Antivirus companies warn of new Bagle variants

New versions of the Bagle worm rolled onto the Internet Friday, prompting antivirus companies to warn customers about the threat and to push out software updates to spot the new worms.

Three new versions of Bagle have been seen by antivirus companies, each similar to earlier forms of the worm, which first stormed onto the Internet in January, spreading through infected e-mail file attachments. McAfee Inc. rated two of the new worms "medium" threats. Other antivirus vendors, including Symantec Corp. and Sophos PLC also reported intercepting many samples of the new worms and advised customers to update antivirus signatures as soon as possible.

McAfee's AVERT (Antivirus Emergency Response Team) spotted its first sample of Bagle.bb, one of the new variants, at 11:30 p.m. Thursday Pacific Coast Time. Since then, the company has received about 200 reports of the virus and intercepted two more variants, dubbed Bagle.bc and Bagle.bd, according to Vincent Gullotto, vice president of McAfee AVERT.

McAfee rates Bagle.bb and Bagle.bd "medium" threats, based on the number of submissions they received for each, Gullotto said.

The new variants are almost identical to each other, but use slightly different versions of a compression program, known as a packer, to shrink the size of the virus, creating a different profile or "signature" that can fool some antivirus programs, he said.

At Sophos, virus researchers have had "thousands" of reports of the Bagle.bb virus, which Sophos labeled Bagle.au, by customers since early Friday, according to Graham Cluley, senior technology consultant at Sophos.

Sophos has also captured copies of the two new Bagle variants, he said.

The first Bagle worm appeared on Jan. 19. Since then, more than 40 different versions of the worm have appeared, according to Cluley.

Like the first worm, all subsequent versions target systems running Windows, harvest e-mail addresses from infected machines and use their own SMTP (Simple Mail Transfer Protocol) to send virus-infected e-mail to addresses it captures. Bagle can also spread over P2P (peer-to-peer) networks, planting files disguised to look like pornography or software in shared folders used by the networks, he said.

The new Bagle variants arrive in e-mail messages with forged or "spoofed" source addresses and vague subjects such as "Re:Hello," "Re: Thank you!" and "Re: Hi," according to McAfee.

The new variants don't break any new ground in the world of virus design or "social engineering," the use of clever messages and e-mail subject lines to entice recipients to open the infected virus file, Cluley said.

Despite the large number of copies of the virus, Sophos reported few customer infections, he said.

The large initial showing from the new Bagle worms could be due to a big distribution of the virus, or "seeding," through networks of compromised machines, Gullotto said.

After the initial "blip," reports of the new Bagle worms should fade quickly as customers update antivirus signatures and clean up infected machines, he said.

In addition to updating antivirus software, users need to update their knowledge of proper e-mail hygiene, Cluley said.

"You can patch your antivirus software, but you can't patch peoples' brains. Users have to understand that you don't double click on a file attachment and start thinking before they launch a file on their computer," he said.