Anti-virus firms warn of latest Bagle.AG threat

Anti-virus companies have warned of another virulent version of the Bagle e-mail worm, called Bagle.AG.

Anti-virus companies have warned of another virulent version of the Bagle e-mail worm, called Bagle.AG.

The latest Bagle version was first detected on Saturday and is very similar to earlier versions of the worm, which spreads through shared file folders and in e-mail messages carrying the worm file as an attachment, according to advisories from Sophos and McAfee. McAfee rated the virus a "medium" threat, citing reports from several customers.

E-mail messages generated by the worm used forged (or "spoofed') sender addresses and vague subject lines such as "Re:", "fotogalary", "Lovely animals" and "Screen".

Worm-infected file attachments might be in Zip, EXE, SCR or other common formats and also have nonspecific names like "Moreinfo", "Details" or "Readme", anti-virus companies said.

Infected file attachments use one of a short list of names including "Foto3", "Secret", "Doll" and "Cat".

The worm can also send copies of itself as a password-protected compressed file with a Zip extension. The password needed to unzip the Zip file is displayed in a bitmap image file that is embedded in the e-mail message's body, Sophos said.

In recent months, virus writers have used Zip archives and password protected archives to hide their creations and fool anti-virus software trained to look for particular virus "signatures" such as a file size or name.

The compressed files are used to shrink one or more larger files, often for transmission on disc or over the internet. Recipients must decompress or "unzip" the attachments to view the worm file, which they must open to become infected.

Bagle.AG harvests e-mail addresses from files stored on the infected computer's hard drive and installs its own SMTP (Simple Mail Transfer Protocol) engine, which is used to send out large volumes of infected e-mail messages from machines infected by the worm.

Like earlier versions of Bagle, the AG variant also copies itself to Windows folders that could be used by file sharing programs, using a long list of names to disguise the worm file as popular downloads on P2P file sharing networks like Adobe Systems' Photoshop image editing program, the Matrix Revolutions film and pornography.

Anti-virus companies issued virus definitions to detect the Bagle version and recommended customers update their anti-virus software.

Paul Roberts writes for IDG News Service

Read more on IT risk management