Latest Bagle worm turns PCs into card-playing zombies, Sophos comments

March 26, 2004 Sophos Press Release

Sophos, a world leader in protecting businesses against viruses and spam, is warning computer users about the latest variant of the Bagle worm - Bagle-U (W32/Bagle-U). First seen in the early hours of today, the mass-mailer is spreading steadily across the globe.

Bagle-U has no subject line or message body, and the infected attachment has a randomly generated name. In an interesting twist, when the attachment is launched, the worm opens Microsoft's Hearts game on the infected PC. The worm also searches the computer's hard disk and sends itself to email addresses it finds. Able to open a backdoor onto infected computers, Bagle-U allows unauthorised remote users, such as hackers, to gain access. This backdoor might also be used to update the worm.

"The Bagle variants just keep on coming," said Carole Theriault, security consultant at Sophos. "By opening a backdoor, this latest version compromises an infected user's confidentiality, while potentially turning the computer into a zombie for hackers to use."

Continuing the theme of viruses with multiple variants, Netsky-P (W32/Netsky-P), first seen on 22 March 2004, is still spreading widely. The worm spreads via email and shared folders and, with a trigger date of 24 March 2004, has begun to mass mail itself to harvested email addresses.

"Although the Netsky-Bagle battle for supremacy seen early this month has died down, Netsky-P seems to be continuing the fight, with attempts to disable variants of the Bagle worm," continued Theriault.

Sophos recommends companies protect their email with a consolidated solution to thwart the threats of spam and viruses, as well as secure their desktops and servers with automatically updated anti-virus protection.