Network administrators returning to work after the weekend can enjoy a fresh Bagle with their coffee — and no, it’s not that kind of bagel. On Monday, antivirus companies warned of another virulent new version of the Bagle e-mail worm, dubbed Bagle.AG.
The new Bagle version was first detected Saturday and is very similar to earlier versions of the worm, which spread through shared file folders and in e-mail messages carrying the worm file as an attachment, according to advisories from Sophos PLC and McAfee Inc. McAfee rated the virus a “medium” threat, citing reports from several customers.
E-mail messages generated by the worm used forged (or “spoofed’) sender addresses and vague subject lines such as “Re:,” “fotogalary,” “Lovely animals” and “Screen.” Worm-infected file attachments might be in ZIP, EXE, SCR or other common formats and also have nonspecific names like “Moreinfo,” “Details” or “Readme,” antivirus companies said.
Infected file attachments use one of a short list of names including “Foto3,” “Secret,” “Doll” and “Cat.”
The worm can also send copies of itself as a password-protected compressed file with a ZIP extension. The password needed to unzip the ZIP file is displayed in a bitmap image file that is embedded in the e-mail message’s body, Sophos said.
In recent months, virus writers have used ZIP archives and password protected archives to hide their creations and fool antivirus software trained to look for particular virus “signatures” like a file size or name. The compressed files are used to shrink one or more larger files, often for transmission on disk or over the Internet. Recipients must decompress or “unzip” the attachments to view the worm file, which they must open to become infected.
When run, Bagle.AG harvests e-mail addresses from files stored on the infected computer’s hard drive and installs its own Simple Mail Transfer Protocol engine, which is used to send out large volumes of infected e-mail messages from machines infected by the worm.
Like earlier versions of Bagle, the AG variant also copies itself to Windows folders that could be used by file sharing programs, using a long list of names to disguise the worm file as popular downloads on peer to peer file sharing networks like Adobe Systems Inc.’s Photoshop image editing program, the Matrix Revolutions film and pornography.
Antivirus companies issued virus definitions to detect the new Bagle version and recommended customers update their antivirus software.
