21 January 2004

M&G Online hit by e-mail worm

The Mail & Guardian Online was on Tuesday hit by a new e-mail worm that is quickly spreading around the world.

The worm, called Bagle or Beagle, was sent via the M&G Online’s newsletter list and may have been passed on to some readers. A worm is a program that makes copies of itself — for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism.

The virus spread rapidly over the weekend, with several security firms issuing bulletins on it on Monday.

Most corporate firewalls and virus protectors would have blocked this worm, so many M&G Online readers would not have seen or been aware of the worm.

“If you received an e-mail from the DMG servers with the subject ‘Hi’ and message ‘test : )’ with a randomly named attachment (executable ‘.exe’), this may be the virus. Do not click on the attachment. If a user clicks on the attachment, the worm sends itself to the recipient’s e-mail address book. The worm also randomly selects a name from the address book to use as a return address in the messages it sends,” said M&G Online editor Matthew Buckland.

He added: “Our technical team has been working round the clock to solve the issue and plug the security gap, which has now been resolved.”

Although the virus does not appear to damage computers, experts are concerned that it installs a program on the computers of users who open the attachment.

This could enable the virus authors to send out barrages of e-mail advertising that could generate money. Experts say this is a relatively new development in viruses, which had been linked in the past to hackers trying to show technical prowess or expose security flaws.

“It seems perfectly possible that Bagle is yet another worm written by spammers,” says Mikko Hypponen of the Finnish-based security firm F-Secure.

“This way, they could first infect a large amount of computers. When they have enough, they could automatically install invisible e-mail proxy servers on each machine and start spamming through them.”

Network Associates, another security firm, called the virus a “medium risk”.

“The Bagle worm is an internet mass mailer that harvests addresses … and sends itself” to other recipients via e-mail, Network Associates said.

“The next recipient is thus unable to see the true sender.”

The e-mail arrives, often from a phony address, with the subject “Hi” and a text of random characters and the message, “Test, yep.”

It also has an attachment that, if clicked on, installs a program on the user’s computer.

The Virus Bulletin website said the worm does not appear dangerous now but should be monitored.

“At first glance, [Bagle] is not a particularly interesting virus from a technical point of view,” the website said.

“It is, however, tipped to be big, with vendors pointing out that it is already spreading fast and, like last year’s Sobig, has a built-in expiry date — possibly suggesting that improved versions will be released over the course of time.”

Helpful hints