Antivirus software companies are warning customers that new editions to the Bagle family of e-mail worms are spreading on the Internet, and depositing copies of the worm's source code on computers they infect.
Leading antivirus firms including Sophos, Symantec, and McAfee issued alerts about two new variants, W32/Bagle-AD and Bagle-AE, this week. The new tactic could place copies of the worm's core computer code on thousands of computers, and may be a sign that the author or authors are feeling the heat from the law, according to one security expert.
The new Bagle versions were first detected on Tuesday and are almost identical to each other and are very similar to earlier versions of the worm, according to Carole Theriault, security consultant at Sophos.
The virus spreads by sending itself in an attachment to addresses harvested from the hard drive of infected computers. E-mail messages generated by the worm used forged or "spoofed" sender addresses and vague subject lines such as "Re: Document," "Re: Thank you!" and "Update." Worm-infected file attachments might be in .zip, .exe, .scr, or other common formats and also have nonspecific names.
When run, the new Bagle worms display a message box with the title "Error! Can't find a viewer associated with the file." A copy of the original worm code is also deposited on the host machine in a file called sources.zip, Sophos says.
The decision to distribute the worm's source code is significant, Theriault says. It may indicate that they are growing nervous about being caught.
By distributing their worm code to thousands of Internet machines, the author or authors could plausibly deny responsibility for any worm code found on their machines, Theriault says.