Bagle author creates new outbreak

01 Mar 2005
Virus News

Kaspersky Lab, a leading security content management vendor, has detected a number of variants of Email-Worm.Win32.Bagle. These new Bagles are new variants of the same malware, only packed differently. One thing they have in common is that they don't self-replicate. In other words, these are so-called intended variants, not fully functional versions. However, somewhat paradoxically, we've seen large numbers of them during the course of the day. The reason is that they have all been mass-mailed out delibarately as spam.

The new Bagles were sent as attachment to infected emails with random or missing subjects and texts. The malware arrives as a Windows executable file. The name, format and size of the files are also random. It is difficult therefore to identify the infected emails using formal attributes, and we caution all users to be especially cautious when opening email attachments.

The malware is launched when the user clicks on the attachment: Bagle copies itself into the Windows system folder and creates a registry key. Bagle then stops processes that protect the infected machines and local networks, leaving them open to further attack.

Kaspersky Lab virus analysts have detected 15 pieces of malware by the author of Bagle. They are closely related and differ mostly in the packing routines. Therefore, Kaspersky Lab is detecting them all as Email-Worm.Win32.Bagle.pac. Detailed information and a description are available on Viruslist.com