Spawn of Bagle and Netsky roil Internet

Serial worm outbreaks continued on Tuesday as new variants of the Bagle and Netsky e-mail worms spread on the Internet.

Since Monday, antivirus companies identified two new versions of the Bagle worm, dubbed Bagle.H and Bagle.I, and a new version of the Netsky worm, Netsky.E, just hours after five new versions of Bagle and Netsky.D, a virulent new take on that worm, were released, antivirus companies said.

The new worms versions were rated "low" threats on Tuesday by Symantec Corp., indicating that they were spreading slowly. However, Network Associates Inc.'s (NAI's) McAfee antivirus unit increased its rating of Bagle.H from a "low" to a "medium" threat on Tuesday, based on an increased number of submissions from customers and other Internet users, said Brian Mann, outbreak manager at NAI's McAfee Antivirus Emergency Response Team unit.

NAI researchers are receiving a "couple hundred" Bagle.H submissions Tuesday, which roughly correlates to hundreds of actual infections. That prompted the rating change, Mann said.

Both new versions of the Bagle worm spread in ZIP files that require passwords to open, similar to the Bagle.F and Bagle.G variants that appeared over the weekend. The virus authors provide the password to unlock the ZIP in the e-mail message containing the virus.

Hiding their creation in a password-protected file allows authors to slip the virus by gateway antivirus filters, which cannot decode the file to read the signature of the virus inside, said Mann.

Some antivirus products can spot the virus by comparing information about the ZIP file attachment to known samples of the worm, he said.

Most new versions are modifications of previous versions, with slight changes to the subject lines, message text and attachments used to lure unsuspecting recipients, he said.

Antivirus experts don't know who is to blame for the flood of new worm variants that have appeared since mid-January, when Bagle and Mydoom first surfaced. Competing groups of virus writers may be behind the releases, using worms to battle for Internet turf that is measured in compromised hosts, Mann said.

Earlier versions of the Netsky worm removed copies of the Mydoom virus, which may be evidence of a kind of one-upmanship between virus authors, he said.

While the Bagle worm continued to throw off new variants, Netsky.D continued to assault e-mail in-boxes with virus-generated e-mail messages.

Symantec Corp. updated Netsky.D to a "severe" threat Monday, citing an "increased rate of submissions."

NAI researchers saw a decrease in the volume of Netsky.D mail on Tuesday, but still rate it a "medium" threat and expect it to "be around for a while," Mann said.

Researchers are also looking at the security risks posed by the viruses, many of which open communications ports on infected systems that can be used to upload malicious software or remotely control the infected systems, he said.