Bagle Variants Keep on Coming
BREAKING NEWS: 3 New Bagle Variants Appear; 2 Medium Risk
I reported in the last post here that Bagle.AF has been assigned Medium-On-Watch risk at McAfee (it remains there.) However, since that, three new variants (.AG, .AH, and .AI) have appeared, and .AG and .AI are listed as Medium risk.
They are extensions on the standard Bagle theme, not varying too much from earlier variants. Typical modifications can be found here, with .AF and .AI seeming to have shifted toward an animal-related theme in the subject messages with which they mass-mail.
We're beginning to get some naming confusion here (which actually started in around .J but vendors are now trying to correct unsuccessfully), so to sort things up:
Computer Associates: Win32.Bagle.AC
Network Associates: W32/Bagle.ag@MM
Computer Associates: Win32.Bagle.AD
Network Associates: W32/Bagle.ah@MM
Network Associates: W32/Bagle.ai@MM
Although little is known about Variant “Two” (which is low risk at McAfee), variants “One” and “Three” appear to mass-mail with messages containing animal themes, such as “Dog,” “Fish,” “Lovely animals,“ or “Predator.” However, some unrelated subject lines exist too, such as “Cool_MP3” and “Garry.”
The remote access function remains in this version, relying on .php scripts hosted on a large number of sites, all with .de suffixes (Germany.) This suggests that, like Netsky, the Bagle worm was created in Germany. However, this may be a smokescreen, especially considering that .com and .net suffixes are also frequently used for German sites, and it is statistically unlikely that a random pool of German sites would all have the suffix .de. This indicates that there is a good chance the virus author intentionally chose only German sites.
More information about individual variants can be found under their various topics here: