Apr 27, 2004 (12:04 PM EDT)
The Poetic Side Of Worms

Read the Original Article at InformationWeek

The author of the Bagle worm apparently has a softer side, security experts said Tuesday, as their analysis uncovered a poem embedded in the most recent variant.

Bagle.z, dubbed Bagle.w by some, spread quickly enough Monday to cause most anti-virus firms to bump up their threat levels to "medium" or the equivalent, but it didn't seem to be spreading as fast Tuesday, said Craig Schmulgar of Network Associates' Avert team. "Unlike the Netskys, Bagles have tended to die out pretty quickly," Schmulgar said. "We're already seeing a decrease in numbers from yesterday."

Bagle's author--Schmulgar's convinced that only one person is putting out this line of worms--took the time to tuck a poem into the attached payload. "There is some text in the payload," confirmed Schmulgar, "but this time it's a little more obscure."

Here's the poetry that Bagle.z contains:

"Unique people make unique things
That things stay beyond the normal life and common understanding
The problem is that people don't understand such wild things,
Like a man did never understand the wild life"

It's another round in the back-and-forth between Netsky's creators and the Bagle author. In the past, the worms' writers have traded barbs and trash talk, while Netsky's makers have sworn to keep up their work as long as new Bagles continue to appear.

According to analysis by F-Secure, Bagle.z takes a different tack to blast Netsky; it includes code that disables a range of Netsky's startup keys in the Windows registry, essentially killing it on the compromised system.

Bagle.z spreads via E-mail and by infecting network shared folders with the substring "shar" in their names. Its payload can be disguised with the file extensions .com, .exe, .scr, and .cpl, as well as within .zip archives.

"It does have a slight twist on earlier Bagles," said Schmulgar, "since it can also use a script within a .vbs file to drop in the executable."
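The spread mechanism described above, turned into a defender-side mail-gateway policy check, is shown as an added example that is not part of the article or of any vendor's product. The extension list (.com, .exe, .scr, .cpl, plus the .vbs dropper) is taken from the article; the function names and the in-memory zip fixture are assumptions for illustration.

```python
import io
import zipfile

# Attachment extensions the article attributes to Bagle.z, plus the .vbs
# dropper it mentions. Assumed policy list, not a vendor signature.
RISKY_EXTENSIONS = {".com", ".exe", ".scr", ".cpl", ".vbs"}


def _ext(name: str) -> str:
    """Lower-cased final extension of a filename ('' if it has none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def risky_names_in_zip(data: bytes) -> list:
    """Member names inside a zip whose extension is in RISKY_EXTENSIONS.
    Raises zipfile.BadZipFile if the bytes are not a zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if _ext(n) in RISKY_EXTENSIONS]


def screen_attachment(filename: str, data: bytes) -> list:
    """Reasons to quarantine an attachment; [] means no policy match.
    Only the filename and, for .zip, the member names are inspected:
    this is a policy gate in front of the scanner, not a replacement."""
    reasons = []
    ext = _ext(filename)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"direct executable-type attachment: {filename}")
    elif ext == ".zip":
        try:
            for member in risky_names_in_zip(data):
                reasons.append(f"executable-type member in archive: {member}")
        except zipfile.BadZipFile:
            reasons.append(f"attachment named .zip is not a valid archive: {filename}")
    return reasons


def build_sample_zip(members: dict) -> bytes:
    """Construct an in-memory zip as a test fixture (no real worm content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

The extension match is case-insensitive and looks only at the final extension, so a member named `photo.jpg.exe` is still flagged.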

Bagle.z can be spotted by the three-cherry icon--similar to what's on slot machines--that marks the attached file. It also attempts to disable a number of anti-virus, firewall, and security products it finds running on the target system, including those from Zone Alarm, Symantec, and Network Associates.