Anti-virus software companies have alerted e-mail users
about a new version of the Bagle virus, which is spreading
through infected e-mail messages and targeting machines
running the Windows operating system. Bagle.U is the 21st
version of an e-mail worm that first appeared in January
2004.
Network Associates Inc.'s anti-virus emergency response team (AVERT)
has rated Bagle.U as a 'medium' level threat, while anti-virus
maker F-Secure Corp. of Helsinki has rated it as a "level
2" threat, which indicates large infections.
As with the earlier versions of the Bagle worm, the virus
code is contained in an executable (.exe) format file
with a randomly generated name. The worm hides in a file
attachment to an otherwise blank e-mail message. Users
must double click on the file to open it.
According to F-Secure, once launched, the Bagle worm begins listening
for instructions on communications port 4751 and connects
to a Web site in Germany in order to report the identity
of the infected machine to the worm's author. Bagle.U is programmed to
stop spreading on Jan. 1, 2005. The attachment has an
icon, which resembles a clock.
Four new versions of the Bagle e-mail worm, Bagle.Q,
R, S and T, did not carry file attachments to transmit
the virus, but instead sneaked through a months-old Windows
security hole to break into vulnerable machines.

Sober.E
ALIAS: W32/Sober.E@mm, W32.Sober.E@mm
A new Sober.E worm was found in Germany on Sunday, March
28th, 2004. The worm is written in Visual Basic and the
file is a PE executable with its own SMTP engine, which
it uses to send out infected e-mail messages.
F-Secure says that when the worm's file is started on a clean system,
it opens the Paintbrush or Microsoft Paint application as
a disguise and installs itself to the system.
The Sober.E worm spreads itself in e-mails as an executable
attachment or inside a ZIP archive. The worm uses the
following strings as the subject line:
'Hi', 'hi', 'Hi :-)', 'Ok :-)', 'OK OK,', 'Ok ok OK!',
'Hey!', 'hey?', 'HEY'
The message body can contain the following strings:
'thx', 'Thx!', 'THX', ';-)', 'ha!', 'HA', 'yo!', 'lol',
'LoL', 'LOL', ' Yo!'
F-Secure says that the worm is currently under analysis. More information
will be available soon.
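
The indicators described above (a blank message carrying an .exe for Bagle.U; the listed subject and body strings with an executable or ZIP attachment for Sober.E) can be expressed as a mail-filter heuristic. This is an added example, not code from the article or from F-Secure; the function names, the 40-character body limit and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Strings listed in the article for Sober.E (leading space of ' Yo!' dropped).
SUBJECTS = {"Hi", "hi", "Hi :-)", "Ok :-)", "OK OK,", "Ok ok OK!",
            "Hey!", "hey?", "HEY"}
BODY_STRINGS = ("thx", "Thx!", "THX", ";-)", "ha!", "HA", "yo!", "lol",
                "LoL", "LOL", "Yo!")
MAX_BODY_LEN = 40  # assumption: worm bodies are only a few characters long

def inspect(raw):
    """Return the names of the heuristics a raw message matches."""
    msg = message_from_bytes(raw)
    body, names = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename.lower())
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("latin-1")
    body = body.strip()
    has_exe = any(n.endswith(".exe") for n in names)
    has_zip = any(n.endswith(".zip") for n in names)
    hits = []
    # Bagle.U: executable attachment on an otherwise blank message.
    if has_exe and not body:
        hits.append("blank-body-exe")
    # Sober.E: listed subject, short body with a listed string, EXE or ZIP.
    if ((has_exe or has_zip) and (msg["Subject"] or "").strip() in SUBJECTS
            and len(body) <= MAX_BODY_LEN
            and any(s in body for s in BODY_STRINGS)):
        hits.append("sober-e-strings")
    return hits

def sample(subject, body, filename=None):
    """Build a constructed message for testing (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(inspect(sample("Hi :-)", "thx\n", "photo.zip")))
    print(inspect(sample("status", "\n", "qwxzr.exe")))
    print(inspect(sample("Quarterly report", "Figures attached.\n", "q1.zip")))
```

Both rules require an attachment, so an ordinary short reply such as "lol" with no file attached is not flagged.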