Email-Worm.Win32.Bagle.bo
31 May 2005 18:35:00 +0300
Kaspersky Lab has detected several new versions of Bagle. Most of them are detected as Bagle.bo, with others being detected as Bagle.bp.
The first version of Bagle.bo was widely spammed on 31st May. Bagle.bo is almost identical to previous versions of the worm; however, a different packer is used. Since the initial spamming, another 8 versions have been released. Bagle.bo variants differ from each other only in terms of the packer used to compress the worm file.
The worm arrives as an attachment to infected messages. The content of these messages and the name of the ZIP attachment are random. The attachment contains the worm's executable file; examples of file names include 03_05_2005.exe, 01_05_2005.exe and 19_04_2005.exe. These ZIP files are about 17KB in size, while Bagle.bo is approximately 36KB in size.
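Because the message text and archive name are random, a mail filter has to key on what is inside the ZIP. The sketch below is an added example, not Kaspersky Lab's detection logic: it reads the archive's file listing and flags executable members, with an extra reason for the date-style names quoted above. The function names and the extension list are assumptions.

```python
import io
import re
import zipfile

# Name shape taken from the advisory's examples (03_05_2005.exe, 19_04_2005.exe).
DATE_EXE = re.compile(r"^\d{2}_\d{2}_\d{4}\.exe$", re.IGNORECASE)
# Assumption: extensions this gateway treats as directly runnable on Windows.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".cpl")


def inspect_zip(data: bytes) -> dict:
    """Classify one ZIP attachment from its central directory; nothing is extracted."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Unparseable archives cannot be inspected, so hold them for review.
        return {"verdict": "quarantine", "reasons": ["unreadable archive"]}
    reasons = []
    with zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        for info in members:
            # Windows drops trailing dots and spaces, so normalise before matching.
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
            if not base.lower().endswith(EXEC_EXT):
                continue
            reasons.append(f"executable member: {base} ({info.file_size} bytes)")
            if DATE_EXE.match(base):
                reasons.append(f"date-named executable: {base}")
        if reasons and len(members) == 1:
            reasons.append("archive holds a single executable and nothing else")
    return {"verdict": "block" if reasons else "pass", "reasons": reasons}


def make_zip(files: dict) -> bytes:
    """Build a constructed in-memory ZIP for the demo; contents are inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "date-named exe": make_zip({"03_05_2005.exe": b"inert filler" * 10}),
        "plain document": make_zip({"notes.txt": b"hello"}),
        "not an archive": b"this is not a zip file",
    }
    for label, blob in samples.items():
        print(label, "->", inspect_zip(blob))
```

The name pattern only adds a reason; the verdict rests on the executable member, since the packer and file names change between variants.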
Bagle.bo variants include a list of URLs which the worm checks periodically. Files placed on these sites may be new versions of Bagle, or other malicious programs, which can then be installed on the victim machine. Bagle.bp is downloaded by Bagle.bo from one of these sites.
Urgent updates have been released to provide protection against all the new Bagle versions. Users are strongly recommended to download the latest updates.
A detailed description of Email-Worm.Win32.Bagle.bo is available in the Virus Encyclopaedia.
