Another variation of the long-running Bagle worm began spreading early Friday, pushing most security firms' warning levels to their highest in over a month. Although three different versions of Bagle were launched almost simultaneously, one, dubbed Bagle.av, Bagle.at, Bagle.au, or Bagle.bb, is spreading the fastest.
"It started showing up around 2 a.m. today Eastern time," said Stefana Ribaudo, the product manager for Computer Associates' eTrust security program, "and first spread in Europe. When U.S. offices opened between 8 and 9, it really took off."
Computer Associates, for instance, received 100 submissions of the new Bagle within an hour, while the worm went straight to the top of F-Secure's list of the most common viruses during the past 24 hours. U.K.-based security vendor BlackSpider noted that more than a million e-mails carrying the new Bagle had been sent as of early Friday morning, London time. It's not uncommon for worms and viruses to be seeded in large spam-style mailings, often with the help of large networks of hijacked PCs where each machine mails just a few messages to escape detection.
Whatever it's named -- Bagles have proliferated to such a degree that there's no longer a common naming system among anti-virus vendors -- the worm is relatively easy to spot, say analysts. The subject line is typically "Re: Hello," "Re: Hi," or "Re: Thank you!" The worm is disguised as a .exe, .scr, .com, or .cpl file named "Price" or "Joke."
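The indicators above, expressed as a mail-gateway check in Python (an added example, not part of the original article). The function names, verdict labels and sample messages are constructed for illustration, and the choice to act on the attachment rather than the subject line is an assumption made here because subjects like "Re: Hi" are common in legitimate mail.

```python
from email import message_from_string, policy

# Indicators as reported in the article.
SUBJECTS = {"re: hello", "re: hi", "re: thank you!"}
NAMES = {"price", "joke"}
EXTENSIONS = {".exe", ".scr", ".com", ".cpl"}

def attachment_matches(filename):
    """True if the file is named Price/Joke with one of the listed extensions."""
    # Drop any path component and trailing dots/spaces that Windows ignores.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    stem, dot, ext = name.rpartition(".")
    return bool(dot) and stem in NAMES and "." + ext in EXTENSIONS

def check_message(raw):
    """Parse a raw RFC 5322 message and report which indicators it matches."""
    msg = message_from_string(raw, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    # walk() visits every MIME part, including nested multiparts.
    hits = [p.get_filename() for p in msg.walk()
            if p.get_filename() and attachment_matches(p.get_filename())]
    return {
        "subject_match": subject in SUBJECTS,  # corroborating signal only
        "attachments": hits,
        "verdict": "quarantine" if hits else "deliver",
    }

# Constructed sample: matching subject plus a matching attachment name.
SAMPLE = (
    "From: a@example.com\nTo: b@example.com\nSubject: Re: Hello\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n:))\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="Price.scr"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n"
    "--b1--\n"
)

# Constructed sample: ordinary reply whose subject happens to match.
BENIGN = (
    "From: a@example.com\nTo: b@example.com\nSubject: Re: Hi\n"
    "Content-Type: text/plain\n\nSee you at noon.\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE))
    print(check_message(BENIGN))
```
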
Like earlier Bagles, this one spreads by grabbing e-mail addresses from compromised machines and remailing itself with its own SMTP server. It also spreads via shared network folders.