The mass-mailing computer virus, dubbed Bagle.AF or Beagle.AB by different security firms, opens a path for intruders to relay bulk email messages through the infected computer and attempts to contact one of almost 150 compromised German Web sites to let the attackers know of their latest conquest.
"It certainly is successful," said Oliver Friedrichs, senior manager for antivirus firm Symantec's security response centre. "It is definitely comparable to threats that we saw earlier this year such as MyDoom."
Symantec raised the virus to a threat rating of three on its five-point scale, while rival antivirus firm McAfee -- formerly Network Associates -- gave the program a medium danger rating.
The latest incarnation of the Bagle virus is largely a copy of previous versions of the program, Friedrichs said. The first worm in the Bagle line started infecting computers in January.
Bagle.AF arrives in email as an attached file and infects computers running the Windows operating system if the user opens the file. The program attempts to stop more than 250 security applications from running on the computer, mails itself to any email address it can find on the computer, and contacts one of 141 German Web sites, twice the number that a previous version of the virus contacted. These diverse Web sites have probably been compromised by online vandals, who left behind software to record which computers have been infected by the Bagle worm.
With that information, the vandals can use the compromised computers to spread spam, or sell the information to spammers, Friedrichs said. The virus leaves open a backdoor specifically for that purpose.
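The behaviour described above, a host that suddenly mails executable attachments to a large number of distinct recipients, is visible at the mail gateway before any signature for the new variant exists. The following is an added example, not code from the article or from Symantec or McAfee: a sliding-window heuristic run over constructed, simplified gateway log records (timestamp, client IP, sender, recipient, attachment name). The thresholds, the log format and the list of "executable-type" extensions are assumptions for the example; the article does not state which extensions Bagle.AF used. It deliberately includes a legitimate newsletter host, which mails many recipients but no executables and must not be flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Attachment extensions treated as executable-type. Assumption for this example;
# tune to what your gateway actually sees.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cpl", ".zip"}

# Assumed simplified log format: "<iso-timestamp> <client-ip> <sender> <recipient> <attachment>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<sender>\S+) (?P<rcpt>\S+) (?P<attachment>\S+)$"
)


def parse_line(line):
    """Parse one log record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_exec_attachment(name):
    return any(name.lower().endswith(ext) for ext in EXEC_EXTENSIONS)


def find_mass_mailers(lines, window=timedelta(minutes=10), min_recipients=20, min_exec=10):
    """Flag client IPs that, within one time window, mail executable-type attachments
    to many distinct recipients. Both conditions must hold: volume alone is not enough."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        rcpt_counts = defaultdict(int)  # distinct recipients currently inside the window
        exec_count = 0                   # executable attachments currently inside the window
        for rec in recs:
            rcpt_counts[rec["rcpt"]] += 1
            if is_exec_attachment(rec["attachment"]):
                exec_count += 1
            # Slide the window start forward until every record inside it is recent enough.
            while rec["ts"] - recs[start]["ts"] > window:
                old = recs[start]
                rcpt_counts[old["rcpt"]] -= 1
                if rcpt_counts[old["rcpt"]] == 0:
                    del rcpt_counts[old["rcpt"]]
                if is_exec_attachment(old["attachment"]):
                    exec_count -= 1
                start += 1
            if len(rcpt_counts) >= min_recipients and exec_count >= min_exec:
                flagged[ip] = {
                    "distinct_recipients": len(rcpt_counts),
                    "exec_attachments": exec_count,
                    "window_start": recs[start]["ts"],
                    "window_end": rec["ts"],
                }
                break  # first hit is enough to raise the alert for this host
    return flagged


def build_sample_log():
    """Constructed sample records for this example; not real traffic."""
    base = datetime(2004, 7, 20, 10, 0, 0)
    lines = []
    # Infected host: 30 distinct recipients in 90 seconds, executable attachments, rotating spoofed senders.
    for i in range(30):
        ts = base + timedelta(seconds=3 * i)
        attachment = ["document.exe", "info.zip", "price.scr"][i % 3]
        lines.append(f"{ts.isoformat()} 192.0.2.77 user{i % 7}@example.net target{i}@example.org {attachment}")
    # Legitimate newsletter: many recipients, but only PDF attachments.
    for i in range(30):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.50 news@example.net reader{i}@example.org july.pdf")
    # Ordinary user: a handful of messages spread over an hour.
    for i in range(5):
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 alice@example.net bob{i % 2}@example.org report.pdf")
    return lines


if __name__ == "__main__":
    for ip, info in find_mass_mailers(build_sample_log()).items():
        print(ip, info)
```

Only the infected host trips both thresholds; the newsletter host reaches the recipient count but never the executable count, and the ordinary user reaches neither. In practice the alert would feed a block on outbound port 25 from that host, which also cuts off the spam relay the worm's backdoor is meant to provide.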
Increasingly, computer viruses are used to spread software that surreptitiously converts computers to an attacker's purpose. Such "bot" software can be used by spammers and more dangerous online denizens to disrupt access to Web sites or collect personal financial information.
And while the latest Bagle worm uses an old method of spreading itself, it's still effective. Symantec has had almost 175 reports of infections, Friedrichs said.
"I think what we are seeing is that these threats will continue to be successful because people are continuing to trust attachments and continuing to click on them," he said. "Really, the human factor is the weakest link that is allowing these worms to be so successful."
Talkback
Robert Lemos writes that the latest Bagle worm uses an old method of spreading itself, but it's still effective. This is precisely the point made by SecureWave CEO Gerard Lopez when he challenges the AV vendors, stating that AV methods are now outmoded because they only protect against the last known attack. SecureWave advocates a solution that sits in the kernel of the operating system, scans the binary code and prevents malware from executing on the system. So even if you think the Bagle attachment is from a trusted source and you click on it, it cannot execute on the system if the kernel solution does not recognise it as acceptable code.
Gerard Lopez would agree that the human factor is allowing these worms to be successful, but we can combat this by placing a security solution within the computer operating system itself and only allowing what is known and authorised to run on it and preventing everything else.
In this "white list" model, only specific applications may be run by certain users, nothing else; only specific external devices can connect and store data, nothing else!
End users can't be expected to disable unused ports and services. In fact, most wouldn't have a clue about the volume of TCP and UDP ports available on their machines. By running seemingly innocuous applications, users can unwittingly open the door for crackers and viruses. By applying a white list you can prevent users from launching unauthorised software and prohibit the running of all executable files that may carry viruses, trojans and worms or "backdoor" programmes such as spyware.
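The "white list" model the post describes comes down to a default-deny decision made on the content of the binary, not on its file name, with per-user authorisation on top. The following is an added example, not code from the Talkback post or from SecureWave's product: a user-space model of that policy using SHA-256 digests, with constructed byte strings standing in for executables. The user names and the idea of an `ANY_USER` wildcard are assumptions for the example. A real enforcement point would sit in the kernel's execute path, but the decision logic is the same, and the cases worth checking are a renamed attachment, a tampered copy of an approved binary, and a tool approved for one user only.

```python
import hashlib

ANY_USER = "*"  # assumed wildcard meaning "authorised for every user"


def sha256_hex(data):
    """Content digest used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


class ExecPolicy:
    """Default-deny execution policy: a binary runs only if its digest was
    explicitly authorised for the requesting user (or for ANY_USER)."""

    def __init__(self):
        self._allowed = {}  # digest -> set of users

    def authorise(self, data, users):
        self._allowed.setdefault(sha256_hex(data), set()).update(users)

    def check(self, user, filename, data):
        """Return (allowed, reason). The filename is only reported, never trusted."""
        digest = sha256_hex(data)
        users = self._allowed.get(digest)
        if users is None:
            return False, f"deny {filename}: unknown binary {digest[:12]}"
        if ANY_USER in users or user in users:
            return True, f"allow {filename} for {user}"
        return False, f"deny {filename}: not authorised for {user}"


def build_demo_policy():
    """Constructed binaries and policy for this example; not real software."""
    editor = b"MZ\x90\x00editor-v1"          # approved for everyone
    admin_tool = b"MZ\x90\x00net-admin-tool" # approved for the admin account only
    policy = ExecPolicy()
    policy.authorise(editor, {ANY_USER})
    policy.authorise(admin_tool, {"admin"})
    return policy, editor, admin_tool


def run_scenarios():
    """Exercise the cases a practitioner cares about; return {case: allowed}."""
    policy, editor, admin_tool = build_demo_policy()
    attachment = b"MZ\x90\x00mass-mailer"      # constructed stand-in for a worm attachment
    tampered_editor = editor[:-1] + b"2"     # one byte changed in an approved binary
    return {
        "editor_as_alice": policy.check("alice", "editor.exe", editor)[0],
        "attachment_as_alice": policy.check("alice", "photo.exe", attachment)[0],
        # Same worm bytes under the approved program's name: still denied.
        "attachment_renamed": policy.check("alice", "editor.exe", attachment)[0],
        "tampered_editor": policy.check("alice", "editor.exe", tampered_editor)[0],
        "admin_tool_as_alice": policy.check("alice", "admintool.exe", admin_tool)[0],
        "admin_tool_as_admin": policy.check("admin", "admintool.exe", admin_tool)[0],
    }


if __name__ == "__main__":
    for case, allowed in run_scenarios().items():
        print(f"{case:22s} -> {'ALLOW' if allowed else 'DENY'}")
```

The cost of this model is the one the post does not mention: every legitimate update changes the digest, so the allow list has to be maintained alongside patching, or the tampered-binary case and the routine-update case become indistinguishable to the policy.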
If anyone got this worm, I would appreciate it if they could send it to me at 'zgadot1@yahoo.com' for research purposes.