Three, and possibly four, new versions of the Bagle email worm have been spreading quickly on the internet as of Tuesday, security firms have reported.
MessageLabs, which monitors 110m pieces of email sent per day, found about 145,000 copies of just one of the new Bagle downloader variants. The company tracked about 4,000 copies of the one variant between 1pm and 2pm GMT, with the number spiked to nearly 42,000 copies in the next hour and 56,000 copies between 3pm and 4pm.
About 80 variants of the original Bagle worm, which first appeared in January 2004, have been released on the internet. The first of the new Bagle downloader variants MessageLabs tracked on Tuesday drops a Trojan horse program that attempts to download Bagle from a list of about 130 websites worldwide.
Computer users who activate the file attached in the email activate the virus, which harvests email addresses it finds on the computer's hard drive. The virus then forwards itself onto the list of email addresses on the infected computer.
In the first variant on Tuesday, the email carrying the Bagle worm had an empty subject line and body text, MessageLabs said.
It appeared to have started on a Yahoo webmail account, a spokesperson said. "Somebody wanted to refresh his botnets or email addresses," he said. "They want to keep up to date with the things they sell." Botnets are groups of compromised computers, controlled by hackers and often used in cyberattacks.
Antivirus vendor Symantec also reported seeing at least one new Bagle variant Tuesday, but found the worm was spreading less quickly than MessageLabs reported. Symantec noted only about 50 Bagle copies on computers with its virus-protection software installed.
Damage from the new Bagle variants should be minor as antivirus vendors react quickly to the attacks, said Ken Dunham, director of malicious code at iDefense Inc, another cybersecurity vendor. The first two variants seen Tuesday were tentatively dubbed Bagle.CA and Bagle.CB, which would make them the 79th and 80th Bagle variants.
"We're a long way down the line of Bagle worms," Dunham said. "It's very similar to former Bagle attacks."
Dunham encouraged computer users to update their antivirus software, use firewalls and avoid opening suspicious files attached to email. "Just because it looks like it was from your billing department, or it was from your friend, or it was porno, doesn't mean it is," he said. "Be careful on email. Don't trust anything."