New Bagle Priced To Move

The new worm goes by a confusing range of names -- everything from Bagle.al and Bagle.am to Bagle.ao and Bagle.aq -- just one of the side effects of a long-running malware family and the inability of antivirus firms to agree on nomenclature.

By the end of the day, every security firm had pushed the Bagle to at least a "medium" threat, with Computer Associates assessing it as "high" due to its quick spread. Analysts believed that this Bagle was initially seeded via a large spam run.

Its distinguishing characteristics include no subject line, a one- or two-word message of "price" or "no price," and a zipped attached file. Users who open the zip or view its contents within Internet Explorer are infected.
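As an added illustration (not code from this article or from any antivirus vendor), the three traits listed above can be expressed as a mail-filter check that fires only when all of them appear together. The function names, addresses and sample messages are constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BODY_MARKERS = {"price", "no price"}  # the two message bodies the article reports


def matches_article_traits(raw: bytes) -> bool:
    """True only if all three traits from the article hold for this message."""
    msg = message_from_bytes(raw, policy=policy.default)
    if (msg["Subject"] or "").strip():
        return False  # the article says there is no subject line
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    if body not in BODY_MARKERS:
        return False
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Check the content, not the filename: is_zipfile looks for the ZIP
        # end-of-central-directory record and extracts nothing.
        if zipfile.is_zipfile(io.BytesIO(data)):
            return True
    return False


def build_sample(subject: str, body: str, attach_zip: bool) -> bytes:
    """Constructed test message; the archive holds a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("readme.txt", "harmless placeholder")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="octet-stream", filename="attachment.zip")
    return msg.as_bytes()
```

Requiring all three traits at once keeps ordinary mail that merely mentions a price, or merely carries a zip file, from being flagged.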

Unlike nearly all worms -- and all previous Bagle variants -- this one doesn't include the actual worm payload, but instead downloads it from a number of Web sites. Only after it has retrieved a file -- an executable disguised as a .jpg image file -- does its built-in SMTP engine kick in and start sending copies to others via e-mail.

That leaves the worm vulnerable if the sites are shut down. As of Tuesday morning, several had been shuttered.

The newest member of the Bagle clan can also masquerade as Internet Explorer once on a system, side-stepping firewall defenses that typically allow IE to make outbound connections, and can infect through file-sharing programs such as Kazaa, eDonkey and LimeWire.

On the bright side, its run should be short. According to Computer Associates' analysis, beginning Tuesday the worm removes itself from the Windows registry and terminates. Files are left behind, said CA, but the worm will no longer run automatically.

*This story courtesy of TechWeb.com.