New Bagle variant using .zip attachments

The ever-present Bagle worm again is making the rounds, this time spreading as an emailed .zip attachment encrypted with a password.

Sophos said in a statement Tuesday that it discovered a new version of the worm, which usually finds itself at or near the top of security firms’ list of leading viruses.

In the latest version, the Bagle variant spreads via email using a subject line randomly selected from a list of 118 different names programmed into its code, according to Sophos. Zip files are attached to the emails, and the worm is encrypted inside the files. The message body contains phrases such as "I love you" and a five-digit numerical password that recipients can use to unlock and download the bug.

Once activated, the worm disables security applications and downloads malicious code from one of 99 websites, based in foreign countries such as Poland, Russia and the Czech Republic, according to Sophos.

"The worm uses a randomly generated password for its email image and for the .zip file, in an attempt to evade email filters," said Graham Cluley, Sophos’ senior technology consultant. "Users would be wise to resist the temptation of opening unsolicited attachments, and ensure their anti-virus protection is kept up-to-date."
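A mail gateway cannot scan inside a password-protected archive, but it can still see that the archive is encrypted and that the message carries a five-digit number. The following triage check is an added example, not code from Sophos, F-Secure or the article; the function names, the verdict labels and the sample message are assumptions constructed for illustration.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

FIVE_DIGITS = re.compile(r"(?<!\d)\d{5}(?!\d)")  # standalone five-digit number

def encrypted_members(data: bytes) -> list:
    """Entry names whose ZIP general-purpose flag bit 0 (encrypted) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []  # not a ZIP archive, whatever the filename says

def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    candidates = FIVE_DIGITS.findall(body.get_content() if body else "")
    # Inspect attachment bytes, not the extension or declared MIME type.
    hits = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()
            if encrypted_members(p.get_payload(decode=True) or b"")]
    # If the password is shown in an image rather than as text (the quote
    # mentions an email image), no candidate is found, so an encrypted
    # archive on its own still goes to review.
    verdict = "quarantine" if hits and candidates else "review" if hits else "pass"
    return {"encrypted_zips": hits, "password_candidates": candidates, "verdict": verdict}

def build_sample(encrypted: bool) -> bytes:
    """Constructed, harmless message; flag bit patched in, contents not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless constructed payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 1                             # local file header flags
        data[data.find(b"PK\x01\x02") + 8] |= 1  # central directory flags
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("I love you\npassword: 48213\n")
    msg.add_attachment(bytes(data), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(True)))
    print(triage(build_sample(False)))
```

The check reads only the archive's directory metadata and never opens a member, so it needs no password.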

Finnish security vendor F-Secure said on its blog this week that it recently has received numerous reports of the worm.

"We usually receive new Bagle variants once or twice a week, but for the past week, we have received a new Bagle once per day," according to F-Secure.
