04:22 PM

The Poetic Side Of Worms

Security experts say the newest variant of the Bagle worm includes an embedded poem--the latest jibe in the back-and-forth between Bagle and Netsky.

The author of the Bagle worm apparently has a softer side, security experts said Tuesday, as their analysis uncovered a poem embedded in the most recent variant.

Bagle.z, dubbed Bagle.w by some, spread quickly enough Monday to cause most anti-virus firms to bump up their threat levels to "medium" or the equivalent, but it didn't seem to be spreading as fast Tuesday, said Craig Schmulgar of Network Associates' Avert team. "Unlike the Netskys, Bagles have tended to die out pretty quickly," Schmulgar said. "We're already seeing a decrease in numbers from yesterday."

Bagle's author--Schmulgar's convinced that only one person is putting out this line of worms--took the time to tuck a poem into the attached payload. "There is some text in the payload," confirmed Schmulgar, "but this time it's a little more obscure."

Here's the poetry that Bagle.z contains:

"Unique people make unique things
That things stay beyond the normal life and common understanding
The problem is that people don't understand such wild things,
Like a man did never understand the wild life"

It's another round in the back-and-forth between Netsky's creators and the Bagle author. In the past, the worms' writers have traded barbs and trash talk, while Netsky's makers have sworn to keep up their work as long as new Bagles continue to appear.

According to analysis by F-Secure, Bagle.z takes a different tack to blast Netsky; it includes code that disables a range of Netsky's startup keys in the Windows registry, essentially killing it on the compromised system.

Bagle.z spreads via E-mail and by infecting network shared folders with the substring "shar" in their names. Its payload can be disguised with the file extensions .com, .exe, .scr, and .cpl, as well as within .zip archives.

"It does have a slight twist on earlier Bagles," said Schmulgar, "since it can also use a script within a .vbs file to drop in the executable."

Bagle.z can be spotted by the three-cherry icon--similar to what's on slot machines--that marks the attached file. It also attempts to disable a number of anti-virus, firewall, and security programs it finds running on the target system, including products from Zone Alarm, Symantec, and Network Associates.
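
The attachment types named above (.com, .exe, .scr, .cpl, the .vbs dropper, and .zip archives holding any of them) map directly onto a mail-gateway attachment check. The Python below is an added example, not code from the article or from any vendor quoted in it; the function names and sample files are constructed for illustration.

```python
import io
import zipfile

# Extensions the article lists for Bagle.z payloads, plus the .vbs dropper.
RISKY_EXTENSIONS = {".com", ".exe", ".scr", ".cpl", ".vbs"}


def is_risky_name(name: str) -> bool:
    # Judge only the final extension, case-insensitively. Trailing dots and
    # spaces are dropped first because Windows ignores them ("a.jpg.scr. ").
    base = name.replace("\\", "/").rstrip(". ").rsplit("/", 1)[-1]
    _, dot, ext = base.rpartition(".")
    return bool(dot) and "." + ext.lower() in RISKY_EXTENSIONS


def flag_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons to quarantine an attachment; an empty list means pass."""
    reasons = []
    if is_risky_name(filename):
        reasons.append(f"risky extension: {filename}")
    # Detect archives by content rather than by name, so a zip that has been
    # renamed to something innocuous is still opened and inspected.
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if is_risky_name(member):
                        reasons.append(f"risky member in archive: {member}")
        except zipfile.BadZipFile:
            reasons.append("unreadable zip archive")
    return reasons


def make_sample_zip(member: str) -> bytes:
    # Constructed sample: an archive with one member of harmless bytes.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [
        ("notes.txt", b"hello"),
        ("Price.SCR", b"placeholder"),
        ("photo.jpg", make_sample_zip("docs/info.cpl")),
    ]:
        print(name, "->", flag_attachment(name, data) or "pass")
```
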
