Fast-Moving Bagle Worms Open PCs’ Backdoors

Two new versions of the venerable Bagle worm are on the loose, infecting PCs and opening backdoors as they go.

The pair are virtually indistinguishable from one another and also are quite similar to most of the other Bagle variants. The main area of concern for enterprises is the fact that both Bagle.BC and Bagle.BD open a backdoor on TCP Port 81 on infected PCs. Both versions were discovered early Friday morning.

Bagle’s success puzzles virus researchers. Read about it here.

Both variants are capable of spreading through peer-to-peer networks, as well as via e-mail. Both arrive in e-mail messages with spoofed sending addresses and one of a handful of meaningless subject lines, such as “Re:” “Re: Hello” or “Re: Thank you.” The bodies of both variants contain just a single emoticon, and the name of the virus-infected attachment is either “Price,” “price” or “Joke.”

Once installed on a user’s machine, the two variants try to download and execute a file from one of several dozen Web sites. And they both attempt to terminate a number of running security-related processes on the machine, according to an analysis of the worms by McAfee Inc., in Santa Clara, Calif.

One key difference between the two is that Bagle.BC also tries to terminate running copies of several of the NetSky worms. And Bagle.BD installs a file named “Wingo.exe” on infected machines.

Bagle.BD seems to be moving more quickly than its older brother.

“It is spreading quickly. We’ve seen quite a few submissions from both our consumer and enterprise customers,” said Stefana Ribaudo, a product manager in Computer Associates International Inc.’s eTrust unit, based in Islandia, N.Y.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer’s Weblog.

When asked to comment on the apparent success the new virus has had, BitDefender Chief Technology Officer Bogdan Dumitru declared: “At this time, I can think of no reason other than deft initial seeding. The author, or authors, must have had a list of vulnerable machines at hand.”

Once the backdoor is opened on Port 81, the worms listen passively for instructions from a remote host. Experts say that the worm likely will try to upload more files to infected PCs at some point in the future.

eWEEK.com Security Center Editor Larry Seltzer contributed to this story.

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com security news feed to your RSS news-reader or My Yahoo page