Fast-Moving Bagle Worms Open PCs' Backdoors
By Dennis Fisher | Posted 2004-10-29
Two new variants of the Bagle worm are spreading quickly, infecting PCs and opening backdoors.
Two new versions of the venerable Bagle worm are on the loose, infecting PCs and opening backdoors as they go.
The pair are virtually indistinguishable from one another and also are quite similar to most of the other Bagle variants. The main area of concern for enterprises is the fact that both Bagle.BC and Bagle.BD open a backdoor on TCP Port 81 on infected PCs. Both versions were discovered early Friday morning.
One key difference between the two is that Bagle.BC also tries to terminate running copies of several of the NetSky worms. And Bagle.BD installs a file named "Wingo.exe" on infected machines.
Bagle.BD seems to be moving more quickly than its older brother.
"It is spreading quickly. We've seen quite a few submissions from both our consumer and enterprise customers," said Stefana Ribaudo, a product manager in Computer Associates International Inc.'s eTrust unit, based in Islandia, N.Y.
When asked to comment on the apparent success the new virus has had, BitDefender Chief Technology Officer Bogdan Dumitru declared: "At this time, I can think of no reason other than deft initial seeding. The author, or authors, must have had a list of vulnerable machines at hand."
Once the backdoor is opened on Port 81, the worms listen passively for instructions from a remote host. Experts say that the worm likely will try to upload more files to infected PCs at some point in the future.
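A host check for the listener described above, as an added example that is not part of the original article: it scans Windows `netstat -ano` output for TCP sockets in the LISTENING state on port 81. The sample output, PIDs and function name are constructed for illustration.

```python
import re

BACKDOOR_PORT = 81  # TCP port the article says Bagle.BC and Bagle.BD open

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3100
  TCP    192.168.1.20:49712     203.0.113.9:81         ESTABLISHED     1500
  TCP    [::]:81                [::]:0                 LISTENING       2044
  UDP    0.0.0.0:81             *:*                                    640
"""

# Proto, local address:port, foreign address, LISTENING state, owning PID.
# Anchoring on "TCP" and "LISTENING" excludes UDP rows and outbound
# connections whose *remote* port happens to be 81.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def find_listeners(netstat_text, port=BACKDOOR_PORT):
    """Return sorted (local_address, pid) pairs for TCP listeners on `port`."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        # Compare the port as an integer so 8081 or 810 never match 81.
        if m and int(m.group(2)) == port:
            hits.add((m.group(1), int(m.group(3))))
    return sorted(hits)


if __name__ == "__main__":
    for addr, pid in find_listeners(SAMPLE_NETSTAT):
        print(f"TCP listener on {addr}:{BACKDOOR_PORT} owned by PID {pid}")
```

A listener on port 81 is a lead rather than proof of infection, since some legitimate services use it as an alternate web port; the owning PID is what to examine next.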
eWEEK.com Security Center Editor Larry Seltzer contributed to this story.