Security Manifest : Viruses (Medium)

A Smattering of Sobers

trafton — Tue, 15 Nov 2005 20:52:00 GMT

It's not often we get prior warning of worms spreading. But yesterday, German officials warned that we would see a new Sober variant using the attachment names “Word Text.zip” or “registration.zip” and, sure enough, we have Sober.V. Unfortunately, on the same day, we also have Sober.S, Sober.T, and a fairly minor variant, Sober.U. Although none are spreading extremely rapidly, both have been reported in the United States, Germany, and several other countries.

An article from About.com is available here. Amusingly, as the article points out, antivirus vendor Trend Micro published a description for the worm (as WORM_SOBER.AD) before it was released - and dubbed it as in the wild! Impressive forethought, indeed.

Users should be careful with any executables or files that can contain executables (like .zips), of course. Conventional common sense is the key to avoid infection with worms like Sober. Filenames associated with these threats are reg_text.zip (Sober.S), excel_table.zip (Sober.T), tabelle.zip (Sober.T), registration.zip (Sober.V), and Word-Text.zip (Sober.V).

Daily Update -- Tuesday, November 1st, 2005

trafton — Tue, 01 Nov 2005 22:59:00 GMT

Two new viruses worth mentioning today - one a mass-mailer spreading, one an interesting conceptual specimen.

Bagle-Based “Lodear“ Appears
A new worm family, Lodear, has appeared. The first variant seems to be spreading some in the wild. Information can be found here. Some antivirus companies consider this a variant of Bagle itself, and the family may be merged with the Bagle name. Lodear is similar to past Bagle variants. The primaray symptom of infection is a file called hloader_exe.exe in the Sytem folder.

First KiXTart Virus Appears
A virus infecting .KIX (KiXTart Script File) files has appeared. This is unlikely to effect most people, but it is the first example of such a virus. Information is here. KiXTart is a batch processing script that runs at logon on some Windows computers. For more information on KiXTart, see here.

Sober.R - Developing Outbreak

trafton — Thu, 06 Oct 2005 01:27:00 GMT

A new worm, Sober.R, is spreading moderately in the field. More details about this when they are available, and can be found here in the meantime: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=136390

OUTBREAK: Zotob.E (IRCBot) worm hitting unpatched systems

trafton — Tue, 16 Aug 2005 22:18:00 GMT

A new worm utilizing the MS05-039 vulnerability has became a major outbreak. More coverage upcoming.

Details
IRCBot is a fast-spreading worm affecting systems not patched for the MS05-039 vulnerability. Infected machines will reboot frequently, as well as connect to an IRC server and await further instructions

Protection
Detection of this worm, as it is an outbreak, should be released very soon, if it is not already out.

The Gist
IRCBot is an urgent outbreak and all systems should be patched that have not already been.

Links
McAfee - Write-up.

Zotob - New worm hitting unpatched machines

trafton — Mon, 15 Aug 2005 00:57:00 GMT

A new version of the extensive and successful MyDoom worm family has appeared. Fortunately, like many recent variants, this version has got off to a slow start and is unlikely to become a major threat.

Details
MyDoom.CF was discovered Tuesday, June 28th, 2005. It is a standard MyDoom family member, faking the email address it is sent from. Messages MyDoom.CF use typically make a relatively unsuceesful attempt at seeming either personal (“Is it your name listed here? It seems this is the Pentagon listing“) or official (“Your file hasn't passedour security check and thus was returned“) and are typically caught by spam filters, if they are present. MyDoom.CF is not a very damaging virus, and exists only to spread. Attachments associated with MyDoom.CF are 32,256 bites in size, although if in the .zip format, they can vary.

Protection
Detection for this worm may be covered generically under some current DAT files, as it is an unremarkable variant of a well-known worm family. Updates will likely start appearing within the next 24 hours. As this is a low-risk threat, emergency detection releases are unlikely. MS05-039 can be downloaded at windowsupdate.microsoft.com.

The Gist
MyDoom.CF, although it may spread some, is an unremarkable MyDoom variant and does not pose a significant risk at this time.

Links
F-Secure - Write-up.

Sober.P - New Medium Risk Worm

trafton — Tue, 03 May 2005 00:42:00 GMT

Sober.P is a mass-mailing worm that was discovered earlier this afternoon and, as with all Sober worm variants that have previously became common, is spreading quickly, especially in Germany, where the family originates. Unlike previous variants, it is spreading much more quickly among home users than it is corporate users. McAfee, for instance, has upgraded it to Medium risk for home users only. In the past, we've seen Sober spread pretty equally between both classes, heavily relying on international business between the United States and Germany.

Messages containing Sober.P typically follow the usual Sober profile: the message body is in poor English or decent German, with the attachment either suggesting that it originates from the system administrator of the email service or is a friendly joke. The message body, on the other hand, can be one of two things: in German, it involves the apparent suggestion of tickets to a soccer game. The English version promises that “account and password information are attached!“ [sic].

Details
Sober.P was discovered on May 2nd, 2005, with details first published around noon PST. It is a worm that spreads via email. It also terminates a small handful of security programs. The attachment containing Sober.P varies, but is always one of the following: account_info.zip, autoemail-text.zip, LOL.zip, Fifa-Info_Text.zip, mail_info.zip, okTicket-info.zip, our_secret.zip, or _PassWort-Info.zip.

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so when they have not already. Although some antivirus companies rate this worm as a Medium risk, others do not; this may mean that emergency detections will be issued by some companies, but not others. Infected users should wait for detection files and/or more detailed information and removal information to be published before attempting to remove the worm. Until then, infected users should avoid connecting to the Internet or any open network.

The Gist
Like previous Sober variants, Sober.P is written in poor English and will probably raise red flags among users more experienced with worms. However, since this variant is especially common among home users, unlike previous versions, the infected usergroup may be less likely to know where to look for these red flags. Although it is not an outbreak, Sober.P is still spreading quite rapidly and warning precautions should be taken and antivirus programs updated. Germany and the United States, as well as possibly Australia and Great Britain (if the worm follows previous Sober family members' track) may be hardest hit.

Links
McAfeeHelp Forums - Excellent resource for latest information and updates.
Secunia - Compiles latest descriptions and links.
Trend Micro - An excellent and detailed description with generic removal instructions. Refers to worm as Sober.S.
McAfee - Detailed description with excellent, specific removal instructions.
Symantec - Detialed description, but with no specific removal instructions. Refers to worm as Sober.O.
F-Secure - Detailed description with no removal information.
Sophos - At this time, no information posted.

Sober.L - New Sober Variant Going Around

trafton — Mon, 07 Mar 2005 21:52:00 GMT

Sober.L is mass-mailing worm that appeared this morning around 10 AM PST and is believed to be spreading rapidly in Germany, and is beginning to appear in several other countries. The worm, like previous Sober variants, spreads in both English and German email addresses, depending on the language of the installed copy of Windows.

Messages containing Sober.L typically pretend to be from an administrator in regards to the victim's password. The emails are written with poor capitalization and broken English. Hopefully, this will be a warning flag that will limit spread outside of Germany (although the German message also suffers from poor punctuation and capitalization.)

Sober.L has been declared a Medium risk at Trend Micro.

Details
Sober.L was discovered on March 8, 2005, with details first published around noon PST. It is a worm that spreads via email. It also terminates a small handful of security programs. The attachment containing Sober.L is named either MailTexte.zip (German) or acc_text.zip (English).

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so. It is unlikely emergency detection will be published, as the worm reminds a Low risk threat on all descriptions at this time. In the meantime, users should practice common sense and avoid opening suspicious emails, and, when in doubt, contact the alleged recipient to see if they really sent them.

Infected users should wait for detection files and/or more detailed information and removal information to be published before attempting to remove the worm. Until then, infected users should avoid connecting to the Internet or any open network.

Links
McAfeeHelp Forums - Excellent resource for latest information and updates.
Secunia - Compiles latest descriptions and links.
Trend Micro - Detailed write-up with good removal instructions.
Symantec - Detailed write-up with limited removal instructions.

Crog aka Fatso - MSN Messenger Outbreak

trafton — Mon, 07 Mar 2005 21:38:00 GMT

Crog (also known by several other names, such as Sumom, Serflog, and Fatso - the last name which is likely to become the media name) is an MSN Messenger worm that appeared today and is spreading quickly, earning Medium risk from some antivirus companies. The worm sends itself to victims via MSN Messenger from the infected computer. File names are likely to end in a .pif extension, but there is a 1-in-12 chance that the extension will instead be .scr. Most of the file names infer a photograph, either humorous or pornographic in nature.

Crog has been declared a Medium Risk threat at Sophos, Trend Micro, and Secunia.

Details
Crog was discovered on March 7, 2005, with details first published shortly after midnight GMT. It is a worm that spreads via MSN Messenger and the eMule P2P network. Additionally, machines infected with Crog will have their security settings adjusted to lower levels. Access to security related web sites is blocked on Crog-infected computers, and a range of security programs also is disabled by the worm. The worm also intercepts CD writes and adds itself to them - this is an uncommon feature in worms.

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so. It is unlikely emergency detection will be published, as the worm reminds a Low risk threat on all descriptions at this time. In the meantime, MSN Messenger users should exercise common sense and not open any executable file format that is sent to them randomly, including .pif and .scr, which this worm uses.

Links
McAfeeHelp Forums - Excellent resource for latest information and updates.
Secunia - Compiles latest descriptions and links. Refers to worm as “Fatso.“
Trend Micro - Excellent, highly detailed write-up with pictures. Refers to worm as “Fatso.”
Symantec - Fairly detailed write-up without some additional details. Uncluttered. Refers to worm as “Serflog.”
Panda - Fairly detailed write-up. Excellent removal instructions. Refers to worm as “Fatso.“
F-Secure - Fairly detailed write-up. No removal instructions. Refers to worm as “Sumom.“
McAfee - Fairly detailed write-up. No removal instructions.
Sophos - Fairly detailed write-up. No removal instructions. Refers to worm as “Sumom.”

Kelvir.B Worm - Developing Minor MSN Messenger Outbreak

trafton — Sun, 06 Mar 2005 23:49:00 GMT

Kelvir.B (Kelvir.A at Symantec) is an MSN Messenger worm that appeared yesterday, has now been characterized by Symantec as spreading in the field. The worm arrives as a link to the file cute.pif on a web site on the home.att.net domain. It also downloads a variant of W32/SDBot, a backdoor and open share worm, as patch.exe from a web site on the home.comcast.net domain.

Details
Kelvir.B was discovered on March 6, 2005, with details first published shortly after midnight GMT. So far, details are limited, other than that at this time it appears that the targeted web sites are still up (I am unable to verify this as no description that includes the URL uncensored has yet been published).

So far it is unknown how quickly Kelvir.B is spreading, but Symantec's characterization of the worm as Medium on their Wild scale and their publishing of a temporary description while they were investigating the threat suggests that it may be spreading somewhat quickly in the MSN Messenger community.

The format for messages is “omg this is funny! (Link to worm)“.

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so. It is unlikely emergency detection will be published, as the worm reminds a Low risk threat on all descriptions at this time. In the meantime, MSN Messenger users should exercise common sense and not open any executable file format that is sent to them randomly, including .pif, which this worm uses.

Links
Secunia - Compiles latest descriptions and links.
Sophos - Basic description with some details. No removal instructions. “More detailed information to follow shortly.“
McAfee - Basic description with some details. No removal instructions.
Symantec - Very basic description with no details. No removal instructions. “More information [will be posted] as it becomes available.” Refers to worm as “Kelvir.A.”

MyDoom.BB - Medium Risk

trafton — Thu, 17 Feb 2005 02:15:00 GMT

MyDoom.BB, or .AX at Symantec, has been upgraded to a medium risk rating and is spreading rather quickly. More information available here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html
http://vil.mcafeesecurity.com/vil/content/v_131856.htm

Extended coverage tomorrow afternoon.

Bropia.G - MSN Users Should Remain Vigilant

trafton — Fri, 04 Feb 2005 23:05:00 GMT

We may just now be seeing the first notable outbreak of an MSN Messenger worm.

Bropia.G, known by various other letters depending on the antivirus company, is a variant of the slightly successful Bropia family. Like past variants, .G spreads via MSN Messenger to any contact that changes their status (i.e. Busy to Away). Also like previous variants, it contains a backdoor (a version of Spybot). McAfee has details here.

Previous versions heavily utilized the Windows interface in an attempt to spread. It seems this one is more successful. Secunia rates this worm as a medium risk, as does Trend Micro. Infected users will have the file SEXY.JPG dropped to their root folder. It contains an image that is probably intended to be humorous (courtesy of Trend Micro):

This will be displayed after the worm is executed.

File names for this threat are:

Bedroom-thongs.pif
Hot.pif
LMAO.pif
LOL.scr
Naked_drunk.pif
New_webcam.pif
ROFL.pif
underware.pif
Webcam.pif

Targeted users will see a window like the following when a the worm tries to send itself to them under the name of the infected user (courtesy of Trend Micro, click for larger view):

The worm also tries to spread to users of Windows Messenger. However, this fails, because built-in security features prevent it. The following text will instead be seen, with naked_drunk.pif being the file name:

The transfer of the file “naked_drunk.pif” has been blocked because it could be unsafe.

Worms like these generally spread amongst communities of MSN users, and regionalization of infection is not uncommon. According to Trend Micro statistics, 89.7% of infections so far originate from Asia. In fact, Taiwan alone counts for 60.8% of infections worldwide.

I can, however, attest to this worm being in the wild in the United States, though, which currently accounts for 6% of infections. I received a report from a user two days ago who said her computer was trying to send Webcam.pif. This was after the worm was isolated, but before a description was posted.

Fortunately, like past versions of Bropia, the author did not take the time to add a start-up routine. Rebooting the machine seems to remove this worm from memory. This means that it is likely the worm will become nearly extinct within a few months, depending on how quickly it is currently spreading.

In the meantime, though, it is worth keeping careful watch on.

Sober.K - Medium Risk

trafton — Mon, 31 Jan 2005 18:32:00 GMT

McAfee has gone Medium risk on the latest version of the Sober worm family, Sober.K. Due to illness, my coverage of this worm will be limited. I highly recommend checking out the McAfeeHelp topic here where they will be tracking this developing threat:

http://forums.mcafeehelp.com/viewtopic.php?t=40406

McAfee upgraded the worm to Medium at 9:37 AM Eastern this morning.

F-Secure calls this worm Sober.I, but otherwise names seem standardized. McAfee is the only company to rate this anything but low at this point.

Santy Worm - Upgrade to phpBB 2.0.11

trafton — Wed, 22 Dec 2004 23:11:00 GMT

PERL.Santy is a worm that utilized the search engine Google in order to search for vulnerable web sites running phpBB software. phpBB 2.0.10 is affected; 2.0.11 is not. Vulnerable web sites will have this at the footer:

Yet again, F-Secure's weblog did an excellent job of covering a major event:like this and I highly recommend it. Defaced sites typically display the text, in red, with varying fonts:

This site is defaced!!!
NeverEverNoSanity WebWorm generation x.

x here represents the number of infections that this worm has made before, similar to the generations in any human disease (thus not allowing us to know exactly the number of infections, since there can be multiple infections for each generation.) So far the highest generation that both Google and MSN show is 24.

Fortunately, Google has blocked the search string that Santy uses to spread, so further infections are unlikely. This was done around midnight GMT. Google sent F-Secure this reply:

While a seven hour response for something like this is not outrageous, we think we can and should do better. We will be reviewing our procedures to improve our response time in the future to similar problems.

This is a good response in my eyes and hopefully the .B variant, which has appeared, will do little.

However, all users running phpBB 2.0.10 should IMMEDIATELY upgrade to phpBB 2.0.11 as this exploit allows anyone to hack outdated sites, not just the Santy worm.

Zafi.D - High Risk at Secunia

trafton — Thu, 16 Dec 2004 22:59:00 GMT

The new Zafi.D worm is spreading rapidly and has earned a high risk at security company Secunia, which combines write-ups from various vendors and assigns them a risk.

Zafi.D was discovered on Tuesday, and has since then maintained a relatively steady spread rate, which has since declined slightly. Antivirus company Sophos, according to BBC News (WARNING: mildly offensive smilies within), estimates that at its peak spread Tuesday evening, the worm was in 10% of all emails sent.

One of the most notable features of Zafi.D is its multilingual abilities. This has allowed other worms to spread more significantly. Language is one of the more interesting aspects of virus spread: it allowed the Japanese worm FBound.C to become a worldwide outbreak with huge spread in western Europe, Canada, and the United States in March 2002 after curious people opened the attachment to the worm, which appeared as junk text to them. This also allowed the Mexican worm Mapson to become prevalent in the summer of 2003 among Hotmail users, especially in communities with both Spanish and English speakers.

Perhaps more likely to facilitate in the spread is the image of two smiley faces copulating between the words “Happy Hollydays [sic].” Contrary to what it should do (be a red flag that something is up), childishly semi-offensive imagery like this simply increases the chances that the worm will spread more. The Christmas theme only adds to this.

Once it gets onto your machine, Zafi.D is a fairly standard, not incredibly damaging worm. Like most worms of this day, it contains its own mailing server to spread itself and harvests email addresses from the host machine in the usual way (searching through files on the machine). Also featured are the now-standard P2P spreading capabilities and the equally common ability to shut down security programs.

I have received conflicting reports about the language abilities of Zafi.D; one report says that “outgoing email message bodies are either in English or Hungarian“ while another gives an example of the outgoing message body being in German. Despite the minor successes of local Hungarian worms like Magold, it is doubtful that adding Hungarian message bodies to the worm would increase its spread all that significantly from just using English.

The December month is typically breeding ground for holiday-related worms, such as Navidad, which appeared in November 2000 and became a major problem the month after, and the Ska (Happy99) worm, which offered a greeting for the 1999 New Years, and inexplicably remained one of the most common worms through 2001.

The moral of the story is, as usual, avoid opening Christmas cards from friends you never knew you had, or for that matter friends who probably would not be sending you Christmas cards in some weird sort of sub-English. And, of course, that any attachment, no matter who it is from, should be regarded with extreme suspicion.

Happy holidays, everyone, and please do be safe. :)

Resources for Zafi.D
McAfeeHelp.com - My fellow MVPs Harry Waldron and Jurren Bouman have here compiled a list of many known write-ups for Zafi.D, as well as news stories. An excellent portal to information for this threat.

Coverage of Sober.I/J Worm

trafton — Sat, 20 Nov 2004 23:38:00 GMT

Breaking News: Latest Sober Variant Continues Worldwide Spread

A new variant of the Sober worm family appeared on Friday. This latest version is known as Sober.I by all venders except for McAfee, which calls is Sober.J. For the purposes here, the worm will be referred to as Sober.I to conform to naming standards.

Like all versions of the Sober family, Sober.I is a polymorphic mass-mailing worm that uses a range of emails. However, unlike recent worms such as Netsky, Mydoom, and Bagle, Sober.I's polymorphism is limited. It contains only 13 possible subjects, 3 possible email bodies, and 2 possible attachment names with 5 possible attachment extensions (.exe, .com, .bat, etc.)

When the infected file is open, the worm will display a fake WinZip error message (courtesy of McAfee):

Most major antivirus companies have released descriptions. Courtesy Harry Waldron from the McAfeeHelp.com Forums:

http://secunia.com/virus_information/13463/win32.sober.i/
http://vil.nai.com/vil/content/v_130130.htm
http://www.sarc.com/avcenter/venc/data/w32.sober.i@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.I
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40797
http://www.f-secure.com/v-descs/sober_i.shtml
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=54761&sind=0

Symptoms of infection include connections to web servers of mostly German origin. The Sober family is believed to have been written in Germany. Sober.I initially appeared in France, Germany, and Australia, but has since spread worldwide.

I'll continue following the spread of this worm in the unlikely event of a major further development.

Netsky.AG Goes Medium at McAfee

trafton — Sat, 16 Oct 2004 03:14:00 GMT

Worm Remains Low Risk Most Places

McAfee has given a rating of Medium Risk to a new mass-mailer, a variant of the Netsky family. The worm, which is similar in nature to past Netsky variants, is known as Netsky.AG. So far, McAfee is the only antivirus company to give the worm a medium risk rating. More information can be found here.

Bagle.AZ Goes Medium at McAfee

trafton — Tue, 28 Sep 2004 23:23:00 GMT

Breaking News: New Bagle Variant Spreading Quickly Worldwide

The latest variant of the Bagle worm, Bagle.AZ, has now been declared a Medium risk at McAfee due to increasing spread. For more information, see this link from the McAfeeHelp forums:

http://forums.mcafeehelp.com/viewtopic.php?t=32387

This is notably the first time McAfee has declared a Medium risk alert since MyDoom.S on August 15th. I personally received a copy in my Yahoo! email box this morning, and reports continue to come in that spread is increasing, although it seems unlikely at least at this point to become a major outbreak.

I will continue to monitor this developing threat. More information will be posted as it is made available.

Outbreak Alert for New MyDoom Variant

trafton — Tue, 27 Jul 2004 00:01:00 GMT

BREAKING NEWS: Mydoom Variant Medium-High Risk

At 9:25 AM Pacific Time, security company Secunia released a Medium risk alert for the latest variant of the Mydoom family, which is known by various names, including MyDoom.L, MyDoom.M, MyDoom.N, MyDoom.O, and MyDoom.R. The following are various vendor's aliases for this worm:

Computer Associates: Win32.Mydoom.O
F-Secure: Mydoom.M
Network Associates: W32/Mydoom.o@MM
Panda Software: Mydoom.N
Sophos: W32/MyDoom-O
Symantec: W32.Mydoom.M@mm
Trend Micro: WORM_MYDOOM.M

Contrary to the Secunia bulletin, Panada Software's Mydoom.M is an unrelated worm.

The following are vendor risks:

Computer Associates: High (4/5)
F-Secure: Medium (2/3)
Network Associates: Medium-On-Watch (2.5/3.5)
Panda Software: High (3/4)
Sophos: Unassigned
Symantec: High (4/5)
Trend Micro: Medium (2/3)
OVERALL: Medium-High (7.3/10)

Worldwide Spread
Trend Micro reports significant spread from Germany, Singapore, and the United States, indicating that it is likely this worm has already became common in all continents.

Recognition
Email messages appear similar to the following, although may be variable:

More Information
McAfeeHelp Forums (thanks to CD)
NAI Description
Symantec Description
Trend Micro Description
Panda Software Description
F-Secure Description
Computer Associates Description
Sophos Description

New Mydoom Variant Achieving Some Spread

trafton — Tue, 20 Jul 2004 02:37:00 GMT

L/N Variant in Wild Say Sophos and Symantec

Symantec is reporting W32.Mydoom.L@mm, which is the same virus as McAfee's W32/Mydoom.n@MM. They both currently call it a low risk, although Symantec also notes it is spreading in the field. Sophos also notes receiving "several" reports from the wild, indicating spread, although not an outbreak.

This worm can be considered low risk, although I am putting it on sticky because two companies have confirmed noticeable spread in the field.

More information is available at this topic.

Bagle Variants Keep on Coming

trafton — Mon, 19 Jul 2004 22:51:00 GMT

BREAKING NEWS: 3 New Bagle Variants Appear; 2 Medium Risk

I reported in the last post here that Bagle.AF has been assigned Medium-On-Watch risk at McAfee (it remains there.) However, since that, three new variants (.AG, .AH, and .AI) have appeared, and .AG and .AI are listed as Medium risk.

They are extensions on the standard Bagle theme, not varying too much from earlier variants. Typical modifications can be found here, with .AF and .AI seeming to have shifted toward an animal-related theme in the subject messages with which they mass-mail.

We're beginning to get some naming confusion here (which actually started in around .J but vendors are now trying to correct unsuccessfully), so to sort things up:

Variant “One”
Computer Associates: Win32.Bagle.AC
Kaspersky: I-Worm.Bagle.ah
Network Associates: W32/Bagle.ag@MM
Symantec: W32.Beagle.AC@mm

Variant “Two”
Computer Associates: Win32.Bagle.AD
F-Secure: Bagle.AH
Network Associates: W32/Bagle.ah@MM

Variant “Three”
Network Associates: W32/Bagle.ai@MM
Sophos: W32/Bagle-AI
Symantec: W32.Beagle.AG@mm

Although little is known about Variant “Two” (which is low risk at McAfee), variants “One” and “Three” appear to mass-mail with messages containing animal themes, such as “Dog,” “Fish,” “Lovely animals,“ or “Predator.” However, some unrelated subject lines exist too, such as “Cool_MP3” and “Garry.”

The remote access function remains in this version, relying on .php scripts hosted on a large number of sites, all with .de suffixes (Germany.) This suggests that, like Netsky, the Bagle worm was created in Germany. However, this may be a smokescreen, especially considering that .com and .net suffixes are also frequently used for German sites, and it is statistically unlikely that a random pool of German sites would all have the suffix .de. This indicates that there is a good chance the virus author intentionally chose only German sites.

More information about individual variants can be found under their various topics here:

http://forums.mcafeehelp.com/viewforum.php?f=23