March 26, 2004, 11:00 AM — Antivirus software companies are again warning e-mail users about a new version of the popular Bagel virus, which is spreading on the Internet through infected e-mail messages and targeting machines running the Microsoft Corp. Windows operating system.
Bagle.U is the 21st version of an e-mail worm that first appeared in January. Unlike earlier versions of the worm, the new variant eschews tricky subject lines or enticing messages, hiding in a file attachment to otherwise blank e-mail messages. Once opened, Bagle.U opens a back door to infected systems, mails copies of itself to e-mail addresses it steals from the user's computer and even launches the Windows Hearts card game, antivirus companies said.
Thousands of copies of the new Bagle variant was first spotted on Friday, following what is believed to be an initial e-mail "seeding" of the virus, according to iDefense Inc., an information technology (IT) security services company in Reston, Virginia.
Citing the number of infected e-mails, Network Associates Inc.'s Antivirus Emergency Response Team (AVERT) rated Bagle.U a "medium" threat. Antivirus company F-Secure Corp. of Helsinki rated the latest version of Bagle a "level 2" threat, indicating "large infections," F-Secure said.
As with earlier versions of the Bagle worm, the virus code is contained in an executable (.exe) format file with a randomly generated name. Users must double click on the file to open it. Also, many organizations block e-mail containing executable files from reaching users' inboxes.
Once launched, the Bagle worm installs itself on Windows systems, begins listening for instructions on communications port 4751 and connects to a Web site in Germany to report the identity of the infected machine to the worm's author, F-Secure reported.
Bagle is one of a series of worm families that have been plaguing e-mail users in recent months. New versions of Bagle, as well as MyDoom and Netsky have been surfacing on an almost daily basis since January, prompting a frenzy of activity among antivirus researchers who must identify and develop antidotes for each new variant.
Experts are at a loss to explain the recent proliferation of worms, though some have cited an apparent "war" between the authors of the Bagle and Netsky worms as the motivation for the release of many of the variants.
The latest is programmed to stop spreading on Jan. 1, 2005. However, at least one antivirus expert expects many new versions of Bagle to be released in the coming weeks.
"Bagle.U will not be the last Bagle worm we see. Get ready to re-learn your ABCs as we head into the AA-Z series of Bagle worms," said Ken Dunham, director of malicious code at iDefense in an e-mail statement.
Multiple, contemporary variants of the same malicious code will help the latest worms succeed in the wild, Dunham said.