Internet Worm Lurks In E-Mail In-Boxes

By Brian Krebs
Special to The Washington Post
Tuesday, January 20, 2004

A new Internet worm that spread by e-mail through Asia, Australia and Europe began appearing in U.S. in-boxes yesterday, and experts warned it could spread as people go back to work after the Martin Luther King Jr. holiday.

The "Bagle" or "Beagle" worm arrives as an attachment to an e-mail with the subject line "Hi" and "test : )" in the body text. The worm is activated when a user clicks on the attached file.

Once the attachment is opened, the worm tries to send copies of itself to all of the e-mail addresses that it finds on the victim's computer, faking the return address with one randomly generated from those on the infected PC. It also installs a program that lets attackers connect to infected machines, install malicious software or steal files.

The worm could be the precursor to more evolved versions that could wreak havoc with small businesses and home Internet users, computer security experts said.

Carey Nachenberg, chief architect of Symantec Research Labs in Cupertino, Calif., said he expects the worm to continue its rapid spread as more Americans begin sorting through the e-mail that piled up in their in-boxes over the three-day weekend.

"This is coming on hard and fast, and that's usually a bad sign going into a shortened work week," Nachenberg said.

Bagle has spread to computers in more than 100 countries, according to MessageLabs, an e-mail security company in New York City.

FBI officials did not return telephone calls seeking comment on whether law enforcement authorities are investigating the worm's origins.

Bagle also tries to download an unknown program from one of more than 30 Web sites located mostly in Germany and Russia. None of those Web sites was reachable as of Monday afternoon.

A German Internet service provider that hosted one of the Web sites recorded nearly 1 million Internet addresses trying to connect to the site within a 24-hour period, indicating that as many as a million computers have been infected so far, said Tony Magallanez, a systems engineer for F-Secure Inc. in San Jose, Calif.

Magallanez said Bagle might be laying the groundwork for an updated version of the worm.

This is what happened with "Sobig," a worm that infected millions of PCs last year. The first version of Sobig appeared in January 2003, with new variants following soon after each previous version shut itself down. Sobig used entry points installed from previous versions of itself to seed hundreds of thousands of computers with software that turned them into remotely controlled spamming machines. Security experts said that Bagle is not spreading as fast as the Sobig virus, though it has generated a high volume of e-mail.

Like the earlier worms, Bagle does not affect Macs or computers running the Linux and Unix operating systems.

The computer security community recommends that home computer owners never click on attachments unless they are expecting them from a trusted source. They also recommend that PC owners install and run up-to-date anti-virus programs to scan for computer infections.

Brian Krebs is a reporter for

© 2004 The Washington Post Company