New Bagle Falls Flat After Big Spam Seeding

Like a previous variant of three weeks ago, the newest Bagle " labeled with a bewildering variety of names by anti-virus firms, including,, Troj/BagleDI-A, and " doesn't actually deliver its payload with the initial e-mail message, but instead downloads it from a long list of Web sites.

The attached .zip file " named or " contains an HTML file that attempts to exploit a vulnerability in Microsoft's Internet Explorer. If the .zip file is opened, the worm installs a copy of itself, then tries to connect to one of 131 Web sites to download a backdoor component that would give the attacker control of the PC as well as the mass mailing code to spread the worm to other machines.

"The outbreak yesterday was very spam like," said Ken Dunham, director of malicious code research for iDefense. "There were just one or two instances at first, and then in a 30-minute window, huge quantities appeared." That characteristic, said Dunham, is indicative of an attacker "seeding" the worm through a major spam mailing.

"The fact that there were 11,000 interceptions [of the worm] in the first hour [by anti-virus firms] makes me think it was a significant seeding of 20,000 to 30,000. And that's a conservative estimate."

Sponsored post

The widespread spamming led analysts to believe that the attacker used a sizable bot network of previously-infected machines to send out the worm. "We're thinking that the author might have control of an [bot] army," said Craig Schmugar, virus research manager at McAfee.

Fortunately for end users who did open the bogus message " which came with the heading "foto" " none of the 131 Web sites intended to host the second-stage components actually had the malicious code.

The code might have been posted earlier, but removed by the Web sites, or it may have not been on the sites to begin with. "Clearly, a bunch of these sites are decoys," said Schmugar.

It's also possible, added Dunham, that the attacker means to put the additional components on the sites later, once the dust settles. "But that's just supposition at this point. We haven't seen that taking place."

Many of the sites are based in Eastern Europe. Their geographic diversity and sheer number, said Dunham, could have made it difficult to get them all shut down in short order had they actually hosted code for Bagle. "The technique has been proven to be effective," he said. "When there are only three or four sites the worm contacts, those can be rapidly shut down. But when you have a list from multiple ISPs and across time zones, it's hard to even get the contact information in a short period to have the sites shut down."

The worm also has other Bagle traits, including copying itself to peer-to-peer network folders with enticing filenames such as Microsoft Office 2003 Crack and Porno Screensaver. It also tries to terminate more than 20 anti-virus updating services and firewall programs.

Among the latter, said U.K.-based Sophos, is Windows XP Service Pack 2's firewall, which is enabled by default in the update. "Just because you're running the latest version of Windows XP you shouldn't think you are necessarily protected from this," said Graham Cluley, senior technology consultant for Sophos, in a statement. "If you launch it on a PC running Windows XP SP2 it can turn off your firewall, opening the door to hackers and other internet attacks." The danger from the newest Bagle, said analysts, is minimal because of the breakdown between spamming and downloading the second stages from the 131 sites. "Quirky" is how Schmugar described the worm and its author's tactics. "We've tagged it as low since the Trojan didn't have anything to download."

iDefense's Dunham also had a low opinion of the worm and its creator. "This looks like the work of a younger attacker, a "script kiddie" kind of attacker who is just cutting his teeth on criminal activity.

This story courtesy of TechWeb .