New Bagle worm spreading; source code is revealed
Leading antivirus firms issued alerts about two new variants yesterday
News Story by Paul Roberts
JULY 07, 2004
(IDG NEWS SERVICE) - Antivirus software companies are warning customers that new editions of the Bagle family of e-mail worms are spreading on the Internet and depositing copies of the worm's source code on computers they infect. Leading antivirus firms, including Sophos PLC, Symantec Corp. and McAfee Inc., issued alerts about two new variants, W32/Bagle-AD and Bagle-AE, yesterday. The new versions could place copies of the worm's core computer code on thousands of compromised computers -- and that may be a sign that the author or authors of one of the most prolific worms in recent months are feeling the heat from the law, according to one security expert.
First detected yesterday, the new Bagle versions are almost identical to each other and very similar to earlier variants, which spread through shared file folders and in e-mail messages carrying the worm as an attachment, said Carole Theriault, a security consultant at Sophos.
When run, the new Bagle worms display a message box with the title "Error! Can't find a viewer associated with the file." Like earlier versions of Bagle, the new variants also harvest e-mail addresses from files stored on the computers they infect and have their own Simple Mail Transfer Protocol engines, which they use to send large volumes of infected e-mail messages.
They also deposit a copy of the original worm code on the host machine in a file called sources.zip, Sophos said.
E-mail messages generated by the worm use forged (or "spoofed") sender addresses and vague subject lines such as "Re: Document," "Re: Thank you!" and "Update." The infected attachments are files in common formats such as .zip, .exe or .scr with nonspecific names like "Moreinfo," "Details" or "Readme," according to antivirus companies.
While the new variants aren't as virulent as Bagle's earlier versions, the fact that the author or authors decided to distribute the worm's source code is significant, Theriault said. That tactic was pioneered by other virus-writing groups, including the group responsible for the Mydoom family of worms. The Mydoom.C variant, which appeared in February, deposited a copy of the Mydoom source code on machines it infected.
The decision by the creator or creators of Bagle to do the same, after releasing 30 versions of the worm, may indicate that they are growing nervous about being caught. By distributing the Bagle code to thousands of Internet machines, the author or authors could plausibly deny responsibility for any worm code found on their machines, Theriault said.
There have been high-profile arrests of worm and Trojan horse authors in recent months. In May, police in Germany arrested an 18-year-old and charged him with creating the Sasser worm, which appeared on May 1. That man is also being investigated on suspicion of creating the NetSky worm, German authorities said.
For weeks in February and March, competing virus writers used dozens of worm variants to carry out a public war of words, with barbed messages buried in versions of the Mydoom, NetSky and Bagle worms.
The Bagle and NetSky creators may have actually known each other's identities, making the arrest of the alleged NetSky author troubling for those behind Bagle, Theriault said.
Antivirus firms advised customers to update their antivirus software to detect the new worms.
Security Products: Astaro Security Linux Appliance

Award winning, rock-solid network security, simple and affordable.

"...exceptionally polished and extremely robust security gateway for a very reasonable price.... the most polished and easy to use Web-based management system we've seen to date." -- INFOWORLD

Astaro provides six essential security applications in one easy-to-manage package that protects organizations from hackers, viruses, worms, spam and other threats to security and productivity.

Astaro Security Linux offers:
- firewall
- intrusion protection
- e-mail virus protection
- web virus protection
- spam protection
- VPN gateway
- URL filtering capabilities
A unified management platform makes it easy to deploy, administer, and update a complete network security solution with surprisingly little cost and effort. The software can be installed on a standard Intel PC, or purchased pre-installed on a variety of security appliances.

Based on the best of open source security software, Astaro Security Linux has won numerous awards, and is in use on over 20,000 networks in 60 countries.

Astaro Security Linux is extremely scalable, with the ability to protect small office/home office and remote office to enterprise implementations, incorporating features such as high availability, VLANs, QoS and a configuration manager to manage multiple sites from a single management platform.

Prices start at $390 for a 10 user license. Educational discounts are available.
Intrusion Prevention Systems
Vulnerability Scanners

Firewalls
- Astaro Security Linux
- Netscreen
- Checkpoint

Management

Virus Control
- Astaro Security Linux
- Mail Marshall

Content Filter
- Astaro Security Linux

Services
- Security audit
- Perimeter Vulnerability Scan
- Router/switch optimization for security
- Firewall checking and configuration
- VPN Design and Implementation
- Network design
- Network based application analysis
- Network Baselining
- Security baselining
This mailing has been performed by Aavex Technology Corporation, 42w588 Still Meadows Lane, Elburn IL 60119 USA, 630-365-0025, in compliance with the "CAN-SPAM Act of 2003", approved and signed by the president of The United States of America on Dec. 16, 2003. For this reason, this email cannot be considered SPAM. This newsletter contains commercial advertisement.