X

Bagle keeps on toasting PCs

Publicly available source code means the latest variant of the virus won't be the last.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
See full bio
Robert Lemos
2 min read
A new version of the Bagle computer virus started spreading on Monday among PCs connected to the Internet, and antivirus companies warned that more variants are sure to come.

The latest virus, called Bagle.AI by some antivirus companies and Beagle.AG by others, spreads through e-mail as an attached file, which infects a user's PC when opened. The virus is extremely similar to previous versions of the program but uses a different form of compression as a way to dodge virus defenses.

"It really looks likes someone took the source code and changed a small number of things and then re-released it," said Oliver Friedrichs, senior manager for antivirus company Symantec's security response team.

Symantec rated the virus as a three on its five-point scale, and rival McAfee called Bagle.AI a medium threat.

The latest Bagle virus is the fourth variation found by antivirus companies in a week. Earlier this month, the program's writer released a version of the virus that contained the source code, the computer commands that can be compiled to make the virus. Antivirus companies believe the move will lead virus writers to create a greater number of variants.

"When the source code is available, it opens up the door to anyone making changes and releasing a new variant," Symantec's Friedrichs said. "It lowers the bar quite dramatically."

Another program with publicly available source code, Agobot, has more than 900 variations.

Bagle.AI arrives in e-mail as an attached file and infects computers running the Windows operating system if the user opens the file. The program harvests e-mail addresses from the infected machine and sends out messages to every address, with itself attached. The "from" field in the e-mail is forged to confuse the source of the message.

Like a previous version, the program also attempts to stop more than 250 security applications from running on the computer and contacts one of nearly 150 German Web sites to let the attackers know of their latest conquest.

The virus also copies itself to any directory that bears a name containing the word "shar," a means of targeting users of peer-to-peer software and to spread across network shares.

Computers compromised by the virus will likely be open to exploitation by spammers.