Original URL: http://www.theregister.co.uk/2004/09/29/bagle_joke_worm/
Ha, ha you're infected
New Bagle worm poses as 'joke' message
Posted in Malware, 29th September 2004 11:01 GMT
A new version of the infamous Bagle worm series is spreading widely across the net.
Bagle-AS (http://www.f-secure.com/v-descs/bagle_as.shtml) (AKA Bagle-AZ) normally arrives in emails with price or joke-related (infected) attachments with exe, cpl, scr or com extensions. Subject lines are picked from a series of innocuous greetings such as Re: Hello, Re: Thank you! or Re: Hi. Open these on a vulnerable Windows box and you get the pox.
The worm scours the hard disk of infected PCs for the email addresses of potential victims. In common with its siblings, Bagle-AS bulk-mails copies of itself to target addresses using its own SMTP (Simple Mail Transfer Protocol) engine. The From: lines of these messages are spoofed.
Bagle-AS also spreads via P2P networks, such as Kazaa, by secreting copies of itself on the shared folders of infected PCs. The worm also tries to disable a range of security applications, along with any instances of the NetSky worm it finds on infected machines.
As with previous variants, Bagle-AS contains a backdoor that enables virus writers or their associates to control infected machines. Bagle-AS is a Windows-only risk. Most AV vendors rate Bagle-AS as a medium category nuisance. Standard precautions apply (vigilance about unsolicited messages, updating AV protection, tin-foil hats etc.) ®
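For mail administrators, the attachment extensions and subject lines described above translate into a simple gateway triage rule. The sketch below is an added example, not code from The Register or any AV vendor; the function names, the three-tier verdict and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions and subject lines taken from the article's description of Bagle-AS.
RISKY_EXTENSIONS = {".exe", ".cpl", ".scr", ".com"}
KNOWN_SUBJECTS = {"re: hello", "re: thank you!", "re: hi"}

def risky_attachments(msg):
    """Return filenames of attachments whose final extension is executable."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, and only the last
        # extension decides how the file opens ("joke.txt.scr" runs as .scr).
        cleaned = name.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        if dot != -1 and cleaned[dot:] in RISKY_EXTENSIONS:
            hits.append(name)
    return hits

def triage(raw_bytes):
    """Classify one raw message as 'quarantine', 'review' or 'pass'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    if risky_attachments(msg):
        return "quarantine"  # executable attachment: block whatever the subject
    # Assumption: the greeting subjects are too common to block on their own,
    # so they only raise a message with some other attachment to 'review'.
    if subject in KNOWN_SUBJECTS and any(p.get_filename() for p in msg.walk()):
        return "review"
    return "pass"

def build_sample(subject, filename=None):
    """Build a constructed test message with harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"  # From: is spoofable, so it is not checked
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("body text")
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Re: Hello", "Joke.scr"), ("Re: Hi", "notes.pdf"),
                        ("Quarterly report", "price.txt.exe"), ("Re: Hi", None)]:
        print(subj, fname, "->", triage(build_sample(subj, fname)))
```

Because the worm spoofs From: lines, the rule keys on the attachment type rather than the sender.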
