I’m getting quite a few warnings about a new worm called Bagle, so I thought I’d pass them along. MessageLabs, an email security company, says it’s currently spreading at an alarming rate. The first copy of the worm was intercepted from Germany, and at the moment the majority of copies are being captured as they are sent from Australia. It seems to have several bits to it:
The worm arrives as an attachment to an email with the subject line ‘Hi’ and has a random filename, with a .exe extension. W32/Bagle-mm searches the infected machine for email addresses and then uses its own SMTP engine to send itself to the addresses found. The worm makes a poor attempt to lure users into double-clicking on the attachment by using social engineering techniques.
Further analysis suggests that the worm includes a backdoor component that listens for connections from a malicious user and can send notification of an infected system.
It also appears that the worm may attempt to download a Trojan proxy component, known as Backdoor-CBJ. This Trojan is able to act as a proxy server and can download other code which could be used for key-logging and password stealing.
Here’s more on it from CNet.