Latest Bagle mutant on the rampage

Security experts have today warned of a newly discovered Bagle mutant which is spreading in the wild from several countries.

Bagle.AY is similar to Bagle.AX in that it is polymorphic and arrives in emails with variable subjects and attachments. It also has peer-to-peer spreading capabilities.

Security firm F-Secure has warned that the worm also contains a backdoor that listens on TCP port 81. This password-protected backdoor code allows a hacker to connect to an infected computer and execute arbitrary programs.

Infected computers are reported to the worm's author by accessing several predefined URLs. Once installed on a compromised PC the worm tries to download and execute a file from this list of locations.

Bagle.AY also terminates security processes and antivirus software as well as some other applications.

The worm arrives in email as a packed executable, and can also spread with a Windows Control Panel Applet 'stub', a small program routine that substitutes for a longer program.

Somewhat oddly the worm has been programmed to cease its activity on 25 April 2006, so if a PC's system date is 25 April 2006 the worm uninstalls itself by deleting its start-up key in the Registry and terminating its own process.

When the worm's file is run, it copies itself as 'sysformat.exe' to Windows System folder and creates a start-up key for this file in the Registry. The worm creates two more files in Windows System folder: 'sysformat.exeopen' and 'sysformat.exeopenopen'.

These files are used when the worm spreads itself in emails. Bagle.AY scans the hard drive to collect email addresses of possible victims, but specifically excludes any addresses associated with antivirus and security companies.

The worm is particularly difficult to detect as it spreads itself in emails with randomly chosen subject lines, mail bodies and attachment names.

F-Secure noted that the worm can attach itself to emails as an executable file with com, exe, scr and cpl extensions.

Bagle.AY uses the following text strings as subjects for infected emails that it sends:

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Message bodies are randomly chosen from a predefined list:

Thanks for use of our software
Before use read the help

Attachment names can be one of the following with exe, scr, com, and cpl extensions:

wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03

"When spreading as a Windows Control Panel Applet file, the worm adds a small binary dropper to its executable file," said F-Secure.

"When the CPL file is activated, it copies itself as 'cjector.exe' file to Windows folder and then drops the worm's file into Windows System folder."