There are plenty of flavors to go around

Mar 2, 2005 09:31 GMT  ·  By

The malware is back in business, and it has brought a couple of friends with it: spam campaigns are now backing the distribution of multiple variants of the Trojan. IT security company F-Secure said that Bagle BB, BD and BE are spreading fast. The firm's senior security consultant Patrik Runald added that there is a "strong possibility" that the same person is behind all three.

Only a few hours after these three were spotted in the wild, yet another version of the Bagle virus was detected, bringing the number of variants discovered yesterday to four and prompting security experts to warn that this could mark the start of a serious wave of virus attacks.

Grisoft, makers of the popular AVG Anti-Virus products, confirmed that its labs had detected Bagle.BM, joining other variants BB, BD and BE reported earlier today.

Bagle BB was spammed out by email overnight to as many as 100,000 people. F-Secure has issued a 'level two' alert about Bagle BB, which is a Trojan downloader. This variant does not send email from infected machines; instead it drops files such as 'winshost.exe' and 'wiwshost.exe' and attempts to disable a range of antivirus and security tools.

The Bagle BD variant works in a similar way, while the BE variant spreads in the more traditional way, by email. Instead of harvesting email addresses from the infected machine to spread further, this variant accesses a web server on the internet. Bagle BD also tries to install a backdoor on infected machines.

Bagle.BM is a 34KB Windows executable file. It arrives attached to messages that come with an empty subject line; the body contains the words 'new price' or just 'price'. When a user opens the attachment, the worm activates, copies itself to the Windows system directory and registers that copy in the system registry.

Bagle.BM also terminates processes designed to protect the machine and the local network, which leaves the infected PC vulnerable to further attacks by malicious code, Grisoft warned.
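The lure described above (empty subject, a body of just 'price' or 'new price', and a roughly 34KB Windows executable attached) is specific enough to match at a mail gateway. The following is an added example of such a check, written for this page; it is not code from the article, F-Secure or Grisoft. The only indicators it uses are the ones the article gives; the size tolerance, the list of executable extensions and the two sample messages are my own constructed assumptions.

```python
"""Mail-gateway check for the Bagle.BM lure described in the article.

Added example, not vendor code. Indicators from the article: empty Subject,
body 'price' or 'new price', ~34KB Windows executable attachment.
The size tolerance and executable extension list are assumptions.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

LURE_BODIES = {"price", "new price"}          # from the article
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}  # assumption
EXPECTED_SIZE = 34 * 1024                     # "34KB" per the article
SIZE_TOLERANCE = 2 * 1024                     # assumption


def is_windows_executable(data: bytes) -> bool:
    """DOS/PE executables start with the 'MZ' magic, whatever the filename."""
    return data[:2] == b"MZ"


def bagle_bm_indicators(raw: bytes) -> list[str]:
    """Return the list of article indicators that a raw RFC 822 message matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits: list[str] = []

    # Indicator 1: missing or blank Subject header.
    if not (msg.get("Subject") or "").strip():
        hits.append("empty subject")

    # Indicator 2: body text is exactly 'price' or 'new price' (case-insensitive).
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part is not None else ""
    if body in LURE_BODIES:
        hits.append(f"lure body {body!r}")

    # Indicator 3: an executable attachment, by extension or by MZ magic,
    # optionally close to the 34KB size the article reports.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXEC_EXTENSIONS or is_windows_executable(payload):
            hits.append(f"executable attachment {name or '<unnamed>'}")
            if abs(len(payload) - EXPECTED_SIZE) <= SIZE_TOLERANCE:
                hits.append("attachment size ~34KB")
    return hits


def is_suspected_bagle_bm(raw: bytes) -> bool:
    """All three lure traits must be present; any one alone is too common."""
    hits = bagle_bm_indicators(raw)
    return (
        "empty subject" in hits
        and any(h.startswith("lure body") for h in hits)
        and any(h.startswith("executable attachment") for h in hits)
    )


def build_message(subject, body, attachment=None) -> bytes:
    """Construct a test message (constructed sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: a lure shaped like the article's description (the
# attachment is a dummy 34KB blob with an MZ header, not malware) and a
# benign price-list mail that shares vocabulary but none of the traits.
SAMPLE_LURE = build_message("", "new price",
                            ("price.exe", b"MZ" + b"\0" * (EXPECTED_SIZE - 2)))
SAMPLE_BENIGN = build_message("Q1 price list",
                              "Attached is the updated price list.",
                              ("prices.pdf", b"%PDF-1.4 ..."))

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspected_bagle_bm(raw), bagle_bm_indicators(raw))
```

The check deliberately requires all three traits together: an empty subject or a one-word body is common in legitimate mail, and blocking every executable attachment is a separate policy decision. The MZ-magic test catches the attachment even if the sender renames it, which a pure extension filter would miss.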