In-Depth

Briefs

New worm and Trojan software unleashed; purported PayPal mail carries worm

• By Mathew Schwartz
• 01/28/2004

Bad Bagle

A worm with unfortunate ties to Trojan software is still making the rounds since its recent discovery. Alternately known as Bagle or I-Worm.Bagle, the worm arrives as a 15 KB attachment with the subject line “Hi.” “Test,” plus a smiley face, appear in the body. The e-mail’s attachment, a Windows executable file, has a random name, as do the e-mail “sent to” addresses.

Anti-virus vendor F-Secure cautions the worm is “spreading aggressively.”

The worm, once executed, downloads and launches Trojan software known as Mitglieder, which turns the infected machine into a proxy server, e-mailing more copies of the worm to random e-mail addresses.

Luckily, every online resource the worm would use to download Mitglieder has been taken offline.

Anti-virus provider Kaspersky Labs notes, however, Bagle is still “using a technique standard for Trojan programs.” The program “scans the file system on infected machines for files with extensions wab, txt, htm and r1” to gather e-mail addresses. The worm then e-mails “copies of itself to all email addresses that it uncovers, using a built-in SMTP server.”

As always, users should update their anti-virus software.

Infected users can run Bagle removal tools available from several anti-virus vendors' Web sites.

F-Secure also verifies a method discovered by Joe Stewart of Lurhq will eliminate the worm. “Sending a specific byte sequence to port 6777 on the infected computers causes the worm to delete itself from the System Directory and terminate its process. The registry values are not removed but since the file does not exist Windows will ignore those,” says the company.

However, it cautions, “usage of this method against someone else's computers might be legally questionable.”

The Return of MiMail

A nasty Russian e-mail worm is hitting numerous e-mail boxes thanks to a recent spam push, reports Kaspersky Labs. The spam contains an attachment known as “small.cz” which, if executed, downloads via server a copy of MiMail.p.

“To date, isolated incidents of infection by this malicious software have been reported in various countries throughout the world,” says Kaspersky.

This version pretends it’s from PayPal, down to the sender (do_not_reply@paypal.com), a subject line mentioning PayPal, and an attachment named PayPal.exe.

Needless to say, the worm isn’t from PayPal.

“The new modification of the worm differs from previous versions only by the fact that it is compressed using UPX. This makes it more difficult for some anti-virus programs to detect Mimail.p,” says Kaspersky, though all major anti-virus software makers have since updated their products.

If users execute the attached file, it downloads MiMail.p. Then, says Kaspersky, the worm replicates by scanning directories to find e-mail addresses, then e-mails itself to those addresses.

The worm watches for usernames, passwords, and system information, then collects and forwards it to “a number of anonymous addresses belonging to the worm's author.” PayPal and E-Gold users also beware: the worm tracks any activity related to those sites, extracting “confidential information” and similarly forwarding it to the anonymous e-mail addresses.