New variants of the prolific Bagle and Mytob worms prompted several antivirus firms to issue medium-level alerts Tuesday.
"At least three different Bagle-related downloaders have been massively spammed," F-Secure Corp. of Finland said on its Web site. "The spammed mails typically have no subject or body text, just an attachment such as 1.zip containing 19_04_2005.exe or similar. We currently detect all spotted droppers and downloaders as Bagle-BO." The spread was significant enough for F-Secure to issue a "Level 2" alert.
New York-based MessageLabs Inc. said it had intercepted almost 70,000 copies of one variant by Tuesday afternoon -- 45,769 of which were stopped over the course of one hour. "The virus appears to have originated from a Yahoo group," the firm said in an e-mailed statement. "[The downloader variant] drops a Trojan [horse program] that attempts to download Bagle from a vast list of locations."
Moscow-based Kaspersky Lab issued a "moderate risk" alert for the latest outbreak, which it also labeled Bagle-BO. "The content of these messages and the name of the .zip attachment are random," the firm said on its Web site. "The attachment contains the worm's executable file, called 16_05_2005.exe, which is approximately 17KB in size."
The Bethesda, Md.-based SANS Internet Storm Center Web site said, "The attachments [so far] appear to be named as a single-digit number .zip file [eg: '5.zip' or '7.zip'] or as a string [eg: 'Be_not_jealous.zip'] with a payload of '16_05_2005.exe' or '19_04_2005.exe.'"
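The reports above give a mail administrator three concrete indicators: archives with no accompanying subject or body text, archive names consisting of a single digit, and an inner executable named in the DD_MM_YYYY.exe style. The following is an added example, not code from any of the firms quoted, showing how those indicators can be turned into attachment triage that inspects the zip listing without extracting anything. The flagging of any directly executable archive member (not only the dated names) is a generalisation of my own, and the sample messages are constructed stand-ins, not captured worm mail.

```python
import io
import re
import zipfile

# Indicators quoted in the article: a zip named with a single digit ('5.zip', '7.zip')
# and a payload named DD_MM_YYYY.exe ('16_05_2005.exe', '19_04_2005.exe').
SINGLE_DIGIT_ZIP = re.compile(r"^\d\.zip$", re.IGNORECASE)
DATED_EXE = re.compile(r"^\d{2}_\d{2}_\d{4}\.exe$", re.IGNORECASE)
# Generalisation (my assumption, not from the article): any directly executable member
# inside a mailed archive is worth flagging, not only the dated .exe names.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_member_names(data: bytes) -> list[str]:
    """List member names of a zip attachment without extracting any of them."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def score_attachment(filename: str, data: bytes, subject: str, body: str) -> list[str]:
    """Return the list of matched indicators for one attachment (empty list = no match)."""
    reasons = []
    if SINGLE_DIGIT_ZIP.match(filename):
        reasons.append("zip attachment named with a single digit")
    if filename.lower().endswith(".zip"):
        if not subject.strip() and not body.strip():
            reasons.append("archive attachment with empty subject and body")
        for member in zip_member_names(data):
            base = member.rsplit("/", 1)[-1]  # ignore any folder prefix inside the archive
            if DATED_EXE.match(base):
                reasons.append(f"dated executable inside archive: {base}")
            elif base.lower().endswith(EXECUTABLE_EXTENSIONS):
                reasons.append(f"executable inside archive: {base}")
    return reasons


def make_zip(member_name: str, content: bytes = b"constructed stand-in, not a real binary") -> bytes:
    """Build a small in-memory zip so the example runs offline (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample messages modelled on the descriptions in the article.
SAMPLE_MESSAGES = [
    {"subject": "", "body": "", "filename": "5.zip", "data": make_zip("16_05_2005.exe")},
    {"subject": "", "body": "", "filename": "Be_not_jealous.zip", "data": make_zip("19_04_2005.exe")},
    {"subject": "Q1 figures", "body": "See attached.", "filename": "figures.zip", "data": make_zip("figures.csv")},
]


def triage(messages):
    """Map each flagged attachment name to its matched indicators; clean messages are omitted."""
    results = {}
    for msg in messages:
        reasons = score_attachment(msg["filename"], msg["data"], msg["subject"], msg["body"])
        if reasons:
            results[msg["filename"]] = reasons
    return results


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_MESSAGES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running the script lists the two constructed worm-style messages with their matched indicators and stays silent on the ordinary business attachment. Reading the zip directory rather than extracting members keeps the check cheap and avoids writing untrusted content to disk; an archive that fails to parse still triggers the empty-subject-and-body check, so a deliberately malformed zip does not slip through on that count.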
Mytob-BI enters the fray
Bagle wasn't the only worm keeping AV providers busy Tuesday. Firms like Tokyo-based Trend Micro reported that a new Mytob variant was spreading quickly.
"Trend Micro has raised Worm_Mytob-BI to yellow alert status," the firm said in an e-mailed statement. "This is the fourth variant of the ever-popular family of worms to reach the alert stage, and the second this week to do so."
Trend Micro said it has only been 90 days since the first Mytob variant appeared. Since then, it said the worm "has managed to register over 125 new variants and is responsible for more than 65,000 worldwide infections."
Mytob variants pose as messages from IT administrators to trick users into executing the e-mail attachment. The message usually tries to fool the user into thinking it concerns the suspension of his or her e-mail account.