
New worm variants extremely sophisticated, experts warn

Globe and Mail Update

The War of the Worms has taken a more sophisticated — and nastier — turn as three new variants of the Bagle virus were released overnight.

Security companies are warning that the variants — called Bagle P, Q and R — do not come as e-mail with attachments, and can infect vulnerable machines simply by being opened or previewed in an e-mail reader.

And instead of containing coded messages taunting whoever created the NetSky virus, the new Bagle variants have turned their attention to antivirus companies and end users.

The variants are exploiting a five-month-old vulnerability in Microsoft's Outlook e-mail program. The worm sends a message in HTML format that contains a URL, or Internet address, which automatically downloads an .html file, which in turn runs a script written in Visual Basic.

Microsoft issued a patch for the vulnerability in October. Security companies say that corporate users are more likely to have installed the patch, while home users are less likely to have done so.

Patched computers are safe from the new variants.

The new Bagle viruses do nasty things to the computers they infect. They attempt to turn off all antivirus and security software and personal firewalls, and copy themselves to every folder with the word "shar" in its name to tempt users of peer-to-peer networks, creating virus-laden files with names such as "Adobe Photoshop 9 full.exe," "Matrix 3 Revolution English Subtitles.exe" or "Windows Sourcecode update.doc.exe."
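As an added illustration (not from the article or from any vendor bulletin), the following Python script shows how a defender could sweep a machine for the kind of peer-to-peer bait files described above. It looks only inside folders whose names contain "shar", as the worm does, and flags executables that either hide behind a double extension such as ".doc.exe" or carry warez-style names. The folder tree it scans is constructed inside the script from empty files; the decoy-extension and bait-word lists are assumptions of this example, not signatures published by any vendor.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# File types Windows will execute when double-clicked. A name such as
# "update.doc.exe" looks like a document but runs as a program.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Harmless-looking inner extensions that bait names borrow (assumed list).
DECOY_EXTS = {".doc", ".pdf", ".jpg", ".txt", ".zip", ".mp3", ".avi"}
# Words typical of the warez-style bait names quoted in the article (assumed list).
BAIT_WORDS = re.compile(r"\b(full|crack|keygen|update|subtitles|sourcecode)\b", re.I)


def is_share_folder(rel_dir: str) -> bool:
    """True when any folder on the relative path contains 'shar'
    (Shared, Share, sharing ...), the same substring the worm looks for."""
    return "shar" in rel_dir.lower()


def classify_name(filename: str) -> Optional[str]:
    """Return why a file name looks like P2P bait, or None if it does not."""
    root, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return None  # not executable: cannot carry the worm this way
    inner = os.path.splitext(root)[1].lower()
    if inner in DECOY_EXTS:
        return f"double extension {inner}{ext.lower()}"
    if BAIT_WORDS.search(root):
        return "warez-style executable name"
    return None


def scan_tree(top: str) -> List[Tuple[str, str]]:
    """Walk `top`, look only inside share-like folders, and list suspicious
    files as (path relative to top, reason), sorted for stable output."""
    hits = []
    for dirpath, _subdirs, files in os.walk(top):
        rel_dir = os.path.relpath(dirpath, top)
        if rel_dir == "." or not is_share_folder(rel_dir):
            continue
        for name in files:
            reason = classify_name(name)
            if reason:
                rel = os.path.join(rel_dir, name).replace(os.sep, "/")
                hits.append((rel, reason))
    return sorted(hits)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed directory tree of empty files (no real malware)
    in a temporary folder and scan it."""
    top = tempfile.mkdtemp(prefix="p2p-bait-demo-")
    constructed = [
        "Downloads/readme.txt",
        "Downloads/Adobe Photoshop 9 full.exe",  # outside a share folder: ignored
        "My Shared Folder/Adobe Photoshop 9 full.exe",
        "My Shared Folder/Matrix 3 Revolution English Subtitles.exe",
        "My Shared Folder/Windows Sourcecode update.doc.exe",
        "My Shared Folder/holiday.jpg",
        "My Shared Folder/notes.doc",
        "KaZaA/Shared/setup.exe",  # executable, but no bait pattern
    ]
    for rel in constructed:
        p = Path(top, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    return scan_tree(top)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

The scan is a name-based heuristic only: it narrows the search to the folders the worm targets and to file names that pretend to be something they are not, which keeps false positives down, but a real response would still hash or scan the flagged files with up-to-date antivirus signatures.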

The worms open a back door on the infected computer, listening on port 2556, according to a bulletin from security experts at F-Secure. They search the entire computer for e-mail addresses, then use their own built-in e-mail engine to send copies of the worm to those addresses.

Security people at Sophos recommend updating antivirus programs, and urged more experienced computer users to block TCP port 81, inbound and outbound, to cut off the traffic the worm's messages rely on.

The Bagle family of worms, the first of which appeared in January, has been busy this year. Earlier variants required recipients to click on attachments, which would then spread the infection. But security software easily spotted the attachments, so the next wave of Bagles sent the infection in a password-protected ZIP file, with the password included in the text of the message. After security companies stalled those versions, the password was sent as a small graphic file instead, which is more difficult to scan.

The Bagle Q variant appears to be the most successful of the new worms, antivirus people at Sophos said, and along with Bagle R, it has spread extensively through Korea and the rest of Asia, as well as Australia. There are fewer reports of a further variant, Bagle S, and there have been unconfirmed reports of activity from Bagle T.

Antivirus software maker Global Hauri called the Q, R and S variants "high risk," but AVERT, the antivirus labs of the McAfee antivirus company, sent out a "low threat" notice about them.

But as though the new Bagle variants weren't enough, AVERT labs have also sent out a warning about a new variation of a Trojan-horse virus called Phatbot or Agobot.

Phatbot is extremely sophisticated, and connects victims to its own peer-to-peer network of infected machines. The Phatbot creator can exercise total control over the infected machine.

"Phatbot is dangerous because it is so feature-rich that you can do anything — it's probably the largest back-door we have ever seen in terms of features," Mikko Hyppönen, director of antivirus research at F-Secure, said in an interview with CNET earlier today. It has a multitude of different methods of gaining access to a machine, including the back doors left by Bagle, MyDoom and Blaster.

"Phatbot is the Swiss army knife of Trojan horses," he said.

With files from CNET
