Other Bagle-infected PCs were used to spew junk e-mail. One piece of spam hawked cheap generic prescription drugs. Another advertised popular software titles -- including computer-security and anti-virus programs -- at fire-sale prices. Experts say most software sold through spam is pirated, and much of it is itself laced with viruses.
Alfred Huger, senior director of security response at Symantec, said most of the infected computers were seeded with additional software over a period of several weeks. "That kind of activity suggests that the people behind the Bagle worm are either running a vast criminal enterprise or they are loaning out their network" of infected PCs to other scam artists and spammers, Huger said.
Unlike "network" viruses that exploit security holes, e-mail worms like Bagle trick people into opening e-mail attachments that contain the virus. Most worms can fake the "from" address so they appear to come from someone you know. If you receive an e-mail with an attachment that you weren't expecting, think twice before opening it. If the attachment filename ends in ".com," ".cpl," ".exe" or ".scr," it is almost certainly a virus. Most anti-virus software can scan incoming mail for viruses. You could also save the file to your computer and then scan it with anti-virus software.
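For readers who run a mail server, the filename rule above can be checked automatically. The following Python sketch is an added example, not part of the original article: it parses a raw message and lists attachments whose final extension is one of the four named above. The function names, addresses and sample attachments are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article names as almost certainly a virus.
RISKY_EXTENSIONS = {".com", ".cpl", ".exe", ".scr"}


def is_risky_name(filename: str) -> bool:
    """True if the final extension is one the article warns about."""
    # Windows ignores trailing dots and spaces, so "a.scr. " still runs as .scr.
    cleaned = filename.strip().rstrip(". ").lower()
    if "." not in cleaned:
        return False
    # Only the last extension decides how Windows opens the file,
    # so "price_list.doc.scr" is a screensaver, not a document.
    return "." + cleaned.rsplit(".", 1)[1] in RISKY_EXTENSIONS


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of attachments in a raw message that match the rule."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()  # None for parts without a filename
        if name and is_risky_name(name):
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed sample message; addresses and attachments are made up."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"  # worms can fake this header
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: price list"
    msg.set_content("See attached.")
    for name in ("price_list.doc.scr", "Report.EXE", "notes.txt"):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(risky_attachments(build_sample()))
```

The check looks only at the filename, so it complements scanning the attachment with anti-virus software rather than replacing it.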
Infected computers tend to operate sluggishly or erratically, though they sometimes show no obvious symptoms. If you are concerned that your computer could have a virus and don't have up-to-date anti-virus software installed, there are several free options:
Panda Software offers a service that will scan your computer remotely and remove any viruses it finds (works only with Internet
Computer Associates offers a free one-year subscription to its anti-virus product
McAfee also offers a free tool called "Stinger" that can search for and eliminate numerous pests from your computer
-- By Brian Krebs
It is common for attackers to sell or rent access to PCs they have compromised, according to Johannes Ullrich, chief technology officer for the SANS Internet Storm Center. In certain little-known underground chat rooms, a hacked computer in the United States can be rented for pennies per week.
However, hijacked PCs in some foreign countries often fetch a higher value because they are considered harder for authorities to shutter, Ullrich added. "We've seen the asking price go as high as $25 for a single compromised home system."
Recycling the Victim
One reason Bagle and hundreds of other so-called "mass-mailer" worms are so prevalent is that virus authors typically reuse machines they have infected to help spawn future incarnations of their creations. Last year, hackers released new Bagle versions roughly once a week, each time using thousands of hijacked computers to "seed" the Internet with initial copies of the virus.
Harta's Lee and many others responsible for maintaining the Web sites listed in Bagle's code acknowledged having inadvertently infected one or more of their personal or work computers with earlier versions of Bagle in the weeks leading up to the attacks on their sites.
The attackers likely located the victims' Web sites by using one of Bagle's built-in capabilities: eavesdropping on an infected computer's Internet connection for usernames and passwords that victims use to read e-mail, log in to bank sites or administer Web sites.
Anthony Flanagan, a real estate development planner in San Francisco, owns a laptop that was infected with the Bagle worm in early September. Two weeks later his site buckled under the traffic of Bagle-infected PCs trying to download software that attackers had planted on his site and laptop.
Flanagan's Internet service provider quickly pulled the plug on his Web site because it was crashing other sites operating on the same server. Flanagan said his site normally receives four or five visitors in a busy week, but when his ISP cut him off, the site was choking on more than 120 hits per second.
"I didn't know I was infected, or that it was even possible for the virus to make its way over to my Web site," he said.