New Spawn of Bagle Worm Unleashed

posted on March 28, 2004
by hitbsecnews

Yet another version of the Bagle worm is on the loose and is already causing trouble in parts of Europe. Bagle.U appeared early Friday morning and has begun spreading quickly, even though it contains none of the social engineering tricks that Bagle's author has used to help previous versions succeed. This variant arrives in an e-mail with a blank subject line and no body text. The sending address, as always, is spoofed, and the name of the infected executable attachment is completely random. After execution, the worm mails itself to all of the addresses in the infected machine's address book.

Bagle.U does include a backdoor component that listens on TCP port 4751 and connects to a Web server in a German domain, www.werde.de, according to an analysis by the McAfee Security unit of Network Associates Inc., based in Santa Clara, Calif. Once it establishes a connection with the remote server, the worm generates a unique ID number for each specific infected machine and sends that number and the number of the port on which it is listening to the server.

The worm also is capable of downloading an updated copy of itself from the remote server or downloading a batch file that removes the worm from the infected PC.

Once resident on the system, Bagle.U will sometimes open the Hearts card game that is included with some versions of Windows. In other cases it will drop a file named Gigabit.exe into the Windows system folder. This file contains a copy of the worm.
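The three host and mail indicators described above (a TCP listener on port 4751, Gigabit.exe in the Windows system folder, and a message with a blank subject, no body text and an executable attachment) can be checked with a short triage script. This is an added example, not code from the article or from McAfee; the extension list and the sample inputs are constructed assumptions.

```python
from email import message_from_string

BACKDOOR_PORT = "4751"        # listener port named in the article
DROPPED_FILE = "gigabit.exe"  # file name named in the article
EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # assumption: article says only "executable"

def has_backdoor_listener(netstat_text):
    """True if Windows `netstat -an` output shows a TCP listener on port 4751."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == BACKDOOR_PORT:
                return True
    return False

def has_dropped_file(system_dir_listing):
    """True if a listing of the Windows system folder contains Gigabit.exe."""
    return any(n.lower() == DROPPED_FILE for n in system_dir_listing)

def matches_mail_profile(raw_message):
    """True for a blank subject, no body text and an executable attachment."""
    msg = message_from_string(raw_message)
    if (msg.get("Subject") or "").strip():
        return False
    has_exe = has_text = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            has_exe = has_exe or name.lower().endswith(EXEC_EXT)
        elif part.get_content_maintype() == "text":
            has_text = has_text or bool((part.get_payload(decode=True) or b"").strip())
    return has_exe and not has_text

# Constructed sample inputs (not captured from a real infection).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4751           0.0.0.0:0              LISTENING
"""
SAMPLE_MAIL = (
    "From: a@example.com\nTo: b@example.org\nSubject:\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\n\n'
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="qzkwpd.exe"\n\nAAAA\n--b1--\n'
)

if __name__ == "__main__":
    print(has_backdoor_listener(SAMPLE_NETSTAT), matches_mail_profile(SAMPLE_MAIL))
```

Because the attachment name is random and the sender is spoofed, the mail check keys only on the message shape, so it will also match other blank messages that carry an executable.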
