Over the last few days, PandaLabs has detected the distribution of four new variants of the infamous Bagle family of worms (JN, JO, JP and JQ). Although in general they are similar to other examples of the same family, the JP and JQ variants try to evade detection by security solutions by hiding in password-protected .zip files. Because of this, the emails used to spread Bagle JP and JQ have two attached files: one is the worm itself, inside the .zip file, while the other is a text file with the password needed to open it.
Even though none of the four variants have so far caused a significant number of incidents, the most worrying fact is the increased activity on the part of the creators of this malicious code, as they have in the past demonstrated the ability to cause serious epidemics with previous versions of the same worm.
Luis Corrons, director of PandaLabs, explains: “Judging from the data we have so far gathered, the four worms are the work of the same people. It would seem that, once again, these criminals are trying to distribute as many examples as possible in order to increase the possibility of computers being infected. For this reason, it would be no surprise to see new variants of Bagle appearing over the next few days, and users are therefore advised to make sure they have a thoroughly up-to-date security solution installed.”
The Bagle worms are not only highly effective in spreading via email, they can also disable security solutions installed on computers. “This means that the creators of the Bagle worms are trying to prepare the ground for future attacks, as they know that infected computers will be particularly vulnerable to another new threat,” adds Corrons.
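The delivery pattern described above for Bagle JP and JQ (an encrypted .zip accompanied by a text attachment) can be checked at a mail gateway without knowing the password, because the ZIP headers mark encrypted entries in the clear. The following is an added example, not PandaLabs code; the function names and the sample message are constructed for illustration, and the check is a heuristic that will also match legitimate mail using the same layout.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def is_encrypted_zip(data: bytes) -> bool:
    """True if any entry in the archive has the encryption flag set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & ENCRYPTED_FLAG for i in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP archive at all


def flag_password_zip_mail(raw: bytes) -> bool:
    """Flag mail carrying an encrypted .zip together with a text attachment."""
    msg = message_from_bytes(raw)
    has_locked_zip = has_text = False
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue  # skip the body and multipart containers
        payload = part.get_payload(decode=True) or b""
        if is_encrypted_zip(payload):  # judged by content, not by file name
            has_locked_zip = True
        elif part.get_content_type() == "text/plain":
            has_text = True
    return has_locked_zip and has_text


def build_sample(encrypted: bool) -> bytes:
    """Constructed test message: one .zip and one .txt attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.bin", b"constructed placeholder content")
    zip_bytes = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption bit in the central directory header (flags at offset 8).
        zip_bytes[zip_bytes.index(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(bytes(zip_bytes), maintype="application",
                       subtype="zip", filename="sample.zip")
    msg.add_attachment("constructed-password", subtype="plain", filename="sample.txt")
    return msg.as_bytes()
```

A gateway would typically quarantine matching messages for review rather than drop them, since the archive contents cannot be scanned without the password.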