New Worm Variant Spreads, Clogging E-Mail

Tuesday, November 2nd 2004, 1:03 pm

By: News On 6

NEW YORK (AP) _ At least one new variant of a worm spread rapidly from Asia and Europe to U.S. computers Friday morning, filling up people's e-mail accounts, but otherwise causing little apparent damage.

Alex Shipp, senior antivirus technologist at the e-mail filtering company MessageLabs Inc., said the variant of the so-called Bagle worm was ``comparable in size to MyDoom,'' the virus that slowed Google and other Internet search sites in January. MessageLabs recently had received about 900,000 e-mails containing the virus. Ship estimates that MessageLabs receives about 1 percent of the e-mails containing a given virus or worm.

``We were seeing 165,000 an hour, but it's leveled off at 100,000 an hour, if you can call that leveling off,'' Shipp said.

Because multiple e-mails containing a worm or virus are often sent to one computer, it's difficult to estimate the number of affected users, said Shipp.

One software security company, McAfee Inc., said another variant of the Bagle worm was also quickly spreading Friday, but similarly did not seem to be destroying files or damaging software.

Both versions can be transferred through shared network files as well as through e-mail.

They attach themselves to files and then send themselves to e-mail addresses that they find on infected machines. Viruses or worms often use e-mail addresses from computers they infect to fool the recipients into opening an attachment.

If a recipient opens the attachment, the worm creates a so-called back-door, ``a small program that sits on your machine quietly listening for someone to contact it,'' said Kevin Hogan, senior manager of security response at Symantec Corp. A computer user who contacts the backdoor can transfer files between his machine and the infected one, Hogan said. The worm variants can also disable security software, experts said.

``It's pretty much a vanilla mass-mailing worm,'' said Hogan. ``It does a lot of the things that we've seen these sorts of worms do in the past.''

McAfee first received reports of the worm variants from Europe. Symantec said the first complaints it fielded were from Japan. Antivirus providers received a rash of reports of a worm in the United States at the start of the workday Friday.

Symantec, McAFee and Computer Associates International Inc.'s eTrust division had received no reports Friday of disabled files or other damage.

Much of the standard security software can readily detect and protect against these latest variants of the Bagle worm, which spreads through shared network files as well as e-mail messages, experts said.

``Most of the major antivirus vendors already have detection and so does Computer Associates,'' said Stefana Ribaudo, product manager for consumer products at Computer Associates' security division. ``Users are receiving the latest signature files from their vendors, which will keep them protected.''

McAfee said computer users who don't subscribe to antivirus software can go to its Web site download a free remedy, called ``Stinger,'' that will detect and remove the worm.