New versions of the Bagle worm are loose, prompting anti-virus companies to warn about the threat and push out a range of new signatures.
Three new versions of the worm that spreads through e-mail attachments have been spotted so far. McAfee rated two of them "medium" threats. Symantec and Sophos have also reported intercepting many samples of the new worms and advised customers to update anti-virus signatures as soon as possible.
McAfee's AVERT (Antivirus Emergency Response Team) spotted its first sample of Bagle.bb, one of the new variants, early on Friday morning. Since then, it has intercepted two more variants, dubbed Bagle.bc and Bagle.bd.
McAfee rates Bagle.bb and Bagle.bd "medium" threats, based on the number of submissions they received for each, said Vincent Gullotto, vice president of AVERT.
The new variants are almost identical to each other, but use slightly different versions of a compression program, known as a packer, to shrink the size of the virus, creating a different profile or "signature" that can fool some anti-virus programs, he said.
At Sophos, virus researchers have had "thousands" of reports of the Bagle.bb virus, which Sophos labeled Bagle.au, according to Graham Cluley, senior technology consultant at Sophos. Sophos has also captured copies of the two new Bagle variants, he said.
The first Bagle worm appeared on 19 January. Since then, more than 40 different versions of the worm have appeared. Like the first worm, all subsequent versions target systems running Windows, harvest e-mail addresses from infected machines and use their own SMTP to send virus-infected e-mail to addresses it captures. Bagle can also spread over P2P networks, planting files disguised to look like pornography or software in shared folders used by the networks, he said.
The new Bagle variants arrive in e-mail messages with forged or "spoofed" source addresses and vague subjects such as "Re:Hello," "Re: Thank you!" and "Re: Hi".
The new variants don't break any new ground in the world of virus design or "social engineering", the use of clever messages and e-mail subject lines to entice recipients to open the infected virus file, Cluley said.
Despite the large number of copies of the virus, Sophos reported few customer infections, he said. The large initial showing from the new Bagle worms could be due to a big distribution of the virus, or "seeding", through networks of compromised machines, Gullotto said.
After the initial blip, reports of the new Bagle worms should fade quickly as customers update anti-virus signatures and clean up infected machines, he said.