Ha, ha you're infected

New Bagle worm poses as 'joke' message

A new version of the infamous Bagle worm series is spreading widely across the net.

Bagle-AS (AKA Bagle-AZ) normally arrives in emails with a price or joke-related (infected) attachments with exe, cpl, scr or com extensions. Subject lines are picked one of a series of innocuous greetings such as Re: Hello, Re: Thank you! or Re: Hi. Open these on a vulnerable Windows box and you get the pox.

The worm scours the hard disk of infected PCs for the email addresses of potential victims. In common with its siblings, Bagle-AS bulk-mails copies of itself to target addresses using its own SMTP (simple Mail Transfer Protocol) engine. The From: lines of these messages are spoofed.

Bagle-AS also spreads via P2P networks, such as Kazaa, by secreting copies of itself on the shared folders of infected PCs. The worm also tries to disable a range of security applications, along with any instances of the NetSky worm it finds on infected machines.

As with previous variants, Bagle-AS contains a backdoor that enables virus writers or their associates to control infected machines. Bagle-AS is a Windows-only risk. Most AV vendors rate Bagle-AS as a medium category nuisance. Standard precautions apply (vigilance about unsolicited messages, updating AV protection, tin-foil hats etc.) ®

Related stories

P-cube goes hunting for zombie PCs
Sasser author gets IT security job
New Bagle worm drops in and downloads
Price isn't right for new Bagle variant

Sponsored: Designing and building an open ITOA architecture