By Robert Lemos, 18 February 2004 08:55
NEWS A variant of the mass-mailing Bagle virus started spreading Tuesday, as US businesses returned from the long weekend.
Like the original virus, Bagle.B spreads by sending an email message with an attached copy of its code; a PC is infected when the recipient opens the attachment. The virus, which is programmed to stop spreading 25 February, installs software on a person's PC to allow Bagle.B's creator to take control of the computer.
While the current variant of the virus is similar to the original Bagle, it seems to have taken off a bit faster, said Joe Telafici, director of operations for the antivirus and vulnerability emergency response team at security company Network Associates.
"We are seeing a little bit bigger spike with [reports of] the B variants than with the original virus," he said. The first reports of Bagle.B started coming in at 4:30 am PST, he added, but by 7 am, the rate at which customers submitted reports started falling off. "It is already tailing off rapidly," he said.
Network Associates rated the virus a "medium" threat, and rival security company Symantec similarly gave the program a 3 on its 5-point scale for Internet threats. Email security firm MessageLabs said it stopped about 17,000 copies of the attachment in email messages blocked by its service.
Bagle.B, also referred to as Beagle.B by Symantec, appears in an email that may come from someone the victim knows. The email has a subject line of "ID (random number)...Thanks." The virus is attached to the email as an .exe file, which, when opened, will infect the computer.
Like the Sobig viruses, Bagle.B is capable of sending its own email out, which means that it can efficiently create a steady stream of infected messages. The virus also grabs email addresses from various files - including web caches, text files and address books - on a person's computer and uses a randomly selected address in the "from" field of each email it sends.
The virus installs a remote-access program and notifies the author of newly infected PCs by contacting several German websites and submitting the computer's information, Network Associates' Telafici said. He added that it seems likely that the attacker plans to use a computer compromised by the virus to send bulk email.
"I still suspect this is as much spam-related as anything else," he said. "The author is collecting machines that will be used for some future event."
Robert Lemos writes for CNET News.com
In order to post a comment you need to be registered and logged in.
Log in or create your silicon.com account below