Bagle, Netsky Variants Hit the Net

Serial worm outbreaks continued on Tuesday as new variants of the Bagle and Netsky e-mail worms spread on the Internet.

Since Monday, antivirus companies identified two new versions of the Bagle worm, dubbed Bagle.H and Bagle.I, and a new version of the Netsky worm, Netsky.E. These worms were discovered just hours after five new versions of Bagle and Netsky.D, a virulent new take on that worm, were released, antivirus companies say.

The new worms versions were rated "low" threats on Tuesday by Symantec, indicating that they were spreading slowly. However, Network Associates' McAfee antivirus unit increased its rating of Bagle.H from a "low" to a "medium" threat on Tuesday, based on an increased number of submissions from customers and other Internet users, says Brian Mann, outbreak manager at NAI's McAfee Antivirus Emergency Response Team unit.

NAI researchers are receiving a "couple hundred" Bagle.H submissions Tuesday, which roughly correlates to hundreds of actual infections. That prompted the rating change, Mann says.

Password Protected

Both new versions of the Bagle worm spread in .zip files that require passwords to open, similar to the Bagle.F and Bagle.G variants that appeared over the weekend. The virus authors provide the password to unlock the .zip in the e-mail message containing the virus.

Hiding their creation in a password-protected file allows authors to slip the virus by gateway antivirus filters, which cannot decode the file to read the signature of the virus inside, says Mann.

Some antivirus products can spot the virus by comparing information about the ZIP file attachment to known samples of the worm, he says.

Most new versions are modifications of previous versions, with slight changes to the subject lines, message text and attachments used to lure unsuspecting recipients, he says.

Searching for the Source

Antivirus experts don't know who is to blame for the flood of new worm variants that have appeared since mid-January, when Bagle and Mydoom first surfaced. Competing groups of virus writers may be behind the releases, using worms to battle for Internet turf that is measured in compromised hosts, Mann says.

Earlier versions of the Netsky worm removed copies of the Mydoom virus, which may be evidence of a kind of one-upmanship between virus authors, he says.

While the Bagle worm continued to throw off new variants, Netsky.D continued to assault e-mail in-boxes with virus-generated e-mail messages.

Symantec updated Netsky.D to a "severe" threat Monday, citing an "increased rate of submissions."

NAI researchers saw a decrease in the volume of Netsky.D mail on Tuesday, but still rate it a "medium" threat and expect it to "be around for a while," Mann says.

Researchers are also looking at the security risks posed by the viruses, many of which open communications ports on infected systems that can be used to upload malicious software or remotely control the infected systems, he says.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon