Two new versions of the Bagle e-mail worm are spreading on the Internet and through peer-to-peer (P-to-P) file-sharing networks, according to warnings issued on Thursday by antivirus software companies.
The latest Bagle variants, Bagle.AX and Bagle.AY, are the 50th and 51st versions of the original Bagle worm, which appeared in January 2004. Like the first Bagle, sometimes spelled “Beagle,” versions AX and AY spread in executable files and infect machines running Microsoft Corp.’s Windows operating system, antivirus companies said.
Users launch the worm and infect their systems by opening an infected file in an e-mail message or a shared folder on a P-to-P network, according to an alert from Symantec Corp.
Once released, the worm modifies Windows so that the worm file is launched whenever Windows starts. It also harvests e-mail addresses from the infected computer’s hard drives, then mails copies of itself out to those addresses, faking the “from” address on e-mail messages it sends, according to an advisory from F-Secure Corp. of Helsinki.
Copies of Bagle.AX and Bagle.AY arrive in messages with subjects such as “Delivery service mail,” “Registration is accepted” and “You are made active,” F-Secure said.
The virus file is disguised in files with exe, scr, com and cpl extensions and names such as “Jol03,” “upd02,” “zupd02” and the like.
On computers that are running P-to-P file-sharing software, the virus copies itself into folders that begin with the letters “shar,” which could be file-sharing folders used to swap files on the networks. The worm file is disguised as popular software or pornography, with names like “Adobe Photoshop 9 full.exe” and “XXX hardcore images.exe.”
Antivirus companies issued updated virus definitions that enable their products to detect the new versions of Bagle and advised customers to update their software as soon as possible.
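
The message traits attributed to F-Secure above (subject lines, attachment extensions and file names) can be turned into a simple mail-triage check. This is an added example, not code from the article or from any antivirus vendor; the function names, addresses and sample messages are constructed for illustration. Because the article says the file names vary ("and the like"), an empty result does not clear a message.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Indicators quoted in the article's description of Bagle.AX and Bagle.AY.
SUBJECTS = {"delivery service mail", "registration is accepted", "you are made active"}
EXTENSIONS = {".exe", ".scr", ".com", ".cpl"}
NAME_STEMS = {"jol03", "upd02", "zupd02"}


def triage(raw_message: str) -> list[str]:
    """Return the reasons a message matches the reported traits (empty if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:
            continue
        # Compare case-insensitively; Windows file names are not case-sensitive.
        path = PureWindowsPath(filename.strip().lower())
        if path.suffix in EXTENSIONS:
            reasons.append(f"extension:{path.suffix}")
        if path.stem in NAME_STEMS:
            reasons.append(f"name:{path.stem}")
    return reasons


def build_sample(subject: str, filename: str) -> str:
    """Constructed test message; the attachment bytes are harmless filler."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # the worm fakes this header, so it is not checked
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for subj, name in [("Registration is accepted", "upd02.scr"),
                       ("Lunch on Friday", "menu.pdf")]:
        print(subj, "->", triage(build_sample(subj, name)))
```
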