Like previous versions of Bagle, the new Bagle.AQ worm spreads by sending out messages with an infected attachment compressed under the common Zip format. Both the name of the attachment and the body of the message are a variant on "price" or "new price."
Unlike earlier Bagles, the new version also packs in a 3-year-old piece of JavaScript code that, once executed, attempts to send the infected PC to various Web sites to pick up more Bagle code, said Vincent Gullotto, vice president of the antivirus emergency response team for security specialist McAfee.
Bagle.AQ started spreading Monday morning and quickly began bombarding some corporate e-mail systems with thousands of infected messages, Gullotto said.
"It made its way into the public eye in a rather grandiose fashion," he said.
Gullotto attributed the worm's fast start to use of the old JavaScript trick and initial distribution that included an unusually large number of e-mail addresses to target. "Someone has used a rather spamlike technique to get it going," he said.
Those same techniques should also ensure a relatively brief heyday for the worm, as e-mail security systems learn to block the variant, Gullotto said. "I don't expect it'll last more than 24 hours," he said. "Then it's onto the next pest."
The initial Bagle virus emerged early this year and appeared to be a fairly standard mass-mailing worm. But the pest has gone on to spawn dozens of variations, thanks partly to an apparent feud between the Bagle coder and the creator of the rival Netsky worm.
