Success of Bagle Virus Puzzles Researchers

As new versions of the e-mail worm keep rolling out, administrators and virus researchers wonder why they still infect so many machines.

Several new variants of the venerable Bagle virus visited themselves upon corporate networks last week, frustrating administrators and virus researchers who continue to wonder why these worms can still infect thousands of machines after months of warnings.

None of the most recent variants is particularly innovative or clever in its social engineering efforts or infection methods. Many versions of the Bagle virus actually make it difficult for users to infect machines by requiring them not only to open an attachment but also to enter a password to launch the malware.

And no individual member of the Bagle family—which now comprises 35 variants—can lay claim to being much more than a footnote in the annals of worms and viruses. However, taken as a whole, the Bagle clan may have infected more PCs than any other virus group.

This has proved to be a source of endless vexation for virus researchers, who can't find any reason for Bagle's continued success.

"There's nothing particularly new. There are some incremental improvements in some of the variants," said Sam Curry, vice president in the eTrust division at Computer Associates International Inc., based in Islandia, N.Y. "It's almost like an application before and after it's gone through the QA [quality assurance] process in a normal development process. The grammar is cleaner; the compiled file is smaller."


The latest batch of Bagles began arriving July 15 with Bagle.AF, and three more variants had appeared by July 19. All the worms had the familiar characteristics of typical mass mailers, and some contained password-protected Zip files. The subject lines and names on the attachments are random and sometimes nonsensical, making it all the more stupefying that thousands of people open the infected files.

Decision 04

The race to infect the most PCs is heating up again

Worm      Variants
Netsky    30
MyDoom    14

Source: McAfee Inc.

Many virus researchers have said for months that the respective authors of the Bagle and Netsky worms are competing against one another for attention and notoriety.

Earlier this year, the people or groups responsible for the Netsky and Bagle worms began a short but intense war of words and variants. The two sides took shots at each other through messages tucked into the code of their creations, denigrating their rivals' coding skills and bragging about their own expertise.

In the span of about a week, several new variants of both Netsky and Bagle appeared, and virus experts worried that the escalating hostilities between the two sides would lead to massive infections across the Internet.

While many of the variants were, in fact, successful in spreading fairly widely, none reached epidemic proportions, and the dispute soon disappeared, as did both Netsky and Bagle, until recently.

"It's a real ego game for these guys," Curry said. "It's a twisted sort of human behavior, but it can be handled. It's up to the security providers to find better ways to prevent these things."
