Bagle source code is revealed

Antivirus software companies are warning customers that new editions to the Bagle family of e-mail worms are spreading on the Internet, and depositing copies of the worm's source code on computers they infect.

Leading antivirus firms including Sophos PLC , Symantec Corp. and McAfee Inc. issued alerts about two new variants, W32/Bagle-AD and Bagle-AE, on Tuesday. The new tactic could place copies of the worm's core computer code on thousands of compromised computers, and may be a sign that the author or authors of one of the most prolific worms in recent months are feeling the heat from the law, according to one security expert.

The new Bagle versions were first detected on Tuesday and are almost identical to each other, and very similar to earlier versions of the worm, which spreads through shared file folders and in e-mail messages carrying the worm file as an attachment, according to Carole Theriault, security consultant at Sophos.

When run, the new Bagle worms display a message box with the title "Error! Can't find a viewer associated with the file." Like earlier versions of Bagle, the new worm variants also harvest e-mail addresses from files stored on the hard drive of computers it infects and has its own SMTP (Simple Mail Transfer Protocol) engine, which is used to send out large volumes of infected e-mail messages from machines infected by the worm.

A copy of the original worm code is also deposited on the host machine in a file called sources.zip, Sophos said.

E-mail messages generated by the worm used forged (or "spoofed') sender addresses and vague subject lines such as "Re: Document," "Re: Thank you!" and "Update." Worm-infected file attachments might be in ZIP, EXE, SCR or other common formats and also have nonspecific names like "Moreinfo," "Details" or "Readme," antivirus companies said.

While the new variants are not as virulent as Bagle's earlier versions, the decision to distribute the worm's source code is significant, Theriault said.

The Bagle author or authors are copying a tactic pioneered by other virus writing groups, including the group responsible for the MyDoom family of worms. The MyDoom.C variant, which appeared in February, also deposited a copy of that worm's source code on machines infected by the worm.

The decision of the Bagle group to do the same, after releasing 30 versions of their worm, may indicate that they are growing nervous about being caught. By distributing their worm code to thousands of Internet machines, the author or authors could plausibly deny responsibility for any worm code found on their machines, Theriault said.

There have been high profile arrests of worm and Trojan horse program authors in recent months. In May, police in Lower Saxony, in northern Germany, arrested an 18-year-old and charged him with creating the Sasser worm, which appeared on May 1. That man is also being investigated on suspicion of creating the NetSky worm, German authorities said.

For weeks in February and March, competing virus writing groups used dozens of worm variants to carry out a public war of words, with barbed messages buried in versions of the MyDoom, NetSky and Bagle worms.

The Bagle and NetSky groups may have actually known each others identity, making the arrest of the alleged NetSky author troubling for those behind Bagle, Theriault said.

Antivirus firms advised customers to update their antivirus software to detect the new worms.