Bagle Variants Keep on Coming

Community

Email Notifications

Write-Ups

Security Blogs

Miscellaneous Blogs

Security Sites

Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

BREAKING NEWS: 3 New Bagle Variants Appear; 2 Medium Risk

I reported in the last post here that Bagle.AF has been assigned Medium-On-Watch risk at McAfee (it remains there.) However, since that, three new variants (.AG, .AH, and .AI) have appeared, and .AG and .AI are listed as Medium risk.

They are extensions on the standard Bagle theme, not varying too much from earlier variants. Typical modifications can be found here, with .AF and .AI seeming to have shifted toward an animal-related theme in the subject messages with which they mass-mail.

We're beginning to get some naming confusion here (which actually started in around .J but vendors are now trying to correct unsuccessfully), so to sort things up:

Variant “One”
Computer Associates: Win32.Bagle.AC
Kaspersky: I-Worm.Bagle.ah
Network Associates: W32/Bagle.ag@MM
Symantec: W32.Beagle.AC@mm

Variant “Two”
Computer Associates: Win32.Bagle.AD
F-Secure: Bagle.AH
Network Associates: W32/Bagle.ah@MM

Variant “Three”
Network Associates: W32/Bagle.ai@MM
Sophos: W32/Bagle-AI
Symantec: W32.Beagle.AG@mm

Although little is known about Variant “Two” (which is low risk at McAfee), variants “One” and “Three” appear to mass-mail with messages containing animal themes, such as “Dog,” “Fish,” “Lovely animals,“ or “Predator.” However, some unrelated subject lines exist too, such as “Cool_MP3” and “Garry.”

The remote access function remains in this version, relying on .php scripts hosted on a large number of sites, all with .de suffixes (Germany.) This suggests that, like Netsky, the Bagle worm was created in Germany. However, this may be a smokescreen, especially considering that .com and .net suffixes are also frequently used for German sites, and it is statistically unlikely that a random pool of German sites would all have the suffix .de. This indicates that there is a good chance the virus author intentionally chose only German sites.

More information about individual variants can be found under their various topics here:

http://forums.mcafeehelp.com/viewforum.php?f=23

Posted: Jul 19 2004, 05:51 PM by trafton | with 17 comment(s)

Filed under: VIRUSES, Viruses (Medium), Viruses (Urgent)

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.

Recent Posts

Tags