FOR IMMEDIATE RELEASE
AUCKLAND NZ - October 29, 2004
Massive outbreak of aggressive new Bagle worm variant.
Today, a massive epidemic of an aggressive new Bagle worm hit the Internet, spreading fast and infecting thousands of machines.
At 07:51 this morning (Central European Time) a new virus was detected on NOD32’s Virus Radar project (www.virus-radar.com).
Initially, around 50 samples were detected in the first hour, but it quickly became obvious that the spread was going to be massive: in the second hour, over 3400 were detected. Further analysis showed that the virus was a new and highly aggressive version of the Bagle worm, which NOD32 named Win32/Bagle.AS.
Subsequently, two further variants, Bagle.AT and Bagle.AU, were discovered, both detected with NOD32’s Advanced Heuristics. Of these, .AU is now also spreading.
Less than 2 hours after heuristic detection, at 09:40 (CET), an update was released to provide exact named identification and removal for each variant, and a description of the major variant Bagle.AS was posted to the NOD32 website.
“The massive proliferation of the new worm is probably due to it having its own mass-mailing routine. When the worm is active on an infected computer it will attempt to stop some antivirus and firewall applications running on the machine, so this will increase its chances of survival, as some products will not update and detect it,” said Andrew Lee, Senior Vice President of Global Support at NOD32.
Win32/Bagle causes a serious security breach by opening port 81 and a random UDP port on the computer and listening for instructions to be sent to it. The worm will be deactivated automatically on an infected computer after causing damage for 20 days. Based on the code analysis, the life cycle of the worm will end on April 25, 2006.
A free cleaning tool for the worm is available.
Tracking the threat on the virus radar shows the rapid growth of this worm in the hours after initial heuristic detection, as can be seen in this hourly breakdown.
29.10.2004 8:00 3409
29.10.2004 9:00 11235
29.10.2004 10:00 30424
29.10.2004 11:00 74236
Currently, the virus radar shows that around 1 in 20 messages contains the Win32/Bagle.AS worm.
Rather fittingly, this morning NOD32 received the news that they had been awarded their 29th VB100% award, a record-breaking unbroken run, unmatched by any other anti-virus product, for detecting all viruses in the wild.
The exceptional advanced heuristic capabilities of NOD32, which, at last measure, could detect over 88% of all viruses in the wild without the need for an update, are a major part of that success.