The Bagle worm, originally touted as a medium to high level threat, has been largely contained and has caused minimal damage, leaving question marks over the way in which antivirus companies classify new security threats.
The mass-mailing W32/BAGLE-A worm, also known as Bagle or Beagle, appeared on January 19 and spread by harvesting email addresses from computer hard drives, then mailing copies of itself out to those addresses, faking the "from" address on email messages it sends.
The worm arrives in an email file attachment with a randomly generated name and an EXE extension. The worm also carries a Trojan component that opens communications port 6777, which allows remote attackers to access and control the exposed system.
Assessments of Bagle's threat varied widely on January 19. Symantec rated Bagle a Level 3 threat, meaning that the company considered Bagle "reasonably harmless and containable". F-Secure said Bagle was a "Level 1" threat on its virus radar, the highest level alert indicating a worldwide epidemic of a serious new virus such as Nimda.
“Its capacity of replication is high but the damage it causes is fairly low,” managing director of Symantec Australia/NZ, John Donovan, said. “It’s not difficult to detect, it’s not difficult to block, it requires user intervention to replicate, and as an EXE file it’s conspicuous. It’s a nuisance worm not a malicious worm so we [Symantec] didn’t see it as a high level threat.”
Donovan said that he had not been notified of any customers reporting damage caused by the Bagle worm; however, Symantec had tracked an increase in activity on port 6777.
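The increase in port 6777 activity that Symantec tracked is the kind of signal a defender can look for in perimeter logs. The script below is an added example, not code from the article or from any vendor named in it: it parses constructed iptables-style firewall log lines (the log format, the addresses and the field names are assumptions for illustration) and reports external sources sweeping several internal hosts on the backdoor port, as well as internal hosts that answer from that port, which indicates something is listening there.

```python
import re
from collections import defaultdict

# Port opened by the Bagle Trojan component, as reported in the article.
BAGLE_BACKDOOR_PORT = 6777

# Constructed sample firewall log lines (iptables-style fields). These are
# not real logs; addresses are from documentation ranges.
SAMPLE_LOG = """\
Jan 19 08:01:11 gw kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.20 PROTO=TCP SPT=40112 DPT=6777 SYN
Jan 19 08:01:12 gw kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.21 PROTO=TCP SPT=40113 DPT=6777 SYN
Jan 19 08:02:30 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=80 SYN
Jan 19 08:03:05 gw kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.22 PROTO=TCP SPT=40114 DPT=6777 SYN
Jan 19 08:04:44 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=6777 SYN
Jan 19 08:05:00 gw kernel: IN=eth0 SRC=192.0.2.20 DST=203.0.113.10 PROTO=TCP SPT=6777 DPT=40112 ACK
"""

# Field layout assumed for the constructed log lines above.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return the connection fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def inbound_probes(log_text, port=BAGLE_BACKDOOR_PORT):
    """Map each source address to the set of destinations it tried to open on `port`."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port and rec["flags"] == "SYN":
            probes[rec["src"]].add(rec["dst"])
    return probes


def sweeping_sources(probes, min_hosts=3):
    """Sources that probed at least `min_hosts` distinct hosts on the backdoor port."""
    return sorted(src for src, dsts in probes.items() if len(dsts) >= min_hosts)


def listening_hosts(log_text, port=BAGLE_BACKDOOR_PORT):
    """Hosts seen answering *from* the backdoor port: something is listening there."""
    hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["spt"] == port and rec["flags"] != "SYN":
            hosts.add(rec["src"])
    return sorted(hosts)


if __name__ == "__main__":
    probes = inbound_probes(SAMPLE_LOG)
    print("probes per source:", {s: sorted(d) for s, d in probes.items()})
    print("sources sweeping the backdoor port:", sweeping_sources(probes))
    print("hosts answering from port 6777:", listening_hosts(SAMPLE_LOG))
```

A host that answers from port 6777 is the more important finding: a scanner on the outside can be blocked at the perimeter, but an internal host that replies needs to be isolated and examined. Both checks are only a rough triage; the port can be used by legitimate software, so confirm with host inspection before acting.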
He said several antivirus vendors over-reacted to the Bagle worm.
Over-reaction by vendors does a disservice to the community and harms the industry as a whole, Donovan said.
“The security industry has a responsibility to ensure the information it provides on these types of threats is balanced and that common practices are in place,” he said.
IDC security software analyst, Natasha David, said that one of the problems that emerges when antivirus vendors notify the public of the latest security threats is the disparity in the way they define different threat levels.
“If it’s something that causes damage and propagates quickly it’s generally classified as a high-level threat,” she said. “If it just propagates quickly but is really just a nuisance rather than a malicious threat, it’s generally classified as a low-level threat.
“What seemed like a beat up by antivirus vendors after the worm emerged was simply vendors following security best practices.
“Because the vendors could not find an immediate fix, the next step is to inform the general public to try and minimise the spread of the virus.”
The mass-mailing Bagle worm marks a new trend in the transmission of viruses, David said.
“We’re seeing a lot of crossover between spam and viral activity,” she said.
One of the reasons the Bagle worm spread so rapidly was that it was delivered using a kind of spam mechanism rather than relying solely on people to open it.
“The spamming techniques allow virus makers to get to a lot of people immediately before the antivirus writers have time to come up with a fix. I think we’re going to see a lot more of this happening.”