W32/Bagle-AF can send itself in the form of an
encrypted Zip file.
Email-aware worm spreads as an EXE, CPL, SCR or ZIP file
Virus researchers at Sophos are warning users to beware of the
latest Bagle worm, Bagle-AF, which is
spreading steadily by email.
Although the worm uses a multitude of randomly generated subject
lines, message texts and attachments to confuse recipients, it
relies on the age-old trick of duping users into double-clicking on
the attachment in order to spread. If run, the worm attempts to
disable anti-virus and other security products and opens up a
backdoor in the PC, enabling hackers to send out spam emails from
the compromised machine.
"Bagle-AF is hard to spot with the naked eye, but is very easy
to stop - either with up-to-date anti-virus software or by simply
not clicking on unsolicited email attachments," said Graham Cluley,
senior technology consultant, Sophos. "It's crucial to keep virus
protection regularly updated in order to keep systems virus free
and to ensure your PC doesn't become a spam factory without your
Much like previous Bagle worms, this latest version also causes
the infected computer to automatically send messages to a number of
German websites, suggesting the worm originated in Germany. Since
May 2004, when German authorities arrested Sven Jaschan,
the self-confessed author of the Sasser and Netsky worms, there has
been very little virus activity in this country.
"Earlier this year, we were seeing a Bagle worm every few days,
as its author fought a war of the worms with
rival virus writer, Sven Jaschan - the teenager responsible for
Netsky. However, since Jaschan's arrest, the German virus writing
community has pretty much gone to ground, with only a few
low-impact viruses emerging," continued Cluley. "Bagle-AF's bold
appearance may signal that German virus writers have not been put
off - with luck their newfound confidence will be their