreak and uses a range of methods to ensure propagation.

The worm arrives as an email with a range of short texts in the subject and message fields and an attachment named wsd01, viupd02, siupd02, guupd02, zupd02, upd02 or Jol03. The attachments are either plain Windows executables (.exe) or executables with a prepended Windows Control Panel Applet (CPL) stub.
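A mail-gateway check for the attachment indicators described above, added here as an example and not code from the original article or from any antivirus vendor. It walks a message, flags attachments whose base name is one of the listed names and whose extension is .exe or .cpl, and records whether the payload begins with the "MZ" magic of a Windows executable (a CPL applet is a PE DLL and carries the same header). The sample messages are constructed inline for the demonstration; the subject lines and sender addresses are assumptions.

```python
"""Flag Bagle-style attachments in an RFC 822 message.

Added example: the name list comes from the article, the rest (helper names,
sample messages, addresses) is assumed for the demonstration.
"""
import email
import os
from email.message import EmailMessage
from email.policy import default

# Attachment base names the article reports for this variant (compared case-insensitively).
BAGLE_NAMES = {"wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "jol03"}
# Plain executables or Control Panel applets (CPL), as described in the article.
BAGLE_EXTENSIONS = {".exe", ".cpl"}


def flag_bagle_attachments(raw_message: bytes) -> list[dict]:
    """Return one record per attachment that matches the name and extension indicators.

    Each record carries the filename and whether the decoded payload starts with
    the 'MZ' header of a PE executable, so a renamed non-executable is visible.
    """
    msg = email.message_from_bytes(raw_message, policy=default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # multipart containers and inline text carry no filename
        stem, ext = os.path.splitext(filename)
        if stem.lower() not in BAGLE_NAMES or ext.lower() not in BAGLE_EXTENSIONS:
            continue
        payload = part.get_payload(decode=True) or b""
        hits.append({"filename": filename, "pe_header": payload.startswith(b"MZ")})
    return hits


def build_sample(filename: str, payload: bytes, subject: str = "Hi") -> bytes:
    """Construct a small multipart message with one attachment (test input, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # assumed sender
    msg["To"] = "user@example.com"        # assumed recipient
    msg["Subject"] = subject
    msg.set_content("Hello")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed payloads: a fake PE header, a CPL with the same header, a PDF, and a matching name with a harmless extension.
    samples = [
        build_sample("wsd01.exe", b"MZ\x90\x00" + b"\x00" * 60),
        build_sample("Jol03.cpl", b"MZ" + b"\x00" * 10),
        build_sample("report.pdf", b"%PDF-1.4"),
        build_sample("upd02.txt", b"MZ"),
    ]
    for raw in samples:
        print(flag_bagle_attachments(raw))
```

The name match alone is a weak signal (worm authors change filenames between variants), so in practice the extension and MZ checks are the part worth keeping, and the name list is just the variant-specific refinement the article supplies.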

Once run, the worm copies itself locally and edits the Registry to ensure that it is run each time the computer is started.

It scans the hard drive for email addresses, which it uses to propagate itself. However, it avoids sending copies of itself to antivirus companies and to email addresses that look related to help and support services.

To avoid detection for as long as possible, Bagle searches out and closes down any processes it finds running that it believes are connected to antivirus or security software. This will leave the system open to further attacks.

It also copies itself under a variety of filenames to folders with ‘shar’ in the name in the hope that they will be copied into file-sharing networks and across shared resources in local networks.

In addition it opens a backdoor, listening for commands on port 81, and announces the infected system to its author by contacting a set of URLs. To keep the backdoor from being used by other attackers, the author encrypts the channel and adds password protection.

Most antivirus companies have already added the new Bagle variant to their databases, and their customers should be protected if their software is up to date.
