NEWS FROM THE LAB - Tuesday, March 1, 2005

Clearing up the Bagle mess Posted by Mikko @ 14:31 GMT

Let's try to clear up the messy situation with today's Bagle-related malware.

We were baffled in the morning about the invasion of the Bagle-related downloaders that wouldn't replicate. There were several different versions of these downloaders, all of which were polling a long list of websites for a mystery program to download and run (we're still monitoring these sites constantly to see what will happen).

Then we figured out what was going on: there are at least two new variants of the Bagle worm going around too. One feature of these new variants is to use infected computers to seed out emails with the downloader program as an attachment. So in addition to sending out emails with the virus, they send out emails with a downloader that won't spread further. Lots of them.

So far, we've seen 4 different downloaders and 2 different Bagles...most likely there are two more Bagles out there that we haven't found yet. We're detecting most of the Bagles of this type generically as Bagle.pac.

There's something else too. These new Bagle variants are using a client / server architecture to spread further. What? A Client / Server virus? Yup.

Normally Bagle variants search the local hard drive to find email addresses to send itself to. These new variants connect to a web back-end instead. The back-end server returns 50 unique email addresses that it generates using directory harvest techniques. The virus then sends a copy of itself to those addresses and repeats the cycle.

A typical list of addresses returned by the server looks like this:


This back-end server is being hosted on a hacked page at oceancareers.com. We've sent them an abuse message about this and hopefully the service will shut down soon.
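The two behaviours described above (downloaders polling a long list of websites, and the worm pulling batches of 50 addresses from a web back-end) both leave a recognisable trace in proxy or gateway logs. The following is an added illustration, not code from the lab or from the malware: it runs two simple heuristics over constructed proxy records (client, host, response body) and flags clients that receive address-list responses and clients that poll an unusually large number of distinct hosts. Thresholds, field layout and the sample data are assumptions.

```python
import re
from collections import defaultdict

# One line = one email address is what an address feed looks like.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def address_list_ratio(body):
    """Return (number of address lines, fraction of non-empty lines that are addresses)."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        return 0, 0.0
    hits = sum(1 for ln in lines if EMAIL_RE.match(ln))
    return hits, hits / len(lines)


def find_address_feeds(records, min_addresses=20, min_ratio=0.9):
    """Clients whose fetched response bodies are essentially lists of email addresses.

    A web page that is nothing but dozens of addresses is rare for a normal browser
    and matches the back-end behaviour described in the post."""
    flagged = defaultdict(list)
    for client, host, body in records:
        count, ratio = address_list_ratio(body)
        if count >= min_addresses and ratio >= min_ratio:
            flagged[client].append((host, count))
    return dict(flagged)


def find_polling_clients(records, min_hosts=10):
    """Clients that contact many distinct hosts, the downloader's polling pattern."""
    hosts = defaultdict(set)
    for client, host, _ in records:
        hosts[client].add(host)
    return {c: len(h) for c, h in hosts.items() if len(h) >= min_hosts}


# Constructed sample records (hypothetical addresses and hosts, not real traffic).
FEED_BODY = "\n".join(f"user{i}@example.invalid" for i in range(50))
SAMPLE = [
    ("10.0.0.5", "backend.example.invalid", FEED_BODY),      # worm fetching addresses
    ("10.0.0.5", "mail.example.invalid", "250 OK"),
    ("10.0.0.9", "news.example.invalid", "<html>hello</html>"),  # ordinary browsing
]
SAMPLE += [("10.0.0.7", f"site{i}.example.invalid", "404 Not Found") for i in range(12)]

if __name__ == "__main__":
    print("address feeds:", find_address_feeds(SAMPLE))
    print("polling clients:", find_polling_clients(SAMPLE))
```

Tune the thresholds to your own baseline; a mailing-list archive or a directory page can legitimately return many addresses, so treat a hit as a lead to investigate rather than a verdict.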

Update at 16:18 GMT: We just got confirmation from Hosting 4 Less that the site has been taken offline. Great!