Bagel.z Worm Risk Raised to Medium

Rhett Pardon
CYBERSPACE – The Bagel.z worm – the mass mailing worm that harvests addresses from local files and then uses those addresses in the “from" field to send itself – includes not just code but poetry.

Network Associates on Monday raised the risk assessment to medium on the Bagel.z worm. Once it is activated, the worm copies itself to folders in the system directory that have the phrase "shar" in the name, such as common peer-to-peer applications, and adds a registry key to the system startup.

The Bagle.z variant is the latest in what appears to be a contest between the authors of two worms: Bagle and NetSky, according to industry experts.

A recent version of NetSky included a promise by the writer to keep creating new versions as long as the creator of the Bagle worm keeps revising that program.

The document attachment to the Bagel.z worm contains these four lines of text (all in upper case):

“UNIQUE PEOPLE MAKE UNIQUE THINGS … THAT THINGS STAY BEYOND THE NORMAL LIFE AND COMMON UNDERSTANDING … THE PROBLEM IS THAT PEOPLE DON’T UNDERSTAND SUCH WILD THINGS … LIKE A MAN DID NEVER UNDERSTAND THE WILD LIFE.”

Several versions of the Bagle worm were released in March; however, the program has not spread widely, according to Network Associates.

Santa Clara, Calif.-based Network Associates, which is planning to change its name to McAfee, said the most number of infected files were being reported from Europe.

The increase in suspicious activity within the last week has Internet security experts bracing for what some analysts warned could be the next big worm attack worldwide.

Continued access to peer-to-peer networks allows hackers to transfer much bigger files to and from compromised computers. New attack codes can remain dormant until updated instructions have achieved the desired level of distribution.

Meanwhile, Microsoft said Monday that a hacker program has surfaced on the Internet that exploits a Windows flaw discovered two weeks.

The attacks make use of a flaw in Microsoft's library of SSL programming code, the Redmond, Wash., company said in an alert on its website. SSL, or secure sockets layer, is an encryption technology for transmitting private documents on the Web, such as secure e-commerce Web pages and email.

Microsoft is offering patches for Windows NT, 2000 through Service Pack 4, Server 2003, 98, XP and ME and NetMeeting on its website.