New Bagle Variants on the Loose

On October 29, 2004, MessageLabs, the leading provider of managed email security services to businesses worldwide, intercepted several copies of two new variants of the well-known Bagle family of viruses.

While investigations are continuing, the new variants are polymorphic, multi-stage viruses that harvest email addresses, spread by mass-mailing, copy themselves to folders commonly used by peer-to-peer applications in an additional attempt to propagate, install a remote access component listening on TCP port 81, and attempt to download files from a website.

Name: W32/Bagle.BA@MM and W32/Bagle.BB@MM
Number of copies intercepted so far: 887,000+
Time & Date first Captured: 29 October, 2004, 7:00 am GMT

Of the two, referred to as Bagle.BA and Bagle.BB, one tries to block the Netsky virus on the computers it infects.

Both harvest addresses from local files and use those addresses in the "From" field when sending themselves. Recipients then receive a bogus e-mail with a spoofed sender address that may appear to come from a legitimate friend, associate or family member; the sender address therefore says nothing about which machine is actually infected.

The spoofed subject header will contain greetings such as "Hello", "Thank you!" and "Thanks : )", and the viruses spread when email attachments named "price", "Price" or "Joke" are opened.

Once executed, the viruses copy themselves to the Windows system directory and open TCP port 81 as a means of remote access to the compromised machine.
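A quick host check for the listener described above, added here as an example (it is not code from the MessageLabs alert). It parses `netstat -ano` output as printed on Windows and reports every process with a TCP socket in LISTENING state on port 81, so the PID can be compared with whatever was dropped into the system directory. The netstat lines are constructed for the example; the PIDs and addresses are made up.

```python
"""Host triage check for the Bagle.BA/BB remote-access listener on TCP port 81.

Added example, not code from the MessageLabs alert. Parses `netstat -ano`
(Windows) output and returns (bind address, PID) for each TCP listener on
the port of interest.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` output; PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.23:1045      10.0.0.9:80            ESTABLISHED     2212
  TCP    127.0.0.1:81           127.0.0.1:1050         ESTABLISHED     1640
  UDP    0.0.0.0:445            *:*                                    4
"""

# One netstat row. The State column is absent for UDP rows, so it is optional.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn netstat text into row dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        # rpartition keeps IPv6 forms such as [::]:81 intact.
        host, _, port = row["laddr"].rpartition(":")
        row["lhost"] = host
        row["lport"] = int(port)
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def find_tcp_listeners(text: str, port: int = 81) -> List[Tuple[str, int]]:
    """(bind address, PID) for every TCP socket in LISTENING state on `port`.

    Only LISTENING sockets count: an ESTABLISHED connection on port 81 is a
    client talking to the listener, not the listener itself.
    """
    return [
        (r["lhost"], r["pid"])
        for r in parse_netstat(text)
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["lport"] == port
    ]


if __name__ == "__main__":
    for host, pid in find_tcp_listeners(SAMPLE_NETSTAT):
        print(f"TCP listener on {host}:81 owned by PID {pid}")
```

A listener on port 81 by itself is not proof of infection (some legitimate web servers are bound there), so treat the PID as a lead and look at the image path behind it rather than acting on the port alone.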

Once installed on a user's machine, the two variants try to download and execute a file from one of several dozen websites. Both also attempt to terminate a number of running security-related processes on the machine.

One key difference between the two is that Bagle.BB also tries to terminate running copies of several of the Netsky worms, while Bagle.BA installs a file named "Wingo.exe" on infected machines.

The authors of the Bagle and Netsky variants have taken to taunting each other in the worms' software code. The Bagle virus also tries to disable antivirus software loaded on people's computers.

The most recent versions of the Bagle virus belong to a long list of variants of the virus, which began infecting computers in January 2004.

The pair is virtually indistinguishable from one another and is similar to most of the other Bagle variants. Both versions were discovered early Friday morning.

Email Characteristics

Subject: Various, including:

• "Hello"
• "Thank you!"
• "Thanks : )”

Body Text: Various, including:

• : )
• : ))

Attachment name: Various, including:

• "price"
• "Price"
• "Joke”

Size: Various
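The characteristics above turned into a gateway triage rule, added here as an example and not code from the MessageLabs alert. The rule only flags a message when one of the listed attachment names is combined with a listed subject or body, because the greetings alone are far too common to block on, and it ignores the From address entirely, since the worm fills it from harvested addresses. The sample messages are constructed in the block; the ".exe" extension on one attachment is an assumption, as the alert gives only the base names.

```python
"""Mail-gateway triage rule for the Bagle.BA/BB email characteristics.

Added example, not code from the MessageLabs alert. Sample messages are
constructed below; the ".exe" attachment extension is an assumption.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Indicators as the alert lists them. Attachment names are compared
# case-sensitively because "price" and "Price" are listed separately.
SUBJECTS = {"Hello", "Thank you!", "Thanks : )"}
BODIES = {": )", ": ))"}
ATTACHMENT_NAMES = {"price", "Price", "Joke"}


def indicators(msg: EmailMessage) -> List[str]:
    """Return the indicators a parsed message matches, as 'field:value' strings."""
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content().strip()
        if text in BODIES:
            hits.append(f"body:{text}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        base = name.rsplit(".", 1)[0] if "." in name else name
        if base in ATTACHMENT_NAMES:
            hits.append(f"attachment:{name}")
    return hits


def is_suspect(msg: EmailMessage) -> bool:
    """Flag only when a listed attachment name is paired with a listed
    subject or body. The From header is deliberately not consulted: the
    worm spoofs it from harvested addresses."""
    hits = indicators(msg)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    has_text = any(not h.startswith("attachment:") for h in hits)
    return has_attachment and has_text


def build_raw(sender: str, subject: str, body: str,
              attachment: Optional[str] = None) -> bytes:
    """Construct a raw RFC 5322 message (test fixture, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: two that match the worm's pattern, two that must not.
SAMPLES: Dict[str, bytes] = {
    "bagle_like": build_raw("friend@example.org", "Hello", ": )", "price.exe"),
    "joke_no_ext": build_raw("mum@example.org", "Thanks : )", ": ))", "Joke"),
    "greeting_only": build_raw("boss@example.org", "Thank you!", ": )"),
    "normal_attachment": build_raw("alice@example.org", "Hello",
                                   "Minutes attached.", "minutes.pdf"),
}


def indicators_for(raw: bytes) -> List[str]:
    """Parse a raw message the way a gateway would and list its indicators."""
    return indicators(email.message_from_bytes(raw, policy=policy.default))


def triage(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Apply the rule to every raw sample; True means quarantine for review."""
    return {
        name: is_suspect(email.message_from_bytes(raw, policy=policy.default))
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:18s} suspect={verdict} {indicators_for(SAMPLES[name])}")
```

The rule is intentionally narrow: it catches the combinations the alert describes and nothing broader, so a genuine "Hello" from a colleague with a PDF attached passes while "Hello" with ": )" and an attachment called "price" is held for inspection.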

MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.


Good call.

The BBC website mentions this as well, but most virus checkers should be trapping this now.

A number of users had received e-mail initially where the Force9 e-mail anti-virus checker didn't pick this up.