• silicon.com
• Technology
• Security

By Robert Lemos, 20 July 2004 07:55

NEWS A new version of the Bagle computer virus started spreading on Monday among PCs connected to the internet, and antivirus companies warned that more variants are sure to come.

The latest virus, called Bagle.AI by some antivirus companies and Beagle.AG by others, spreads through email as an attached file, which infects a user's PC when opened. The virus is extremely similar to previous versions of the program but uses a different form of compression as a way to dodge virus defenses.

Oliver Friedrichs, senior manager for antivirus company Symantec's security response team, said: "It really looks likes someone took the source code and changed a small number of things and then re-released it."

Symantec rated the virus as a three on its five-point scale, and rival McAfee called Bagle.AI a medium threat.

The latest Bagle virus is the fourth variation found by antivirus companies in a week. Earlier this month, the program's writer released a version of the virus that contained the source code, the computer commands that can be compiled to make the virus. Antivirus companies believe the move will lead virus writers to create a greater number of variants.

"When the source code is available, it opens up the door to anyone making changes and releasing a new variant," Symantec's Friedrichs said. "It lowers the bar quite dramatically."

Another program with publicly available source code, Agobot, has more than 900 variations.

Bagle.AI arrives in email as an attached file and infects computers running the Windows operating system if the user opens the file. The program harvests email addresses from the infected machine and sends out messages to every address, with itself attached. The 'from' field in the email is forged to confuse the source of the message.

Like a previous version, the program also attempts to stop more than 250 security applications from running on the computer and contacts one of nearly 150 German websites to let the attackers know of their latest conquest.

The virus also copies itself to any directory that bears a name containing the word 'shar', a means of targeting users of peer-to-peer software and to spread across network shares.

Computers compromised by the virus will likely be open to exploitation by spammers.

Robert Lemos writes for CNET News.com