Bagle bombing
Bagle variants D through E are functionally similar to the Bagle.C worm discovered February 27th, with only a few minor differences. The Bagle.E worm now includes a message body that may contain one of the following: "Request", "Empty", "Response", "Everything inside the attach", "Look it through", or "Cya". Also unlike Bagle.C, Bagle.E drops two copies to the Windows\System folder: godo.exe and ii455nj4.exe. Bagle.F through Bagle.H may send itself as a password-protected ZIP file, with the password included in the message body.
Update: As of March 2, 2004, Bagle.I and Bagle.J variants have been released into the wild, alongside new variants of MyDoom and Netsky. This appears to be a battle between virus writers, discussed further in War of the Worms.
Update: March 4, 2004: Bagle variants F, G, H, I, J and K all include the ability to send themselves as password-protected ZIPs. Antivirus software may detect these as either Bagle.Gen or Bagle-Zip.
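Because a mail gateway cannot scan the contents of an encrypted archive without the password, a common defensive measure is to flag any message carrying an encrypted ZIP for quarantine or review. The following sketch is an added example, not code from the original article or from any antivirus product. It generalises beyond Bagle to any encrypted ZIP attachment, and the function names and the sample message are constructed for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry is encrypted


def encrypted_zip_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of ZIP attachments that contain encrypted entries."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not payload or not payload.startswith(b"PK"):
            continue  # judge by content, not by the claimed extension
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(i.flag_bits & ENCRYPTED for i in zf.infolist()):
                    hits.append(part.get_filename() or "(unnamed)")
        except zipfile.BadZipFile:
            continue  # starts with "PK" but is not a readable archive
    return hits


def constructed_sample(encrypted: bool) -> bytes:
    """Build a constructed test message holding a harmless one-file ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Mark the entry as encrypted by setting flag bit 0 in the local
        # header (offset 6) and in the central directory record (offset 8).
        data[6] |= ENCRYPTED
        cd = data.find(b"PK\x01\x02")
        data[cd + 8] |= ENCRYPTED
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Password: 12345")  # constructed body text
    msg.add_attachment(bytes(data), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

The check reads only the archive's central directory, so it needs no password and never extracts or opens the enclosed file.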
Update: March 14, 2004: Bagle.M, Bagle.N, and Bagle.O discovered; these worms contain a polymorphic file infector.
Update: March 18, 2004: Bagle.Q, Bagle.R, Bagle.S, Bagle.T discovered. Read A fist full of Bagles for details or see specific descriptions below:

