Experts: Spread of agile 'Bagle' worm subsides
By Daniel Sieberg
WHAT IS A WORM?
A program that makes copies of itself -- for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism.
(CNN) -- The swift spread of an e-mail worm that surfaced over the weekend appears to have reached its peak and may be subsiding, computer security experts said Tuesday.
Dubbed "Bagle" or "Beagle," the worm arrives in a message whose subject line simply reads "Hi," with "test : )" in the body. Once a person clicks on the attachment, the worm sends itself to the addresses in the recipient's e-mail address book. The worm also randomly selects a name from the address book to use as a return address in the messages it sends.
Because the worm spoofs a familiar e-mail address, experts said, the person who receives it could be duped into trusting the content.
"Unfortunately there's still ... computer users out there who will click on anything they receive by e-mail," said Chris Belthoff, an analyst at computer security firm Sophos.
Belthoff said when recipients click on the attachment, the virus launches the Windows calculator to disguise the damage it is doing. Behind the scenes, the "Bagle" code also attempts to install a Trojan horse or backdoor program that could allow a hacker to gain remote access to an infected computer.
However, Belthoff said Sophos had received no reports of any overwhelmed networks or hacked computers.
"We're starting to see the activity die down, and we don't expect it to pick up after this," Belthoff said. "But I wouldn't be surprised to see it pick up again in late January or early February."
The "Bagle" virus is coded to expire on January 28, which security experts say is a possible sign that the creator may be using it as a test before sending out more sophisticated variants of it in the future.
Mikko Hypponen, director of anti-virus research at F-Secure, said small companies and private users are most susceptible to "Bagle" since larger corporations would likely be filtering it more effectively.
"Bagle" also attempts to download an unknown program from about 30 Web sites, most of which are hosted in Germany and Russia, Hypponen said.
Mark Sunner, chief technical officer at MessageLabs, said "Bagle" has been reported in more than 130 countries since Sunday.
"Bagle" was first discovered January 18, he said, but because of its basic nature, security experts initially felt it wouldn't spread very rapidly.
Instead, "Bagle" is now being compared to the earlier "SoBig" virus, not because of its destructiveness, but because of its speedy movement online and expiration date, as well as experts' suspicions that it could be connected to spammers.
Spammers are increasingly using viruses to steal e-mail addresses, take over computers to send more spam or attack anti-spam sites, said F-Secure's Hypponen.
If someone suspects they may have been infected with "Bagle," experts recommend doing a virus scan and updating any security software.