The prolific Bagle worm is rising once again this week, arriving in email inboxes as an encrypted .zip attachment. According to several antivirus firms, the new versions spread using randomly chosen names programmed into its code.
Finnish security firm F-Secure Corp. announced the latest variants in its
Russian antivirus firm Kaspersky Lab rated one of the latest variants, Bagle-FY, as a moderate risk and said it has been spreading rapidly in the past 24 hours or so. "Kaspersky Lab is receiving increasing numbers of reports … from users around the world," the firm said on its Web site.
UK-based Sophos said one variant, Bagle-KL, spreads as an encrypted .zip email attachment that even carries a password. The randomly generated numerical password is communicated to the recipient by embedding an image into the email, the firm said. It also spreads using a subject line randomly chosen from 118 different names programmed into its code. The list of names includes Ann, Anthonie, Constance, Emanual, Frances, Geoffraie, Harrye, Humphrie, Judith, Margerie, Michael, Nicholas, Robert, Winifred, Johen, and Thomas.
The .zip file titles include Edmund.zip, Nicholaus.zip, Dorithie.zip, Henry.zip, Daniel.zip, Nycholas.zip, Judeth.zip, Sybyll.zip, Winifred.zip, Bennett.zip, and John.zip. Encrypted inside the attached Zip file is a copy of the worm.
Sophos said the body of the email can contain phrases such as "I love you" or "To the beloved," with advice on the five-digit password that should be used to open the .zip file.
When run, Sophos said, Bagle-KL attempts to disable various security applications and download malware from one of 99 different Web sites. Many of those Web sites are based in Poland, Russia and the Czech Republic.
"Users would be wise to resist the temptation of opening unsolicited attachments, and ensure their antivirus protection is kept up to date," Sophos Senior Technology Consultant Graham Cluley said in a statement.