New Bagle variants storm the internet

Latest versions of the Bagle worm have appeared in the internet, prompting anti-virus companies to warn customers about the...

Latest versions of the Bagle worm have appeared in the internet, prompting anti-virus companies to warn customers about the threat and to push out software updates to spot the new worms.

Three versions of Bagle have been seen by anti-virus companies, each similar to earlier forms of the worm, which first stormed onto the internet in January, spreading through infected e-mail file attachments.

McAfee rated two of the new worms "medium" threats. Other anti-virus suppliers, including Symantec and Sophos also reported intercepting many samples of the new worms and advised customers to update anti-virus signatures as soon as possible.

McAfee's Avert (Antivirus Emergency Response Team) spotted its first sample of, one of the new variants last Thursday (28 October). Since then, the company has received about 200 reports of the virus and intercepted two more variants, dubbed Bagle.bc and, according to Vincent Gullotto, vice-president of McAfee Avert.

McAfee rates and "medium" threats, based on the number of submissions they received for each, Gullotto said.

The new variants are almost identical to each other, but use slightly different versions of a compression program, known as a packer, to shrink the size of the virus, creating a different profile or "signature" that can fool some anti-virus programs, he said.

At Sophos, virus researchers have had "thousands" of reports of the virus, which Sophos labeled, by customers since early Friday, according to Graham Cluley, senior technology consultant at Sophos.

Sophos has also captured copies of the two new Bagle variants, he said.

The first Bagle worm appeared on 19 January. Since then, more than 40 different versions of the worm have appeared, according to Cluley.

Like the first worm, all subsequent versions target systems running Windows, harvest e-mail addresses from infected machines and use their own SMTP (Simple Mail Transfer Protocol) to send virus-infected e-mail to addresses it captures.

Bagle can also spread over P2P networks, planting files disguised to look like pornography or software in shared folders used by the networks, he said.

The new Bagle variants arrive in e-mail messages with forged or "spoofed" source addresses and vague subjects such as "Re:Hello", "Re: Thank you!" and "Re: Hi", according to McAfee.

The new variants do not break any new ground in the world of virus design or "social engineering", the use of clever messages and e-mail subject lines to entice recipients to open the infected virus file, Cluley said.

Despite the large number of copies of the virus, Sophos reported few customer infections, he said.

The large initial showing from the new Bagle worms could be due to a big distribution of the virus, or "seeding", through networks of compromised machines, Gullotto said.

After the initial "blip", reports of the new Bagle worms should fade quickly as customers update anti-virus signatures and clean up infected machines, he said. 

In addition to updating anti-virus software, users need to update their knowledge of proper e-mail hygiene, Cluley said. 

"Users have to understand that you don't double click on a file attachment and start thinking before they launch a file on their computer," he said.

Paul Roberts writes for IDG News Service

Read more on Antivirus, firewall and IDS products