Beagle/Bagel tries to mask its infection, noted Dunham, by opening the Windows calculator (the file 'calc.exe,' which is present on every Windows system). "Bagel does a great job of hiding the infection by loading calc.exe when executed. It even has the calculator icon for the file it creates in the Windows System directory, bbeagle.exe. The average user will think it's a simple calculator icon and think nothing of it."
According to analysis done by security experts, including Dunham and Gullotto's team at Network Associates, Beagle/Bagel also opens TCP port 6777 on compromised machines. That port, said analysts, could then be used by the remote hacker to execute commands on the machine or download additional malicious code to the system. Symantec's DeepSight Threat Management network -- a global system of network sensors the company uses to keep tabs on malicious code effects -- has reported a surge in activity associated with that port, due to Beagle/Bagel's spread.
Security firms have also reported that some users have been infected by the backdoor 'Mitglieder' Trojan horse, which Beagle/Bagel tries to download. Symantec, for example, warned its customers that the worm's code includes instructions to download a script from any of 36 URLs; that script "directs the compromised system to download and execute Trojan.Mitglieder," Symantec said in an e-mail alert.
Other than the potential for opening a system to remote attack -- or adding it to the worm creator's network of compromised proxies -- Beagle/Bagel's impact stems from its ability to propagate by harvesting e-mail addresses on target machines, then re-sending itself to those recipients. That may clog some service's and company's e-mail servers, said Dunham.
But Gullotto is convinced the worst is past on this one. "Since we first saw it debut on Sunday, it's shown a decrease [in prevalence] overnight. I think it's plateaued. We may see a small bump, but I expect that by Friday it will have run its course."