Latest Bagle fried by web wrong number

If you want to download malware, it helps if the site is active…

By Robert Lemos, 2 September 2004 09:10

NEWS Another version of the Bagle mass-mailing computer worm started spreading this week, but it likely won't get far, security experts said.

The virus, known both as Bagle.dll.dr and W32.Beagle.AQ, attempts to turn off security software on a victim's PC and then tries to download the majority of its malicious programming from 125 websites. However, the virus has not spread far because many of the websites cannot be contacted.

"For the most part, it's a list of websites that don't work," said Allysa Myers, virus research engineer for security software provider McAfee.

McAfee rated the virus as a low threat, and rival Symantec gave the program a two on its five-point scale of danger. Symantec also confirmed that at least half of the websites listed in the virus' code were not active.

"Overall, this is not one that we are watching to increase dramatically at all," said Alfred Huger, senior director of Symantec's security response group.

The latest incarnation of the Bagle virus is largely a copy of previous versions of the program. The first worm in the Bagle line started infecting computers in January.

Increasingly, computer viruses are used to spread software that surreptitiously uses computers to serve an attacker's purpose. Such "bot" software can be used by spammers and attackers to disrupt access to websites or collect personal financial information.

The latest variant of the Bagle virus arrives as an attachment - called "foto.zip" - to an email message. Opening the Zip archive and running either the HTML file or the program file will infect any Windows computer with the virus, unless the PC is protected by up-to-date antivirus software. If the Bagle virus cannot download any further instructions from the listed Web sites, it will only attempt to turn off security on the PC and copy itself to several folders, including any shared directories.
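The infection path described above (a zip attachment carrying an HTML file and an executable) is the kind of pattern a mail gateway can screen for before anything reaches a user. The following Python is an added illustration, not code from the article, from McAfee or from Symantec: it builds a constructed, harmless archive named like the attachment the article mentions and runs a simple content check over it. The suffix list and the member names are assumptions chosen for the example.

```python
import io
import zipfile

# Assumed list of member types a gateway would treat as risky inside a mail
# attachment: executables, scripts, and HTML/HTA files that can launch code.
RISKY_SUFFIXES = (
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".html", ".htm", ".hta", ".vbs", ".js",
)


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes}. Used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip_attachment(data):
    """Return a list of findings for a zip attachment; an empty list means nothing flagged.

    The archive is only listed, never extracted or executed, so the check is safe
    to run on untrusted input at a gateway.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(RISKY_SUFFIXES):
                findings.append(f"risky member: {name}")
            # Bit 0 of flag_bits marks an encrypted entry; password-protected
            # archives defeat content scanning and are worth flagging on their own.
            if info.flag_bits & 0x1:
                findings.append(f"encrypted member: {name}")
    return findings


def should_quarantine(data):
    """Gateway decision: hold the message if any finding was raised."""
    return bool(inspect_zip_attachment(data))


if __name__ == "__main__":
    # Constructed sample mirroring the article's description: an HTML file plus
    # a program file in one archive. The contents are placeholders, not malware.
    sample = build_sample_zip({
        "foto.html": b"<html><body>placeholder</body></html>",
        "foto.exe": b"MZ placeholder bytes",
        "readme.txt": b"harmless text",
    })
    for finding in inspect_zip_attachment(sample):
        print(finding)
    print("quarantine:", should_quarantine(sample))
```

The check is deliberately coarse: it lists the archive without extracting it, flags members by extension, and treats encrypted entries as suspicious because they cannot be scanned. A real gateway would pair this with signature and reputation checks, but a listing-only rule like this one would have stopped the attachment pattern the article describes without needing a signature for the specific variant.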

However, if it does download the additional instructions, Bagle will send itself out to any email addresses it finds on the PC, skipping any that belong to major software companies, Linux companies and security providers - a tactic that has become a common way to delay detection of such viruses.

The enhanced virus also will open a back door into the victim's computer to create an email relay, which can be used by spammers to route bulk email through the PC.

As security-conscious Internet service providers shut down the malicious and compromised websites, the latest Bagle variant will find it increasingly difficult to spread.

Robert Lemos writes for CNET News.com
