Network Computing is part of the Informa Tech Division of Informa PLC

Hold That Bagel: New Worm Spreads: Page 2 of 4

Ken Dunham, the director of malicious code at iDefense, made much the same point. "There's nothing particularly enticing about the message sent out by Bagel, yet it spreads with very good success. It appears that being brief and saying little, even if the content is vague and scarce, is a highly effective method for spreading malicious code."

Beagle/Bagel tries to mask its infection, noted Dunham, by opening the Windows calculator (the file 'calc.exe,' which is present on every Windows system). "Bagel does a great job of hiding the infection by loading calc.exe when executed. It even has the calculator icon for the file it creates in the Windows System directory, bbeagle.exe. The average user will think it's a simple calculator icon and think nothing of it."

According to analysis done by security experts, including Dunham and Gullotto's team at Network Associates, Beagle/Bagel also opens TCP port 6777 on compromised machines and listens on it. That port, said analysts, could then be used by a remote attacker to execute commands on the machine or download additional malicious code to the system, so a host that is listening on TCP 6777 or receiving inbound connections to it should be treated as a compromise indicator rather than as an oddity. Symantec's DeepSight Threat Management network -- a global system of network sensors the company uses to keep tabs on the effects of malicious code -- has reported a surge in traffic to that port, attributed to Beagle/Bagel's spread.
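The port described above is the kind of indicator a network team would watch for in its own firewall or flow logs, looking for the same surge DeepSight reported and for internal hosts that are actually accepting connections on it. The following is an added example written for this page, not code from iDefense, Network Associates or Symantec; the log format, the sample log lines, the threshold values and all function names are assumptions made for the illustration. Only the port number (TCP 6777) comes from the article.

```python
"""Detect a surge of connections to the Bagle backdoor port (TCP 6777) in
firewall logs, and list internal hosts that accepted such connections.

Added example for this page; the log format below is a constructed
iptables/syslog-like shape, not any vendor's real format.
"""
import re
from collections import Counter
from statistics import median

BACKDOOR_PORT = 6777  # the backdoor port named in the analysis above

# Constructed sample log lines (not real traffic). Each line:
#   <ISO timestamp> <host> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2004-01-19T09:15:02 fw ACCEPT TCP 198.51.100.7:51022 -> 192.0.2.20:80
2004-01-19T09:40:31 fw DROP TCP 203.0.113.5:40211 -> 192.0.2.10:6777
2004-01-19T10:02:11 fw ACCEPT TCP 203.0.113.5:40212 -> 192.0.2.10:6777
2004-01-19T10:02:15 fw ACCEPT TCP 203.0.113.9:51000 -> 192.0.2.10:6777
2004-01-19T10:03:40 fw ACCEPT TCP 203.0.113.5:40213 -> 192.0.2.11:6777
2004-01-19T10:05:00 fw DROP TCP 203.0.113.22:3301 -> 192.0.2.12:6777
2004-01-19T10:07:19 fw ACCEPT TCP 203.0.113.40:2201 -> 192.0.2.10:6777
2004-01-19T10:09:55 fw ACCEPT TCP 198.51.100.7:51023 -> 192.0.2.20:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def connections_per_hour(records, port=BACKDOOR_PORT):
    """Count every attempt (accepted or dropped) to reach `port`, bucketed by hour.

    Dropped attempts are counted too: they show scanning for the backdoor even
    when the firewall blocked it.
    """
    per_hour = Counter()
    for r in records:
        if r["dport"] == port:
            per_hour[r["ts"][:13]] += 1  # "YYYY-MM-DDTHH"
    return per_hour


def surge_hours(per_hour, factor=3, min_count=3):
    """Return hours whose count exceeds `factor` times the median of the other
    hours and is at least `min_count` (thresholds are assumed, tune to your site)."""
    flagged = []
    for hour, count in sorted(per_hour.items()):
        others = [c for h, c in per_hour.items() if h != hour]
        baseline = median(others) if others else 0
        if count >= min_count and count > factor * baseline:
            flagged.append(hour)
    return flagged


def hosts_accepting_backdoor(records, port=BACKDOOR_PORT):
    """Internal hosts that completed (ACCEPT) an inbound connection on the backdoor
    port: these are the ones to pull off the network and inspect first."""
    return {r["dst"] for r in records if r["dport"] == port and r["action"] == "ACCEPT"}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hourly = connections_per_hour(recs)
    print("attempts to port %d per hour:" % BACKDOOR_PORT, dict(hourly))
    print("surge hours:", surge_hours(hourly))
    print("hosts that accepted backdoor connections:", sorted(hosts_accepting_backdoor(recs)))
```

A positive hit from `hosts_accepting_backdoor` is the list to act on; a surge alone, with every attempt dropped, means the worm is scanning you from outside but has not necessarily gained a foothold.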

Security firms have also reported that some users have been infected by the backdoor 'Mitglieder' Trojan horse, which Beagle/Bagel tries to download. Symantec, for example, warned its customers that the worm's code includes instructions to download a script from any of 36 URLs; that script "directs the compromised system to download and execute Trojan.Mitglieder," Symantec said in an e-mail alert.

Other than the potential for opening a system to remote attack -- or adding it to the worm creator's network of compromised proxies -- Beagle/Bagel's impact stems from its ability to propagate by harvesting e-mail addresses on infected machines, then sending itself to those addresses. That may clog some service providers' and companies' e-mail servers, said Dunham.