• PC World
• »Security

A new version of the Bagle e-mail worm has surfaced and is spreading quickly among Internet users, antivirus and computer security companies warn.

The new worm goes by a number of different names and is very similar to earlier versions of the worm . But this latest incarnation also has new features that allow it to trick antivirus software and content filtering products, says Sam Curry, vice president of e-Trust Security Management at Computer Associates International.

Since the start of the year, a flurry of Bagle variations have popped up. Some experts believe a so-called "war" between rival virus-writers is behind the ongoing proliferation of Internet worms.

CA and others have released updated virus definitions, or "signatures," that spot the new variant. In addition, antivirus products that use heuristic technology to spot viruses may be able to spot the new variant without an updated virus signature, Curry says.

Bagle Arrived With Morning Bagel

Both CA and antivirus company McAfee rate the new version of Bagle a "medium" threat, citing increasing number of samples submitted by users.

CA detected the new Bagle, which it dubbed Bagle.AG, at around 9 a.m. Eastern time on Monday, when most workers are first having their morning coffee and bagel (the edible variety). The new worm may have been "seeded" through e-mail distribution akin to spam e-mail campaigns, says Helsinki-based antivirus company F-Secure. F-Secure, like McAfee, has labeled the new worm Bagle.AQ.

Submissions from CA customers accelerated on Monday afternoon, with more than 35 enterprises and 300 consumers submitting samples of the worm to CA.

Similar, But With a Twist

The new Bagle is nearly identical to earlier versions of Bagle. Like those earlier versions, it contains its own Simple Mail Transfer Protocol (SMTP) e-mail engine, gleans e-mail addresses from files stored on the hard drive of computers it infects, and sends copies of itself out to those addresses using forged (or "spoofed") sender addresses.

However, the new variant also has some new features that make it harder to catch, Curry says.

Among other things, the new worm injects a file known as a dynamic link library, or DLL, into Windows that allows the worm to disguise itself as Microsofta??s Internet Explorer Web browser. That allows Bagle to masquerade its actions as those of IE, fooling firewall software that may be running on machines it infects and that would block communications to other systems on the Internet from unauthorized applications. As a result, this Bagle version is able to request and download malicious files with impunity, Curry notes.

For companies that may use content-blocking products that inspect Web traffic, the new Bagle variant also has a feature that alters the names of files it requests in transit. For example, it can rename .EXE program files as innocuous files such as JPEG images, which content-filtering products typically allow. Once downloaded to the infected system, however, the new Bagle version renames and runs the .EXE files, Curry explains.

CA is still analyzing Bagle, but Curry believes that the new worm version is spreading, in part, by exploiting a vulnerability in a Windows feature for viewing and opening .ZIP compressed file archives. That vulnerability allows the worm to be installed if users simply view the .ZIP-format e-mail attachment containing the worm file using the Windows Explorer or the IE browser.