Bagle.U and Sober.E: not-so-friendly email viruses
Our Infotech Bureau
29 March 2004

Anti-virus software companies have alerted e-mail users to a new version of the Bagle virus, which is spreading through infected e-mail messages and targeting machines running the Windows operating system. Bagle.U is the 21st version of an e-mail worm that first appeared in January 2004.

Network Associates Inc.'s anti-virus emergency response team (AVERT) has rated Bagle.U as a "medium" level threat, while anti-virus maker F-Secure Corp. of Helsinki has rated it as a "level 2" threat, which indicates large infections.

As with the earlier versions of the Bagle worm, the virus code is contained in an executable (.exe) format file with a randomly generated name. The worm hides in a file attachment to an otherwise blank e-mail message. Users must double-click on the file to open it.

According to F-Secure, once launched, the Bagle worm begins listening for instructions on communications port 4751 and connects to a Web site in Germany in order to report the identity of the infected machine to the worm's author. Bagle.U is programmed to stop spreading on Jan. 1, 2005. The attachment has an icon that resembles a clock.

Four new versions of the Bagle e-mail worm, Bagle.Q, R, S and T, did not carry file attachments to transmit the virus, but instead sneaked through a months-old Windows security hole to break into vulnerable machines.

Sober.E
ALIAS: W32/Sober.E@mm, W32.Sober.E@mm

A new Sober.E worm was found in Germany on Sunday, March 28th, 2004. The worm is written in Visual Basic and the file is a PE executable with its own SMTP engine, which it uses to send out infected e-mail messages.

F-Secure says that when the worm's file is started on a clean system, it opens the Paintbrush or Microsoft Paint application as a disguise and installs itself on the system.

The Sober.E worm spreads itself in e-mails as an executable attachment or inside a ZIP archive. The worm uses the following strings as the subject line:
'Hi', 'hi', 'Hi :-)', 'Ok :-)', 'OK OK,', 'Ok ok OK!', 'Hey!', 'hey?', 'HEY'
The message body can contain the following strings:
'thx', 'Thx!', 'THX', ';-)', 'ha!', 'HA', 'yo!', 'lol', 'LoL', 'LOL', ' Yo!'

F-Secure says that the worm is currently under analysis. More information will be available soon.

