While everybody's busy watching the Nyxem.e sittuation around the world, the virus writers are hardly taking any break.

For the past two days we've been tracking an increase in the number of Email-Worm.Win32.Bagle.fj samples up to the point that it is now topping our malware statistics.

It is worth noting that out of the couple hundred different malware which have been spreading quite well using e-mail during 2005, 25% have been Bagle variants. More 2005 statistics in an upcoming report from KL.

We've just released detection for Trojan-Downloader.Win32.Small.cgx and Email-Worm.Win32.Bagle.fg. Samples of these have just appeared on a number of websites which most likely indicates upcoming Bagle activity during the next hours.

MD5s for these two are:

ce61b0e6d81fc51d9b4d5d81311f1bde - Trojan-Downloader.Win32.Small.cgx
35bdca59203212a44de95369238e4e50 - Email-Worm.Win32.Bagle.fg

It's two years to the day that the antivirus industry first encountered Bagle - Email-Worm.Win32.Bagle.a. Depending on your point of view, two years could be a long time, or a short time. But whatever position you take, one thing is certain - Bagle has evolved from a single worm into a criminal infrastructure, which is constantly searching for new victims to infect. Bagle has become a business, which is making real profits - clear motivation for cyber criminals. The authors of Bagle have continued to develop the worm's defences against its main enemy, the anti-virus industry. We've seen Bagle evolve from using primitive polymorphic code, to saving the password to an infected archive in graphical form, to the use of BlackLists. These last list users such as e.g. antivirus and network activity monitoring companies who are likely to attempt to download the latest Bagle variant via malicious links. If a user whose address is blacklisted attempts to download the latest Bagle, an error message will be returned instead of the malicious file.

Over the last two years we've detected more than 400 modifications of Bagle-related malware. All these malicious programs (Trojan-Proxies, Email-Worms, Trojan-Downloaders, SpamTool etc) are designed to steal information from victim machines, conduct mass mailings and other criminal activity.

As our users know, Kaspersky Lab releases two types of antivirus database update - standard updates, and urgent updates. Urgent updates provide rapid protection against possible epidemics and spamming of malicious programs. The graph below shows the number of urgent updates (axis Y) released every three days (in order to highlight the virus epidemics) throughout 2005 (axis X) we get the following picture:

It's clear that the highest number of urgent updates were released on days when Bagle was very active. During one attack, 21 new modifications were detected. The figures clearly show that users should continue to take the threat posed by Bagle seriously.

Last night was a busy one. Between yesterday evening and this morning, we intecepted 12 programs created by the authors of Bagle: 5 Trojan downloaders (classifed as Trojan-Downloader.Win32.Bagle.d - h) and 7 worms (Email-Worm.Win32.Bagle.eo - eu.)

All of this activity is with the aim of finding new machines to infect to keep the Bagle botnet running.

Our antivirus databases detect all the malicious programs mentioned above. As I say, it was a busy night.

This time, not surprisingly, it's Trojan-Downloader.Win32.Bagle.f

A few minutes ago the people who are maintaining the Bagle botnet started updating it. We've intercepted two new modifications of the Bagle family, and have added them to our antivirus databases as Trojan-Downloader.Win32.Bagle.d and Trojan-Downloader.Win32.Bagle.e. Updates will be released within the next few minutes.

The spamming continues. We have just detected the latest variant - Email-Worm.Win32.Bagle.ek

The Bagles are continuing to come in. We've detected 6 new variants so far, and just released an urgent update. The first 2 - 3 variants were agressively spammed. The others have been placed on sites and will be downloaded to victim machines. It's the latest move to keep the botnet up and running.

Everyone is getting tired of Bagle. But that's no reason to let your guard down. Don't open attachments, and (we'll say it again) keep your antivirus well up to date!

Over the course of the last hours we've been seeing a number of new Bagles massively spammed.

They are detected as Email-Worm.Win32.Bagle.ed-eg.

As before these Bagles don't have a functioning emailing routine.

These Bagles are likely to arrive in a .zip archive with both the archive as the executable having a random name.

Some quick info on the most common ones:(Note that filenames may vary)

File: Loader.exe - Email-Worm.Win32.Bagle.ee
MD5: 7b2f9ddebd027d54e36408c89804afdb
Size: 9728 bytes

File: t_535475.exe - Email-Worm.Win32.Bagle.ef
MD5: 8275444ac2caac4b90bfd07d0b2b17be
Size: 13312 bytes

File: text.exe - Email-Worm.Win32.Bagle.eg
MD5: 18ae7a2fa4dbbf703c3ae157f224186a
Size: 10752 bytes

As the previous post says, there have been a lot of new Bagle modifications in the last 24 hours. And they're continuing, either being spammed, or by previous versions downloading updates to themselves from the Internet. All of this frantic activity is aimed at maintaining the network of infected computers, by finding new victim machines, infecting them, and conscripting them into the network.

We've intercepted at least 20 new versions, and are now up to Bagle.dh. They are showing no signs of stopping at the moment.

As usual, our antivirus databases have been updated with detection for all the latest variants.