Bagle virus takes aim at Microsoft

While only 120 computers in Australia were hit on the weekend by the latest variant of the Bagle virus (W32/Bagle-AU-Sophos), antivirus providers are warning that it is particularly nasty.

It has been designed specifically to override security controls in Windows XP SP2, disabling the client firewall and connection-sharing to make it the first variant targeting the SP2 patch for networked computers.

The virus also spreads through file-sharing networks, and opens a backdoor on TCP port 81 allowing for remote access.

It was first seen on October 29 and peaked in Australia on Saturday night (October 30).

MessageLabs reported finding 900,000 infections globally on Saturday night; however, the Trend Micro World Virus tracking centre noted that fewer than 120 computers had been infected in Australia and New Zealand by Monday morning, but that figure is expected to rise throughout the day.

Most of the infections have been found in North America, Italy, Japan and Europe.

Adam Biviano, Trend Micro senior systems engineer, said the virus is the next installment in the Netsky/Bagle virus war tweaked to play around with settings on Windows XP SP2.

"Bagle AU disables the Netsky virus and stops it running by taking away the register entries from the start-up, but it is easy to identify, it does look like earlier variants we have seen, almost a carbon copy despite the fact it turns off the firewall settings in SP2," Biviano said.

"Global traffic did spike on Saturday night but has tapered off today - we have not yet taken into account the machines that have not been used over the weekend.

"SP2 was designed around securing the Microsoft operating system but to stop Bagle you need to filter at the gateway or mail server."

Biviano said there is no evidence of the virus leaving source code in infected hard drives, nor was it designed as a mass mailing worm for release on Halloween.

Trend Micro currently issues a yellow or medium alert for rates of infection.

Paul Ducklin, head of technology at Sophos, said the fact the virus has had very little impact in Australia is not due to the virus being a variant but that people are more aware and educated when it comes to responding to suspect e-mails and using the necessary antivirus software.

"There have been relatively low activities in Australia since the virus was released and we have not found any infections in Australia, which means that people are less likely to fall victim to an outbreak than they were six months ago," Ducklin said.

"People have tended to be more serious, not just with software but working smarter and the fact users want to have protection up-to-date shows that Australian business have adapted and are now getting restrictive about e-mail, users are more informed and therefore viruses not hitting as hard."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about GatewayMessageLabsMicrosoftSophosTrend Micro Australia

Show Comments
[]