New Bagles Stir Firms To Bump Up Warnings
"So far 2005 has been fairly quiet in terms of brand new virus outbreaks," said Graham Cluley, a senior technology consultant for Sophos in a statement. "And if everyone applied computer security common sense it would help keep it that way."
The newest variations -- which because of the large number of Bagles sport a bewildering array of names depending on the anti-virus vendor -- are relatively standard copies of the long-running worm family. Bagle.ax and Bagle.ay (the two most common monikers for the worms) come disguised as e-mail delivery error messages to entice users to open the attached file, spread via peer-to-peer and network file sharing, disable numerous anti-virus and firewall products (including Windows XP SP2's Security Center and that OS's on-by-default firewall), and retrieve a backdoor component from one of a large number of remote Web servers.
Vendors such as McAfee, Panda Software, Trend Micro, and F-Secure bumped up their alert ratings Thursday to "medium" because of the worms' quick spread. This is the first time, for instance, that either McAfee or Trend Micro have assigned that ranking to a worm or virus in 2005.
According to Trend Micro's analysis, the newest of the two, Bagle.ay, also opens TCP port 81 to listen for commands from the attacker, and -- believe it or not -- still takes pot shots at 2004's Netsky worm.
Nearly a year ago, the Netsky and Bagle authors played a tit-for-tat game where each new version of their worms tried to eradicate the other. Bagle.ay keeps up the habit by deleting several Windows registry keys that Netsky plants, and preventing future Netsky infections from running.
By mid-morning Thursday (PT) all the major anti-virus firms have posted virus signature updates to take into account both Bagles.