Two new Bagle worms are circulating, with antivirus vendors currently ranking W32/Bagle-U@mm as a medium risk and W32/Bagle-V@mm as a low-level threat.
The variants have very simple characteristics: a spoofed address; a blank message body and subject; and a randomly named .exe attachment for Bagle-U and an attachment for Bagle-V called game.exe.
"There is nothing compelling in the e-mail, literally nothing, to make a user click on the attachment," Ken Dunham, director of malicious code at Reston, Va.-based iDefense, said in a statement. "By simply having just an attachment, Bagle-U has already enticed thousands to open the malicious attachment."
According to UK-based e-mail security service provider MessageLabs, desktop antivirus products currently provide low protection.
When executed, Bagle-U attempts to open the Microsoft Hearts card game (mshearts.exe) on the target computer to conceal the infection, said Dunham. It then installs itself in the Windows System directory as gigabit.exe. When Bagle-V runs, it copies itself to the system folder, modifies the registry key and attempts to execute Dredr.exe, if it's present on the infected computer. Bagle-V avoids sending e-mail messages to addresses that contain the strings: @avp and @microsoft. Both install a backdoor Trojan horse that communicates on TCP port 4751 and perform a mass mailing similar to previous Bagle worm variants.
"While it's not unusual for there to be a large number of variants to a
Bagle targets Windows 2000, Windows 95, Windows 98, Windows ME, Windows NT and Windows XP.
Many antivirus vendors have released updated signatures to detect the variants.