A new variant of the Bagle worm is showing more prevalence than usual, according to anti-virus companies.
The new version is known by a variety of names: McAfee Inc. calls it Bagle.az, Trend Micro Inc. has dubbed it Bagle.AM and Symantec Corp. refers to it as Beagle.AR. All three companies have elevated the threat level for this worm because of increased submissions to their monitoring services compared with the average Bagle variant.
All the major companies offer protection against the worm. Symantec also has a removal tool.
Many e-mail programs, including Microsoft Outlook and Outlook Express will, in the default configuration, delete the infected executable attachment to the e-mail message in which the worm arrives.
According to Trend Micros description, the message comes from a spoofed address. The subject line is either "Re: Hi!," "Re: Thank you!," or "Re: Thanks :)," and the message body is always ":))." The message comes with an attachment with a file name of "Joke" or "Price," which has an extension of either ".com," ".cpl," ".exe," or ".scr."
Once the user runs the executable, it drops a copy of itself in the users Windows System folder and sets Windows to load it when the computer boots up.
The worm attempts to propagate by copying itself to shared folders for LANs and peer-to-peer networks, and through a conventional e-mail distribution using a built-in SMTP engine. It attempts to terminate a large number of security-related programs, such as anti-virus software.
In keeping with Bagle tradition, it also attempts to interfere with the Netsky worm by removing several registry keys used by Netsky and creating mutexes, which are variables in the operating system that Netsky checks for.