The new Bagle worm appears to have spread in South Africa last week, affecting mostly small businesses and home users. ITWeb readers reported multiple infections in small offices, home PCs and at least one academic institution yesterday. However, the infection rate is still far lower in South Africa than it is overseas.

The worm arrives in an e-mail from random senders and carries the subject line “Hi” and the signature “Test, yep”. The name of the attachment is also varied. IT administrators describe the worm as “clever” in that it pretends to be a “techie” test e-mail and often comes from an address the user knows, fooling them into running the attachment.

The worm is capable of harvesting millions of e-mail addresses and turning infected PCs into “spam machines”. It has spread throughout Europe and Asia, reaching the US and SA on Monday and Tuesday last week.

“When the worm is started, it connects to a list of predefined Web servers and tries to access a PHP file with certain parameters,” says Ryan Price, CEO of Y3K. “One of the parameters is the TCP port where the backdoor is listening, which suggests that this functionality is used to collect the addresses of infected computers.

“Each infected machine goes through the list of 35 servers (this might take a while if there are timeouts). Then it sleeps for 10 minutes and restarts.

“We’ve been parsing the httpd access-logs we got from one of the affected Web sites. So far there have been 5.2 million hits to the Web site, which is just one of the 35 Web sites which are attacked simultaneously. According to their traffic, most of the machines that connected to them were in Canada - around 12 200 with an estimated 793 065 hits. In the US, we saw 9992 machines, estimated at 590 590 hits, and SA was way down the list, with 135, so far estimated at 8775 hits.”
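
The kind of access-log analysis described above can be sketched as follows. This is an added example, not Y3K's code: it counts distinct clients and hits for a check-in script and measures the gap between repeat visits, which should sit near the 10-minute sleep. The script path, the parameter name and the log lines are constructed placeholders, not values from the worm.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Placeholders, not taken from the article: script path and parameter name.
BEACON_PATH = "/example.php"
PORT_PARAM = "port"

# Common Log Format: host ident user [time] "METHOD target proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" \d{3} \S+')

# Constructed sample lines (documentation address ranges, made-up ports).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "GET /example.php?port=40001&id=7 HTTP/1.0" 404 210
198.51.100.7 - - [01/Jan/2000:10:03:12 +0000] "GET /example.php?port=40002&id=9 HTTP/1.0" 404 210
203.0.113.5 - - [01/Jan/2000:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2000:10:10:03 +0000] "GET /example.php?port=40001&id=7 HTTP/1.0" 404 210
203.0.113.9 - - [01/Jan/2000:10:11:00 +0000] "GET /example.php?port=abc HTTP/1.0" 404 210
192.0.2.10 - - [01/Jan/2000:10:20:05 +0000] "GET /example.php?port=40001&id=7 HTTP/1.0" 404 210
truncated line without a request field
"""


def summarize_beacons(log_text):
    """Map each client to its beacon hits, reported ports and gaps (seconds)."""
    seen = defaultdict(lambda: {"ports": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated entry
        host, stamp, target = m.groups()
        url = urlsplit(target)
        port = parse_qs(url.query).get(PORT_PARAM, [""])[0]
        # Count only requests to the script that carry a plausible TCP port.
        if url.path != BEACON_PATH or not re.fullmatch(r"[0-9]{1,5}", port):
            continue
        if not 0 < int(port) < 65536:
            continue
        seen[host]["ports"].add(int(port))
        seen[host]["times"].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    report = {}
    for host, rec in seen.items():
        times = sorted(rec["times"])
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[host] = {"hits": len(times), "ports": rec["ports"], "gaps": gaps}
    return report


if __name__ == "__main__":
    for host, info in sorted(summarize_beacons(SAMPLE_LOG).items()):
        print(host, info["hits"], sorted(info["ports"]), info["gaps"])
```

Source addresses undercount or overcount machines behind NAT or on dynamic addresses, which is one reason per-country figures from such logs are estimates.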