A new variant of the Bagle worm is spreading more quickly than anticipated, infecting computers in Brazil, Canada, France, the Netherlands, Taiwan and the United States.
According to McAfee, the industry leader in antivirus software, the majority of infections occurred among home users, not in corporate networks. After receiving more than 150 reports of the variant — a mass-mailing worm that comes in the form of a Zip file — McAfee raised its threat level to medium.
Beware Zip Files
The new variant, known as Bagle.aq, collects addresses from e-mail software on the infected computer and places them in the ‘From’ field when it sends itself. The message with the spoofed address therefore appears to be from a legitimate user. Attached to the message is a Zip file containing an HTML and an EXE file.
On unprotected systems, the HTML file will automatically run the EXE file, which is a downloader trojan. The trojan then contacts remote web sites to retrieve the worm itself.
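A mail gateway or mailbox scanner can flag the attachment layout described above without opening anything. The following is an added example, not code from McAfee or from the article: it inspects a Zip attachment in memory and marks it suspicious when an HTML file sits alongside an executable. The function names, the extension list, the 'MZ' header check and the sample file names are assumptions made for illustration.

```python
import io
import zipfile

HTML_EXT = (".htm", ".html")   # assumed extension list; the article only says "HTML"

def is_executable(zf, info):
    """True if the entry is named .exe or starts with the DOS/PE 'MZ' magic."""
    if info.filename.lower().endswith(".exe"):
        return True
    if info.flag_bits & 0x1:          # encrypted entry: content cannot be read
        return False
    try:
        with zf.open(info) as fh:
            return fh.read(2) == b"MZ"
    except Exception:                 # corrupt entry: treat as unreadable
        return False

def triage_zip(data):
    """Classify a ZIP attachment by its contents, without extracting to disk."""
    report = {"valid_zip": False, "html": [], "exe": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report                 # caller decides policy for malformed archives
    report["valid_zip"] = True
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_executable(zf, info):
                report["exe"].append(info.filename)
            elif info.filename.lower().endswith(HTML_EXT):
                report["html"].append(info.filename)
    # The combination the article describes: an HTML file alongside an executable.
    report["suspicious"] = bool(report["html"] and report["exe"])
    return report

def make_zip(files):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: harmless placeholder bytes, not real worm content.
    sample = make_zip({"page.html": b"<html></html>", "loader.exe": b"MZ\x90\x00"})
    print(triage_zip(sample))
```

Because the sender address is spoofed, the check keys on the archive contents rather than on who the message claims to be from.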
According to McAfee, the variant includes a remote access component that sends out a notification and copies itself to folders that have ‘shar’ in the name, such as peer-to-peer (P2P) applications Kazaa, Bearshare and Limewire. This component allows the virus to spread over P2P networks.
Bagle Does Windows
Like older variants of Bagle, the new worm contains a backdoor that allows the virus’s author to control infected machines.
The Bagle variant infects systems running Windows 2000, 95, 98, Me, NT and XP. It does not affect systems running DOS, Linux, the Macintosh operating system, Novell Netware, OS/2, UNIX, or Windows 3.x.
Analysts recommend the usual steps: Don’t open unsolicited attachments, even when they appear to come from people you know; update antivirus tools; and update Explorer with the latest patches.