New mass-mailing worm on the creep

Some administrators returning to work today after a three-day weekend are finding an unwelcome bagel waiting for them. A new mass-mailing worm, known as W32/Bagel-A or just Bagel.A, began spreading rapidly over the weekend in Europe.

Security experts predicted that the rate of infection could increase Tuesday as the workweek resumed in America after the Martin Luther King holiday.

According to iDefense Inc. of Reston, Va., Bagel.A began spreading late Sunday and by early Monday morning more than 50,000 interceptions had been made.

The worm contains the subject "Hi" and the message text reads "Test)".

"There's nothing particularly enticing about the message sent out by Bagel, yet it spreads with very good success in the wild," said Ken Dunham, director of malicious code at iDefense. "It appears that being brief and saying little, even if the content is vague and scarce, is a highly effective method for spreading malicious code."

Bagel also contains a spoofed "from" address and a 15.87K executable attachment with a random file name. When executed, the attachment attempts to create the file BBEAGLE.EXE in the Microsoft Windows System directory, disguising itself with the Microsoft calculator icon. It mass-mails itself to addresses harvested from the compromised computer and attempts to communicate via Port 6667 with a list of URLs.

William Jackson writes for Government Computer News magazine.