A worm's evolution

Tomer Honen eSafe CSRT, Aladdin Knowledge Systems Ltd.

Malicious codes come and go; some even spawn a few variants. The Bagle family of worms is perhaps the first group of viruses to show a steady curve of improvement from one cluster of variants to the next. The original and its initial 'reincarnations' demonstrated little original thought. The first version of the worm to show some innovation was Bagle.F, which was sent in the usual formats, but also as a password-protected archive (with the password included in the message body). Later versions used a dynamic message layout; then the worm became a polymorphic file-infector - a huge technological leap; then the password was gone from the body - replaced by an image of a password (to elude AV solutions which looked for the password in the message). Finally, the attachment was altogether gone - replaced by a script that automatically downloads and executes the worm.

While the first version of the worm could have been created by any novice coder, later versions showed superior coding abilities and some original thinking. It is both interesting and disturbing to study this unique development of a single worm and its variants. As this worm's code continues to be upgraded, it is anyone's guess what other features later versions of this worm will possess.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.