Bagle Worm Returns for Anniversary

Virus writers have marked the one-year anniversary of the Bagle mass-mailing worm with an unwelcome surprise: new variants. Bagle's return has prompted leading antivirus vendors to issue advisories warning of the worm's spread classifying the worm as a "medium" risk.

At least three different variants have been discovered "in the wild" within the past 24 hours.

Bagle spreads by harvesting mail addresses from local computers that it has already infected and spreads itself by spoofing the "From" field to manipulate the trust of its intended victims. Infected e-mails contain an attached executable that, if run, opens remote access through port 2339. The worm also contains its own SMTP engine.

The most worrisome of the new variants are: W32/Bagle.bj@MM, alternatively known as Bagle.bj; W32.Beagle.AZ@mm, or W32/Bagle.AX@MM; W32/Bagle.bl@MM and W32/Bagle.bk@MM.

Within the past several hours, McAfee has raised its risk assessment for W32/Bagle.bj@MM to "Medium." W32/Bagle.bj@MM packs a modified version of the PeX program and McAfee has received over 100 reports of infection since the morning hours.

When asked about whether or not consumers are more protected from worms than they were one year ago, Phebe Waterfield, a senior analyst with The Yankee Group, told BetaNews, "Yes, but not on the AV side. Consumers are more protected by anti-spam solutions, which most ISPs have in place."

Antivirus vendors recommend that users run up-to-date virus protection to keep their systems safe and stop the worms from spreading.