Anti-virus software companies are again warning e-mail users about a new version of the Bagle virus, which is spreading on the Internet through infected e-mail messages and targeting machines running Windows.
Bagle.U is the 21st version of an e-mail worm that first appeared in January. Unlike earlier versions of the worm, the new variant eschews tricky subject lines or enticing messages, hiding in a file attachment to otherwise blank e-mail messages. Once opened, Bagle.U opens a back door to infected systems, mails copies of itself to e-mail addresses it steals from the user's computer and even launches the Windows Hearts card game, anti-virus companies said.
Thousands of copies of the new Bagle variant were first spotted on Friday, following what is believed to be an initial e-mail "seeding" of the virus, according to security company iDefense.
Citing the number of infected e-mails, Network Associates' Antivirus Emergency Response Team (AVERT) rated Bagle.U a "medium" threat. Anti-virus company F-Secure has rated it "level 2", indicating "large infections".
As with earlier versions of the Bagle worm, the virus code is contained in an executable (.exe) format file with a randomly generated name. Users must double click on the file to open it. This should help reduce the infection since many organisations automatically block .exe files.
Once launched, the Bagle worm installs itself, begins listening for instructions on communications port 4751 and connects to a website in Germany to report the identity of the infected machine to the worm's author, F-Secure reported.
Bagle is one of a series of worm families that have been plaguing e-mail users in recent months. New versions of Bagle, as well as MyDoom and Netsky, have been surfacing on an almost daily basis since January, prompting a frenzy of activity among anti-virus researchers who must identify and develop antidotes for each new variant.
Experts are at a loss to explain the recent proliferation of worms, though some have cited an apparent "war" between the authors of the Bagle and Netsky worms as the motivation for the release of many of the variants.
The latest is programmed to stop spreading on 1 Jan, 2005. However, at least one antivirus expert expects many new versions of Bagle to be released in the coming weeks. "Bagle.U will not be the last Bagle worm we see. Get ready to re-learn your ABCs as we head into the AA-Z series of Bagle worms," said Ken Dunham, director of malicious code at iDefense.
Multiple, contemporary variants of the same malicious code will help the latest worms succeed in the wild, Dunham said.