New Bagle, MyDoom variants roil Internet

New versions of the Bagle and MyDoom worms surfaced on the Internet Monday, and appear to be spreading.

Bagle.AI and MyDoom.N are both so-called "mass mailing" worms that use a built-in SMTP (Simple Mail Transfer Protocol) engine that sends e-mail messages carrying worm-infected file attachments from computer to computer on the Internet, both using faked (or "spoofed") sender addresses, antivirus companies said.

The new worm variants are just the latest in a string of virus releases in recent days that have antivirus software companies scrambling to keep their customers protected.

W32.Bagle.AI first appeared Monday and is rated a "medium" threat by McAfee Inc.'s Antivirus Research Team, citing reports of the virus from customers. McAfee rated MyDoom.N a "low" threat, whereas Computer Associates International Inc. noted the prevalence and destructiveness of the worm.

Similar to earlier versions of Bagle, the AI variant spreads through shared file folders and in e-mail messages carrying the worm file as an attachment, according to advisories from Sophos PLC and McAfee.

E-mail messages generated by the worm used forged (or "spoofed") sender addresses and the subject line "Re:" Worm-infected file attachments might be in ZIP, EXE, SCR, COM or CPL and also have nonspecific names like "Moreinfo," "Details" or "Readme," antivirus companies said.

Infected file attachments use one of a short list of names including "MP3," "Doll" and "Cat."

The worm can also send copies of itself as a password-protected compressed file with a ZIP extension. The password needed to unzip the ZIP file is contained in a second file with a TXT, INI, DOC or other extensions, McAfee said.

The MyDoom.N worm uses spoofed sender addresses such as "postmaster," "Post Office" and "MAILER-DAEMON" that make the e-mail resemble a rejected message.

MyDoom.N messages also have nondescript Subject lines such as "hello," "hi" and "delivery failed." Virus file attachments have names like "readme," "mail," "text" and "attachment." File extensions include CMD, BAT, COM, EXE and ZIP, McAfee said.

Antivirus companies issued updated virus definitions that can detect the new Bagle and MyDoom variants and recommended that customers update their antivirus software.