New Bagle virus declares cyber war

IT security experts have warned that a newly intercepted mutant of the infamous mass-mailing Bagle worm, dubbed Bagle.bb, has begun to spread rapidly across the internet.

Over one million email infections were reported within a few hours of the virus being discovered in the wild on Friday morning. The peak infection rate was between 8am and 9am, when virus infection rates trebled from the hour previously, according to email security company BlackSpider Technologies.

This latest Bagle variant, a mass-mailing worm containing its own SMTP engine, comes packed with PeX with the attachment in the executable of a name, McAfee's Avert antivirus team warned.

Bagle.bb harvests addresses from local files and uses them in the 'From' field to send itself. This produces a message with a spoofed 'From' address. The attachment comes in the form of an executable and opens TCP port 81 for remote access of the user's computer.

According to Avert, users should be very wary and delete any email containing the following:

From: [spoofed address]

Subject:
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi

Message Body:
:)
:))

Attachment: The attachment is an executable of name:
Price
Joke

After being executed, Bagle.bb copies itself into the Windows System directory (C:\WINNT\SYSTEM32\WINGO.EXE). The following Registry key is added to hook system startup: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "wingo" = C:\WINNT\SYSTEM32\WINGO.EXE

The following Registry key is also added to store data (within a 'TimeKey' key): HKEY_CURRENT_USER\Software\Params

Bagle.bb also copies itself to folders containing 'shar' in the name, such as common peer-to-peer applications Kazaa, Bearshare, Limewire, etc.

Luis Corrons, head of PandaLabs, said the virus "is here to pick up the cyber war that started a few months ago between several groups of virus creators. This time, it is a malicious code that uses social engineering and can spread extremely rapidly."