Risk: Medium
Virus writers have released a new version of the Bagle worm, on the back of the source code released into the wild earlier in July.
Bagle-AF (AKA Bagle-AB or the 'Apprentice' worm) is spreading quickly across the Net, following its release. Most anti-virus firms rate it as medium risk.
The new Bagle worm was made using source code, which came with the payload of the Bagle-AA (confusingly, some firms refer to this as Bagle-AE) worm earlier this month. Including the source code in a virus is like adding DIY instructions for apprentice hackers, since it makes it easier for the less-skilled to make many more versions of new viruses.
Bagle-AF opens a path for intruders to relay bulk email messages through infected PCs. The worm tries to contact one of 141 compromised German web sites to let its creators know which PCs it has infected. The worm leaves a backdoor open on compromised computers, which can then be used to spread spam or as zombie drones in DDoS attack networks.
The latest variant of Bagle is little different from its predecessors. Like the others it normally arrives in an email as an attached file. It can also spread over P2P networks. The worm can arrive in the form of a password-protected .ZIP file, with the password included in the message body of an infected email or within an attached image. Earlier versions of Bagle used the same trick.
On infection, the worm begins emailing out copies of itself to any email addresses it finds on compromised PCs. Bagle-AF also tries to stop a range of security applications from running, along with any copies of NetSky it finds (continuing a long-running spat).
Standard defence precautions apply against virus attacks from all versions of the worm: users should update their AV signature definition files to detect the virus and resist the temptation to open suspicious looking emails.