Another in a seemingly endless string of variants to the computer virus known as Bagle was detected by researchers on Monday, but this one caused a bigger headache than most.
The virus was "seeded" through an initial massive spamming, according to antivirus firms. Perhaps hundreds of thousands of copies of the worm were sent out in the initial attack, giving the virus a forceful first few hours.
The new variant, dubbed Bagle.al, generated a glut of e-mails with the simple message "price" or "new price." Attachments to the e-mail were named with some variation of the word price, such as new_price.zip, price_new.zip, or price_08.zip.
Until recently, virus writers released their handiwork by posting their malicious programs in bulletin boards, chat rooms, or by sending a few infected e-mails. Generally, viruses would require a few hours, or even a few days, before they gained serious momentum -- giving antivirus firms time to concoct digital antidotes.
The blending of the spam and virus worlds, however, has given programmers a new set of tricks. Now, virus authors can use an army of already-infected PCs to launch their attacks, creating a swirl of activity and a wide swath of infections much sooner than in the past.
Attachment deliberately kept small
The Bagle variant released Monday seems to have taken this new tactic to a new level, said Vincent Gullotto, virus researcher at McAfee Corp.
"It made its way around quite well," Gullotto said. "The initial push to get out in the wild was much heavier than usual."
Oliver Friedrichs, senior manager of Symantec's Security Response Team, said his firm was getting 150 submissions of the worm per hour.
Another trick the virus is using to fool users, Friedrichs said, is to keep the size of the initial e-mail small. When a recipient is tricked into clicking on the attachment, only a small portion of the malicious code is installed on the victim's machine. The rest is then downloaded from one of dozens of Web sites located around the world.
Many of the infecting Web sites are located in Russia, but the virus authors have spread their malicious code onto computers around the world. A list can be seen at Symantec's Web site. Researchers are busily disabling those sites.
"When these sites become unavailable, the worm will stop in its tracks," Friedrichs said.
F-Secure Corp. issued a level 2 alert -- not as serious as its level 1 alert -- on Monday morning after detecting the worm.
McAfee said the virus had not actually infected many machines. The firm received hundreds of submissions of the new variant in the first few hours on Monday, but 80 percent of them were the result of spam, not infections. Because of its low infection rate, the virus probably will die out within 36 hours, Gullotto said.
That's the good news.
Still, companies are being deluged by the spam, Gullotto said.
The virus is also clever enough to spoof, or replace, the "from:" line in the e-mails with the name of a sender that may be familiar to the recipient. That increases the likelihood that an unwitting Internet user might open the e-mail. Antivirus experts urged caution.
"If you get an e-mail from your wife at work, and you don't normally get e-mails from your wife at work, don't open it," Gullotto said.
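A defender-side mail triage for the lure this article describes (a subject of "price" or "new price", a .zip attachment named around "price", and a "from:" line spoofed to look like a colleague), written here as an added example rather than code from the report or any vendor. The two sample messages, the example.com domain and the single-MX assumption that the first Received: header is the hop onto our own mail exchanger are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure described in the article: subject "price"/"new price", attachment named
# as a variation of "price" with a .zip extension.
SUBJECT_RE = re.compile(r"^\s*(new\s+)?price\s*$", re.IGNORECASE)
ZIP_NAME_RE = re.compile(r"price.*\.zip$", re.IGNORECASE)

# Constructed sample messages, not real worm samples; hosts and addresses are placeholders.
WORM_MAIL = """\
Received: from mail.outside.invalid (203.0.113.7) by mx.example.com
From: colleague@example.com
To: victim@example.com
Subject: new price
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="price_08.zip"

UEsDBAo=
--b1--
"""
BENIGN_MAIL = """\
Received: from desk17.example.com (10.0.0.5) by mx.example.com
From: sales@example.com
Subject: Updated price list for Q3

The new price list is in the shared folder.
"""

def spoofed_internal_sender(msg, local_domain):
    """From: claims our domain but the hop onto our MX (first Received:, assumed single MX) came from outside."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@" + local_domain):
        return False
    m = re.search(r"from\s+([\w.-]+)", (msg.get_all("Received") or [""])[0])
    return not (m and m.group(1).lower().endswith(local_domain))

def triage(raw, local_domain="example.com"):
    """Return the indicator names matched by one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("lure-subject")
    if any(ZIP_NAME_RE.search(p.get_filename() or "") for p in msg.walk()):
        hits.append("price-zip-attachment")
    if spoofed_internal_sender(msg, local_domain):
        hits.append("spoofed-internal-sender")
    return hits
```

Run at the mail gateway, a message that matches all three indicators is a strong quarantine candidate, while a subject-only match on a benign internal mail stays below the threshold.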
And the virus seems to be another probe, a test to see if the new tactic is effective, Gullotto said. While it may die out, the virus author will likely follow soon with another, similar worm.
"This is a sign of the times," he said. "This may become a trend for a long time."