New Bagle variants on the prowl

The prolific worm arrives as a .zip attachment that's encrypted with a password. It spreads using randomly chosen names programmed into its code.

The prolific Bagle worm is rising once again this week, arriving in email inboxes as an encrypted .zip attachment. According to several antivirus firms, the new versions spread using randomly chosen names programmed into its code.

Finnish security firm F-Secure Corp. announced the latest variants in its blog Tuesday, saying, "One Bagle per day -- it isn't a diet, it's a way of life." The company said it usually receives new Bagle variants once or twice a week, but that in the past week it has received a new variant each day.

Russian antivirus firm Kaspersky Lab rated one of the latest variants, Bagle-FY, as a moderate risk and said it has been spreading rapidly in the past 24 hours or so. "Kaspersky Lab is receiving increasing numbers of reports … from users around the world," the firm said on its Web site.

UK-based Sophos said one variant, Bagle-KL, spreads as an encrypted .zip email attachment that even carries a password. The randomly generated numerical password is communicated to the recipient by embedding an image into the email, the firm said. It also spreads using a subject line randomly chosen from 118 different names programmed into its code. The list of names includes Ann, Anthonie, Constance, Emanual, Frances, Geoffraie, Harrye, Humphrie, Judith, Margerie, Michael, Nicholas, Robert, Winifred, Johen, and Thomas.

The .zip file titles include Edmund.zip, Nicholaus.zip, Dorithie.zip, Henry.zip, Daniel.zip, Nycholas.zip, Judeth.zip, Sybyll.zip, Winifred.zip, Bennett.zip, and John.zip. Encrypted inside the attached Zip file is a copy of the worm.

Sophos said the body of the email can contain phrases such as "I love you" or "To the beloved," with advice on the five-digit password that should be used to open the .zip file.

When run, Sophos said, Bagle-KL attempts to disable various security applications and download malware from one of 99 different Web sites. Many of those Web sites are based in Poland, Russia and the Czech Republic.

"Users would be wise to resist the temptation of opening unsolicited attachments, and ensure their antivirus protection is kept up to date," Sophos Senior Technology Consultant Graham Cluley said in a statement.

Dig deeper on Malware, Viruses, Trojans and Spyware

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close